Story #282
Updated by bmbouter over 9 years ago
For Pulp to operate correctly, it expects that /var/lib/pulp/* will have the httpd_sys_rw_content_t file context. If /var/lib/pulp/ or some subdirectory of it is hosted via NFS, those files will receive the nfs_t label instead. As a result, Pulp does not work correctly if you want to scale the /var/lib/pulp filesystem with NFS while keeping SELinux in Enforcing mode.

To reproduce the issue:

0. Set SELinux to enforcing mode
1. Mount /var/lib/pulp via NFS
2. Try to sync or consume content
3. Observe that the sync fails and AVC denials are present; SELinux will not allow Pulp to work because of the incorrect file labels.

Deliverables:

1. Adjust the SELinux policy so that Pulp works if /var/lib/pulp has nfs_t, using one of the potential solutions below.
2. Add documentation about when/how users can configure NFS to work with Pulp's SELinux policy definition, including any booleans to set, restorecon runs, or similar. This should be in a new section or subsection.
3. Add a release note about this change.

Potential Solutions:

Recommended Solution: The recommended way to fix this is by making NFS aware of the SELinux context to use when mounting /var/lib/pulp/ or a subsection of it, using the context option on mount:

<pre>
# mount -o context="system_u:object_r:httpd_sys_rw_content_t:s0" REMOTEHOST:/var/lib/pulp /var/lib/pulp
</pre>

Other potential solutions:

* One way to fix this would be "similar to what spacewalk did by using mountpoints":https://github.com/spacewalkproject/spacewalk/blob/master/spacewalk/setup/bin/spacewalk-make-mount-points by introducing a spacewalk_nfs_mountpoint label or something similar.
* A third way to fix this would be to have our policy be nfs_t aware specifically for pulp content, but not other nfs_t directories.
* Another way would be for the user to manually relabel with a restorecon statement that specifies the httpd_sys_rw_content_t label, but that would need to be tested to be sure that it won't interfere with correct nfs_t operation or that SELinux won't relabel it later.
* Another way would be to use some sort of SELinux aliasing.
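As an added example (not part of this story or of Pulp's own tooling), the following POSIX shell function checks whether the NFS mount backing /var/lib/pulp was actually mounted with a context= option of type httpd_sys_rw_content_t, as the recommended mount line does, by parsing /proc/mounts-style lines. The sample mount lines and the server name nfsserver.example are constructed for the demonstration.

```shell
#!/bin/sh
# check_pulp_nfs_context MOUNTS_TEXT [MOUNTPOINT] [TYPE]
#   MOUNTS_TEXT : contents of /proc/mounts (e.g. "$(cat /proc/mounts)")
#   MOUNTPOINT  : path to inspect, default /var/lib/pulp
#   TYPE        : expected SELinux type, default httpd_sys_rw_content_t
# Returns 0 if the NFS mount carries the expected context= option,
#         1 if it is an NFS mount without it (files will be labeled nfs_t),
#         2 if no NFS mount exists at that path.
check_pulp_nfs_context() {
  mounts=$1
  mp=${2:-/var/lib/pulp}
  want=${3:-httpd_sys_rw_content_t}
  # /proc/mounts fields: device mountpoint fstype options dump pass
  line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp && $3 ~ /^nfs/ { print; exit }')
  if [ -z "$line" ]; then
    echo "no NFS mount at $mp"
    return 2
  fi
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  # The kernel may show the value quoted (context="...") or bare; match either,
  # anchoring on the :object_r:TYPE: part of the label so a different type fails.
  case ",$opts," in
    *,context=*:object_r:"$want":*,*)
      echo "ok: $mp is mounted with context type $want"
      return 0 ;;
    *)
      echo "WARNING: $mp is NFS but has no context=...:$want option (files will be nfs_t)"
      return 1 ;;
  esac
}

# Constructed sample /proc/mounts lines (not captured from a real host).
SAMPLE_GOOD='nfsserver.example:/export/pulp /var/lib/pulp nfs4 rw,relatime,context="system_u:object_r:httpd_sys_rw_content_t:s0",vers=4.1 0 0'
SAMPLE_BAD='nfsserver.example:/export/pulp /var/lib/pulp nfs4 rw,relatime,vers=4.1 0 0'
SAMPLE_WRONG='nfsserver.example:/export/pulp /var/lib/pulp nfs4 rw,relatime,context="system_u:object_r:nfs_t:s0",vers=4.1 0 0'
```

On a live host, run `check_pulp_nfs_context "$(cat /proc/mounts)"` after mounting; a non-zero result means the files under /var/lib/pulp will not carry httpd_sys_rw_content_t and the AVC denials described above are to be expected.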