Bug #30465

Pulpcore services run unconfined in SELinux

Added by Ewoud Kohl van Wijngaarden about 1 year ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Category: Foreman modules
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:

Description

Currently the services run unconfined because pulpcore-selinux only labels /usr/{local,lib/pulp}/bin/{gunicorn,rq} but RPM packages install to /usr/bin/{gunicorn,rq}. Labelling those with pulpcore_exec_t feels incorrect so I'm suggesting to introduce /usr/libexec/pulpcore/{gunicorn,rq} wrappers with the correct SELinux labels.

Associated revisions

Revision d9eec934 (diff)
Added by Ewoud Kohl van Wijngaarden 12 months ago

Fixes #30465 - Use libexec wrappers for SELinux

In python3-pulpcore 3.7.1-2 the /usr/libexec/pulpcore wrappers have been
introduced to enter the proper SELinux domain.

It has also been cherry picked to 3.6.3-2 but there the SELinux policy is
incomplete so it has no effect. The main benefit of that cherry pick is
to keep the module compatible with both 3.6 and 3.7.

History

#1 Updated by The Foreman Bot about 1 year ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-pulpcore/pull/116 added

#2 Updated by Ewoud Kohl van Wijngaarden about 1 year ago

  • Triaged changed from No to Yes
  • Target version set to 2.2.0

#3 Updated by Eric Helms about 1 year ago

  • Target version changed from 2.2.0 to 2.3.0

#4 Updated by Ewoud Kohl van Wijngaarden 12 months ago

  • Status changed from Ready For Testing to Closed

#5 Updated by Tomer Brisker 10 months ago

  • Fixed in Releases 2.3.0 added
