Bug #30465

Pulpcore services run unconfined in SELinux

Added by Ewoud Kohl van Wijngaarden 3 months ago. Updated 21 days ago.

Status: Closed
Priority: Normal
Category: Foreman modules
Target version:
Difficulty:
Triaged: Yes
Bugzilla link:

Description

Currently the services run unconfined because pulpcore-selinux only labels /usr/{local,lib/pulp}/bin/{gunicorn,rq} but RPM packages install to /usr/bin/{gunicorn,rq}. Labelling those with pulpcore_exec_t feels incorrect so I'm suggesting to introduce /usr/libexec/pulpcore/{gunicorn,rq} wrappers with the correct SELinux labels.
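A check for the condition this ticket describes, as an added example that is not part of the ticket or the project's code: it reads `ps -eo label,args` output and lists gunicorn and rq processes running as `unconfined_service_t`. The sample lines, and the `pulpcore_server_t` domain name used in them, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): flag gunicorn/rq processes that a
# systemd unit started without any SELinux domain transition.

# Reads `ps -eo label,args` output on stdin: an SELinux context
# (user:role:type:level) followed by the command line.
# Prints "type<TAB>command" for each gunicorn or rq process whose type is
# unconfined_service_t, the targeted-policy domain a service lands in when
# the label on its executable triggers no transition.
find_unconfined_pulpcore() {
    awk '
        NR == 1 && $1 == "LABEL" { next }      # skip the ps header line
        {
            split($1, ctx, ":")                # ctx[3] is the type field
            hit = 0
            # Look at the interpreter and script words of the command line.
            for (i = 2; i <= 3 && i <= NF; i++) {
                n = split($i, parts, "/")
                base = parts[n]
                sub(/:$/, "", base)            # "gunicorn:" process titles
                if (base == "gunicorn" || base == "rq") hit = 1
            }
            if (hit && ctx[3] == "unconfined_service_t") {
                cmd = $0
                sub(/^[^ \t]+[ \t]+/, "", cmd) # drop the label column
                printf "%s\t%s\n", ctx[3], cmd
            }
        }
    '
}

# Constructed sample input; pulpcore_server_t is an assumed name for the
# confined domain, used here only as an example of "not unconfined".
SAMPLE_PS='LABEL                           COMMAND
system_u:system_r:unconfined_service_t:s0 /usr/bin/python3 /usr/bin/gunicorn pulpcore.app.wsgi:application
system_u:system_r:unconfined_service_t:s0 /usr/bin/python3 /usr/bin/rq worker
system_u:system_r:pulpcore_server_t:s0 /usr/bin/python3 /usr/bin/gunicorn pulpcore.content:server
system_u:system_r:sshd_t:s0-s0:c0.c1023 /usr/sbin/sshd -D
system_u:system_r:unconfined_service_t:s0 /usr/bin/some-other-daemon --rq'

# Run against the sample; on a live host use:
#   ps -eo label,args | find_unconfined_pulpcore
printf '%s\n' "$SAMPLE_PS" | find_unconfined_pulpcore
```

An empty result on a live host means no gunicorn or rq process is in `unconfined_service_t`; `ls -Z` on the executables named in the ticket shows which file label each one carries.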

Associated revisions

Revision d9eec934 (diff)
Added by Ewoud Kohl van Wijngaarden 21 days ago

Fixes #30465 - Use libexec wrappers for SELinux

In python3-pulpcore 3.7.1-2 the /usr/libexec/pulpcore wrappers have been
introduced to enter the proper SELinux domain.

It has also been cherry-picked to 3.6.3-2, but there the SELinux policy is
incomplete so it has no effect. The main benefit of that cherry-pick is
to keep the module compatible with both 3.6 and 3.7.

History

#1 Updated by The Foreman Bot 3 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-pulpcore/pull/116 added

#2 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Triaged changed from No to Yes
  • Target version set to 2.2.0

#3 Updated by Eric Helms 3 months ago

  • Target version changed from 2.2.0 to 2.3.0

#4 Updated by Ewoud Kohl van Wijngaarden 21 days ago

  • Status changed from Ready For Testing to Closed
