Bug #30465
Pulpcore services run unconfined in SELinux
Status:
Closed
Priority:
Normal
Assignee:
Category:
Foreman modules
Target version:
Fixed in Releases:
Found in Releases:
Description
Currently the services run unconfined because pulpcore-selinux only labels /usr/{local,lib/pulp}/bin/{gunicorn,rq} but RPM packages install to /usr/bin/{gunicorn,rq}. Labelling those with pulpcore_exec_t feels incorrect so I'm suggesting to introduce /usr/libexec/pulpcore/{gunicorn,rq} wrappers with the correct SELinux labels.
Associated revisions
History
#1
Updated by The Foreman Bot 3 months ago
Updated by - Assignee set to Ewoud Kohl van Wijngaarden
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/puppet-pulpcore/pull/116 added
#2
Updated by Ewoud Kohl van Wijngaarden 3 months ago
Updated by - Triaged changed from No to Yes
- Target version set to 2.2.0
#3
Updated by Eric Helms 3 months ago
Updated by - Target version changed from 2.2.0 to 2.3.0
#4
Updated by Ewoud Kohl van Wijngaarden 21 days ago
- Status changed from Ready For Testing to Closed
Applied in changeset puppet-pulpcore|d9eec934b5ee278128b00f87479c9f5ea7fc08f5.
Fixes #30465 - Use libexec wrappers for SELinux
In python3-pulpcore 3.7.1-2 the /usr/libexec/pulpcore wrappers have been
introduced to enter the proper SELinux domain.
It has also been cherry picked to 3.6.3-2 but in the SELinux policy is
incomplete so it has no effect. The main benefit of that cherry pick is
to keep the module compatible with both 3.6 and 3.7.