Bug 1026374

A dedicated "launcher" script needed so as to fit the phased transition
as intended with paster CLI frontend of Paste.

Early heads up about its final location to the SELinux policy team
(to Miroslav assigned to the original bug) is probably needed here.

+++ This bug was initially created as a clone of Bug #1023202 +++

See the subject, reproducer:

# yum install -y
# service luci start
# ps -Zp $(service luci status | awk '{print $5;}' )

In my case, both el6.4 and el6.5 reports something like this:
> LABEL                             PID TTY          TIME CMD
> unconfined_u:system_r:initrc_t:s0 6077 ?       00:00:00 python

The full command is:

> /usr/bin/python -Es /usr/bin/paster serve --daemon --user luci \
>  --group luci --log-file=/var/log/luci/luci.log \
>  --pid-file=/var/run/luci/luci.pid --server-name=init --app-name=init \
>  /var/lib/luci/etc/luci.ini

Was told this is not expected and I can also remember that in the past,
the luci-related things were labeled piranha*_t; see e.g. [bug 737635]
showing (if I interpret scontext ~ subject context correctly) that
expected process label should be:

> unconfined_u:system_r:piranha_web_t

--- Additional comment from Miroslav Grepl on 2013-10-25 09:30:31 CEST ---

Ok, this is way how the paster is involved. Basically we did fixes in Fedora for this where we changed the way how to confine it.

http://mgrepl.wordpress.com/2012/06/20/how-would-tools-like-paster-work-with-selinux/

This is a bug for RHEL6.6.

--- Additional comment from Jan Pokorný on 2013-10-30 15:21:41 CET ---

If I read the referenced blog post correctly, we should rather provide
a custom "launcher" script just to fit the current expected phased
transition scheme involving paster (so as not to complicate the matters
in the policy)?

--- Additional comment from Miroslav Grepl on 2013-11-04 15:10:19 CET ---

Jan,
yes. We need to have a helper scripts for luci. Also I will need to back port piranha.te policy changes to RHEL6.6 to make it working.