Bug 1101280

| Field | Value |
|---|---|
| Summary: | Package pulp-selinux and candlepin-selinux are installed but not effective |
| Product: | Red Hat Satellite |
| Component: | SELinux |
| Status: | CLOSED NOTABUG |
| Severity: | medium |
| Priority: | unspecified |
| Version: | Nightly |
| Target Milestone: | Unspecified |
| Target Release: | Unused |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Lukas Zapletal <lzap> |
| Assignee: | Lukas Zapletal <lzap> |
| QA Contact: | Katello QA List <katello-qa-list> |
| CC: | bbuckingham, bkearney, cwelton, dwalsh, lzap, mgrepl |
| Keywords: | Triaged |
| Doc Type: | Bug Fix |
| : | 1125334 1125337 |
| Last Closed: | 2014-09-03 14:39:49 UTC |
| Type: | Bug |
| Bug Blocks: | 1125334, 1125337 |

Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

Sorry I meant they are installed, but not effective. Let me investigate this first.

Cloned into Pulp and Candlepin projects, waiting for confirmation or explanation.

I have no idea what this bugzilla is complaining about? What are the pulp-selinux and candlepin-selinux packages supposed to do? And why do you think they are not effective?

The issue I have the current candlepin-selinux policy: https://github.com/candlepin/candlepin/tree/master/server/selinux

I can see specific domain and some rules but I can't find any process running as candlepin_t. I can only see tomcat6 process running in the generic unconfined_java_t. Those packages which are installed with Candlepin/Pulp are supposed to carry project policies similarly like spacewalk-selinux or foreman-selinux do. I suspect that the candlepin policy is outdated and not used at all. For Pulp, I think it is partially working. Please discuss this in the cloned bugs for each project, these are two different cases I think.

Did you run this through an init script or run it directly? You need to use the service script to start your instance. unconfined_t will not transition directly to your domain.

unconfined_t @ initrc_exec_t -> initrc_t @ candlepin_exec_t -> candlepin_t

Dan, I only use the init scripts of course. This is the bug I am reporting here. It ends up in wrong context.

Well then one of the scripts is labeled bin_t rather than initrc_exec_t, in order for a system service to continue to run as unconfined_t. What does the service run as if it is started during the boot?

Lukas, there will be an issue with java and how it is executed. Basically you need to have a helper script which executes tomcat from this script.

Moving your last comment to the cloned bug, closing this one.

Created attachment 915907: Comment (This comment was longer than 65,535 characters and has been moved to an attachment by Red Hat Bugzilla).
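
The transition chain discussed in the comments above, as an added example that is not part of the original bug report or of the Candlepin policy: a toy Python model in which a process changes domain only when a rule exists for its current domain and the label of the file it executes. The rule table, the `java_exec_t` rule and the function names are assumptions made for illustration; nothing is read from a real policy.

```python
# Added illustration: a toy model of SELinux domain transitions.
# The rule table is constructed for this example, not read from a real policy.

# (current domain, label of the executed file) -> new domain
TRANSITIONS = {
    ("unconfined_t", "initrc_exec_t"): "initrc_t",         # chain from the thread
    ("initrc_t", "candlepin_exec_t"): "candlepin_t",       # chain from the thread
    ("unconfined_t", "java_exec_t"): "unconfined_java_t",  # assumed rule
}


def run_chain(start_domain, exec_labels):
    """Return every domain the process passes through.

    exec_labels are the file labels of the programs executed in turn.
    With no matching rule the process keeps its current domain.
    """
    domains = [start_domain]
    for label in exec_labels:
        domains.append(TRANSITIONS.get((domains[-1], label), domains[-1]))
    return domains


def diagnose(start_domain, exec_labels, expected):
    """Name the first exec step that caused no domain change."""
    domains = run_chain(start_domain, exec_labels)
    if domains[-1] == expected:
        return "ok: ends in " + expected
    for step, label in enumerate(exec_labels):
        if domains[step + 1] == domains[step]:
            return "step %d: no transition from %s on %s (ends in %s)" % (
                step + 1, domains[step], label, domains[-1])
    return "wrong transition taken: ends in " + domains[-1]


if __name__ == "__main__":
    # Constructed exec chains, all started by an administrator in unconfined_t.
    cases = {
        "service script, correct labels": ["initrc_exec_t", "candlepin_exec_t"],
        "init script mislabeled bin_t": ["bin_t", "candlepin_exec_t"],
        "started directly from a shell": ["candlepin_exec_t"],
        "script runs java directly": ["bin_t", "java_exec_t"],
        "init script runs java, no helper": ["initrc_exec_t", "java_exec_t"],
        "helper script, then java": ["initrc_exec_t", "candlepin_exec_t", "java_exec_t"],
    }
    for name, labels in cases.items():
        print("%-34s %s" % (name, diagnose("unconfined_t", labels, "candlepin_t")))
```

On a real host the inputs to this reasoning come from `ps -eZ` for the process domain and `ls -Z` for the labels of the init script and the program it starts.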