Created attachment 915907 [details] Comment (This comment was longer than 65,535 characters and has been moved to an attachment by Red Hat Bugzilla).
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
Sorry I meant they are installed, but not effective. Let me investigate this first.
Cloned into Pulp and Candlepin projects, waiting for confirmation or explanation.
I have no idea what this bugzilla is complaining about? What are the pulp-selinux and candlepin-selinux packages supposed to do? And why do you think they are not effective?
The issue I have is with the current candlepin-selinux policy: https://github.com/candlepin/candlepin/tree/master/server/selinux I can see a specific domain and some rules but I can't find any process running as candlepin_t. I can only see the tomcat6 process running in the generic unconfined_java_t. Those packages which are installed with Candlepin/Pulp are supposed to carry project policies similarly to what spacewalk-selinux or foreman-selinux do. I suspect that the candlepin policy is outdated and not used at all. For Pulp, I think it is partially working. Please discuss this in the cloned bugs for each project, these are two different cases I think.
Did you run this through an init script or run it directly? You need to use the service script to start your instance. unconfined_t will not transition directly to your domain. unconfined_t @initrc_exec_t -> initrc_t @ candlepin_exec_t -> candlepin_t
Dan, I only use the init scripts of course. This is the bug I am reporting here. It ends up in wrong context.
Well then one of the scripts is labeled bin_t rather than initrc_exec_t, in order for a system service to continue to run as unconfined_t. What does the service run as if it is started during the boot?
Lukas, there will be an issue with java and how it is executed. Basically you need to have a helper script which executes tomcat from this script.
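The three comments above describe the domain transition chain a confined service depends on (unconfined_t exec's an initrc_exec_t init script to get initrc_t, which exec's the candlepin_exec_t entrypoint to get candlepin_t) and the most common way it breaks: an init script labeled bin_t, which leaves the service in the caller's domain. The following script is an added example written for this page, not code from the bug report or from the Candlepin or Pulp projects. It encodes that chain as a small transition table, parses `ls -Z` and `ps -eZ` style output, and reports why the running process is not in the expected domain. The sample output is constructed, and `candlepin_exec_t` is assumed to be the entrypoint type the project policy defines.

```python
"""Diagnose why an SELinux-confined service is still running unconfined.

Added example (not from the bug report or the Candlepin/Pulp projects).
Models the transition chain from the thread and checks ls -Z / ps -eZ
output against it.  All sample output below is constructed.
"""
from typing import Dict, List, Tuple

# type_transition rules as (source domain, executable type) -> new domain.
# Only the chain described in the thread is modelled; a real audit would
# pull the rules from `sesearch -T -s <domain> -t <type>`.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("unconfined_t", "initrc_exec_t"): "initrc_t",
    ("initrc_t", "candlepin_exec_t"): "candlepin_t",   # assumed entrypoint type
}


def context_type(context: str) -> str:
    """Type field of a context like 'system_u:object_r:initrc_exec_t:s0'."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def domain_after_exec(caller: str, file_type: str) -> str:
    """Domain a process is in after exec'ing a file of file_type.
    With no matching rule the caller's domain is inherited, which is what
    happens when an init script is mislabeled bin_t."""
    return TRANSITIONS.get((caller, file_type), caller)


def expected_service_domain(script_type: str, exec_type: str) -> str:
    """Follow unconfined_t -> init script -> service entrypoint."""
    after_script = domain_after_exec("unconfined_t", script_type)
    return domain_after_exec(after_script, exec_type)


def parse_ls_z(line: str) -> str:
    """File type from one line of `ls -Z` (mode user group context path)."""
    ctx = next(f for f in line.split() if f.count(":") >= 2)
    return context_type(ctx)


def parse_ps_ez(output: str) -> List[Tuple[str, str, str]]:
    """(domain, pid, cmd) for each line of `ps -eZ` output, header skipped."""
    procs = []
    for line in output.strip().splitlines()[1:]:
        fields = line.split(None, 4)          # LABEL PID TTY TIME CMD
        if len(fields) < 5:
            continue
        label, pid, _tty, _time, cmd = fields
        procs.append((context_type(label), pid, cmd))
    return procs


def diagnose(ls_z_line: str, ps_ez_output: str, exec_type: str,
             expected_domain: str, cmd: str = "java") -> List[str]:
    """Return human-readable findings; an empty list means all is well."""
    findings = []
    script_type = parse_ls_z(ls_z_line)
    script_path = ls_z_line.split()[-1]
    predicted = expected_service_domain(script_type, exec_type)
    if script_type != "initrc_exec_t":
        findings.append(
            f"{script_path} is labeled {script_type}, not initrc_exec_t: "
            f"the service stays in {predicted}; run `restorecon -v {script_path}` "
            f"and re-check the policy's file contexts")
    for domain, pid, name in parse_ps_ez(ps_ez_output):
        if name == cmd and domain != expected_domain:
            findings.append(
                f"pid {pid} ({name}) runs as {domain}, expected {expected_domain}")
    return findings


# Constructed sample output mirroring the situation in the report.
LS_Z = "-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /etc/init.d/tomcat6"
PS_EZ = """LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
unconfined_u:unconfined_r:unconfined_java_t:s0 2345 ?  00:00:12 java
"""

if __name__ == "__main__":
    for finding in diagnose(LS_Z, PS_EZ, "candlepin_exec_t", "candlepin_t"):
        print(finding)
```

On a real host, feed the script the output of `ls -Z /etc/init.d/<service>` and `ps -eZ`; the transition table is the part to replace with the rules `sesearch` reports for the installed policy. The mislabeled-script case is the one the thread turns on, so the check for `initrc_exec_t` comes first.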
Moving your last comment to the cloned bug, closing this one.