Bug 1145720 - selinux relabel after yum update of pulp-selinux
Summary: selinux relabel after yum update of pulp-selinux
Alias: None
Product: Pulp
Classification: Retired
Component: rel-eng
Version: Master
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: pulp-bugs
QA Contact: pulp-qe-list
Depends On:
TreeView+ depends on / blocked
Reported: 2014-09-23 14:43 UTC by Bryan Kearney
Modified: 2015-05-05 08:54 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1131575
Last Closed: 2015-02-28 22:21:52 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Pulp Redmine 540 0 None None None Never

Comment 1 Brian Bouterse 2014-10-16 20:13:17 UTC
If pulp-selinux is being installed or uninstalled it has to run the restorecon statements. If there is a lot of file contents in the pulp areas of the filesystem, the SELinux policy needs to take its time to label them properly or the SELinux policy won't work.

Labeling them asynchronously is not viable IMO either because there is an expectation from the user that once the pulp-selinux install is complete they are protected, but asynchronous labeling would not yet be in place so they would still be vulnerable.

I believe the way to resolve this is to avoid doing work necessarily. The reason we do work unecessarily is because pulp-selinux is versioned in lock-step with Pulp. We should not have pulp-selinux lock step version with Pulp. To do that right it needs to be moved to its own package with its own version. There are a few practical things that prevent us from doing that right now, but we're working through those.

If pulp-selinux was not upgraded everytime a new Pulp release comes out then yum wouldn't even run the restorecon statements unless it actually needs to.

Comment 2 Stephen Benjamin 2015-01-06 12:57:27 UTC
You can also detect when changes are made, and only run restorecon on the applicable paths.  This works better anyway, because if the future separated pulp-selinux has a small change unrelated to /var/lib/pulp, you don't also relabel that.

I haven't looked into this too much, but it may help:

14:09 | stbenjam > is it typical to always run restorecon in a -selinux PRM %post? this is insane on pulp-selinux... /var/lib/pulp has hundreds of thousands of files :-(
14:11 | Dominic > stbenjam: you can optimise it in various ways, see fixfiles -C and probably selinux-policy pre/post script
14:11 | Dominic > stbenjam: I think you're basically only restoring contexts of files where there's a change in fcontext 14:21 | Dominic > stbenjam: line 277-282 in %pre, followed by 263-268 in %post.. http://pkgs.fedoraproject.org/cgit/selinux-policy.git/tree/selinux-policy.spec#n265

Comment 3 Brian Bouterse 2015-02-28 22:21:52 UTC
Moved to https://pulp.plan.io/issues/540

Note You need to log in before you can comment on or make changes to this bug.