Merge pull request #50 from mikedep333/misc_features

Misc features for 1.3.0

.github/workflows/tests.yml

@@ -8,9 +8,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        centos: ["7", "8"]
+        centos: ["centos:7", "quay.io/centos/centos:stream8"]
     container:
-      image: centos:${{ matrix.centos }}
+      image: ${{ matrix.centos }}
     steps:
       - uses: actions/checkout@v2
       - name: Install packages

pulpcore.fc

@@ -1,12 +1,11 @@
 # label for both nginx & apache
 /etc/pulp/certs(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+
+/etc/pulp/certs/database_fields.symmetric.key	gen_context(system_u:object_r:pulpcore_etc_t,s0)
+/etc/pulp/certs/galaxy_signing_service.*	gen_context(system_u:object_r:pulpcore_etc_t,s0)
+/etc/pulp/certs/token_private_key.pem		gen_context(system_u:object_r:pulpcore_etc_t,s0)
+/etc/pulp/certs/token_public_key.pem		gen_context(system_u:object_r:pulpcore_etc_t,s0)
 /etc/pulp/settings.py			gen_context(system_u:object_r:pulpcore_etc_t,s0)
-/etc/pulp/token_private_key.pem			gen_context(system_u:object_r:pulpcore_etc_t,s0)
-/etc/pulp/token_public_key.pem			gen_context(system_u:object_r:pulpcore_etc_t,s0)
-# The installer prior to 2020-08-20 used these 2 token paths. Clean up once dev
-# instance is deleted.
-/etc/pulp/private_key.pem			gen_context(system_u:object_r:pulpcore_etc_t,s0)
-/etc/pulp/public_key.pem			gen_context(system_u:object_r:pulpcore_etc_t,s0)
 
 /usr/libexec/pulpcore/.*	--	gen_context(system_u:object_r:pulpcore_exec_t,s0)
 /usr/libexec/pulpcore/gunicorn	--	gen_context(system_u:object_r:pulpcore_server_exec_t,s0)
@@ -24,6 +23,8 @@
 /var/lib/pulp/upload(/.*)?	gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
 /var/lib/pulp/sign-metadata.sh	--	gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
 
+/var/log/galaxy_api_access.log		gen_context(system_u:object_r:pulpcore_log_t,s0)
+
 /var/run/pulpcore-api(/.*)?		gen_context(system_u:object_r:pulpcore_server_var_run_t,s0)
 /var/run/pulpcore-content(/.*)?		gen_context(system_u:object_r:pulpcore_server_var_run_t,s0)
 /var/run/pulpcore-(api|content)\.sock	gen_context(system_u:object_r:pulpcore_server_var_run_t,s0)

pulpcore.te

@@ -1,4 +1,4 @@
-policy_module(pulpcore, 1.2.8)
+policy_module(pulpcore, 1.3.0)
 
 require {
 	type httpd_config_t;
@@ -25,6 +25,9 @@ permissive pulpcore_server_t;
 type pulpcore_etc_t;
 files_config_file(pulpcore_etc_t)
 
+type pulpcore_log_t;
+logging_log_file(pulpcore_log_t)
+
 type pulpcore_var_lib_t;
 files_type(pulpcore_var_lib_t)
 type pulpcore_server_var_lib_t;
@@ -77,6 +80,10 @@ manage_files_pattern(pulpcore_server_t, pulpcore_var_lib_t, pulpcore_var_lib_t)
 read_lnk_files_pattern(pulpcore_server_t, pulpcore_var_lib_t, pulpcore_var_lib_t)
 write_sock_files_pattern(pulpcore_t, pulpcore_var_lib_t, pulpcore_var_lib_t)
 
+# /var/log
+append_files_pattern(pulpcore_t, pulpcore_log_t, pulpcore_log_t)
+append_files_pattern(pulpcore_server_t, pulpcore_log_t, pulpcore_log_t)
+
 # /run
 manage_dirs_pattern(pulpcore_t, pulpcore_var_run_t, pulpcore_var_run_t)
 manage_files_pattern(pulpcore_t, pulpcore_var_run_t, pulpcore_var_run_t)
@@ -178,10 +185,18 @@ sysnet_read_config(pulpcore_t)
 
 # Attempts to read the non-existent /etc/httpd/mime.types with Katello on EL7
 # Occurs whenever mailcap isn't installed, which would provide /etc/mime.types
-dontaudit pulpcore_server_t httpd_config_t:dir search;
+# dontaudit pulpcore_server_t httpd_config_t:dir search;
+#
+# Instead of just doing that, we have this broader config to allow both pulp
+# contexts to be able to read the new pulp certs and keys under /etc/pulp/certs
+apache_search_config(pulpcore_t)
+apache_search_config(pulpcore_server_t)
+allow pulpcore_t httpd_config_t:dir read;
+allow pulpcore_server_t httpd_config_t:dir read;
 
 optional_policy(`
         gpg_exec(pulpcore_t)
+        gpg_exec(pulpcore_server_t)
 ')
 
 optional_policy(`

pulpcore_port.te

@@ -1,4 +1,4 @@
-policy_module(pulpcore_port, 1.2.8)
+policy_module(pulpcore_port, 1.3.0)
 
 gen_require(`
     attribute port_type;

pulpcore_rhsmcertd.te

@@ -1,4 +1,4 @@
-policy_module(pulpcore_rhsmcertd, 1.2.8)
+policy_module(pulpcore_rhsmcertd, 1.3.0)
 
 gen_require(`
 	type pulpcore_server_t, rhsmcertd_config_t;