From 0680e207e17edb2ae1bbe2887fa85481bb26c606 Mon Sep 17 00:00:00 2001
From: Mike DePaulo
Date: Fri, 18 Sep 2020 16:58:48 -0400
Subject: [PATCH 1/2] Problem: pulpcore-selinux fails to build due to unknown type pulpcore_etc_t

Solution: Label the /etc/pulp/ files and subfolders individually (And declare the type to fix the failure.)

fixes: #7532
---
 pulpcore.fc | 9 +++++++++
 pulpcore.te | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/pulpcore.fc b/pulpcore.fc
index 30bfc42..8b4623f 100644
--- a/pulpcore.fc
+++ b/pulpcore.fc
@@ -1,3 +1,12 @@
+#/etc/pulp/certs(/.*)? gen_context(system_u:object_r:pulpcore_etc_t,s0)
+/etc/pulp/settings.py gen_context(system_u:object_r:pulpcore_etc_t,s0)
+/etc/pulp/token_private_key.pem gen_context(system_u:object_r:pulpcore_etc_t,s0)
+/etc/pulp/token_public_key.pem gen_context(system_u:object_r:pulpcore_etc_t,s0)
+# The installer prior to 2020-08-20 used these 2 token paths. Clean up once dev
+# instance is deleted.
+/etc/pulp/private_key.pem gen_context(system_u:object_r:pulpcore_etc_t,s0)
+/etc/pulp/public_key.pem gen_context(system_u:object_r:pulpcore_etc_t,s0)
+
 /usr/bin/rq -- gen_context(system_u:object_r:pulpcore_exec_t,s0)
 /usr/bin/gunicorn -- gen_context(system_u:object_r:pulpcore_server_exec_t,s0)
diff --git a/pulpcore.te b/pulpcore.te
index 7e41171..ec3c5b4 100644
--- a/pulpcore.te
+++ b/pulpcore.te
@@ -17,6 +17,9 @@ init_daemon_domain(pulpcore_server_t, pulpcore_server_exec_t)
 init_nnp_daemon_domain(pulpcore_server_t)
 permissive pulpcore_server_t;
+type pulpcore_etc_t;
+files_config_file(pulpcore_etc_t)
+
 type pulpcore_var_lib_t;
 files_type(pulpcore_var_lib_t)
 type pulpcore_server_var_lib_t;

From 9a3e3fc76d09bfa71b466a93b9ae63dadc67a390 Mon Sep 17 00:00:00 2001
From: Mike DePaulo
Date: Mon, 21 Sep 2020 11:03:22 -0400
Subject: [PATCH 2/2] Set webserver certs to httpd_config_t

---
 pulpcore.fc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pulpcore.fc b/pulpcore.fc
index 8b4623f..0c272a6 100644
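Review bot: The new pulpcore.fc entries for settings.py and the four .pem files omit the `--` regular-file specifier that the existing `/usr/bin/rq --` and `/usr/bin/gunicorn --` lines use, so a directory or symlink that later appears at one of those paths would also be labeled pulpcore_etc_t; `/etc/pulp/settings.py -- gen_context(system_u:object_r:pulpcore_etc_t,s0)` keeps the file-context style consistent and the match specific. The two private keys (`token_private_key.pem`, `private_key.pem`) get the same type as settings.py, so any domain later granted read on pulpcore_etc_t in order to load settings would also gain read on the signing keys; if more than the token-signing domain needs the settings, a dedicated key type would preserve that separation. The `.` in `settings.py` is an unescaped regex metacharacter in a file_contexts path, harmless here but `settings\.py` is the conventional form. The "Clean up once dev instance is deleted" comment ties a shipped policy file to a development host; an issue reference or target date would make the cleanup trackable.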
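Review bot: Declaring `type pulpcore_etc_t;` with `files_config_file(pulpcore_etc_t)` makes the type known to the build, but nothing in this pulpcore.te hunk grants pulpcore_server_t read access to it, and the `permissive pulpcore_server_t;` context line just above means a missing allow rule would surface only as audited AVC denials rather than as a functional failure. Unless the access rules live outside the hunk, a rule such as `read_files_pattern(pulpcore_server_t, pulpcore_etc_t, pulpcore_etc_t)` belongs next to the declaration so the module is complete before permissive mode is dropped; note that the .fc change gives `/etc/pulp` itself no entry, so the directory keeps its default type and may need separate search permission. A one-line comment above the declaration, `# /etc/pulp settings and token signing keys (labeled in pulpcore.fc)`, would document what the type covers.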
--- a/pulpcore.fc
+++ b/pulpcore.fc
@@ -1,4 +1,5 @@
-#/etc/pulp/certs(/.*)? gen_context(system_u:object_r:pulpcore_etc_t,s0)
+# label for both nginx & apache
+/etc/pulp/certs(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/pulp/settings.py gen_context(system_u:object_r:pulpcore_etc_t,s0)
 /etc/pulp/token_private_key.pem gen_context(system_u:object_r:pulpcore_etc_t,s0)
 /etc/pulp/token_public_key.pem gen_context(system_u:object_r:pulpcore_etc_t,s0)
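Review bot: `/etc/pulp/certs(/.*)?` labels everything under that directory, including any TLS private keys stored there, as httpd_config_t, a configuration type, so every domain and tool with read access to webserver configuration also gains read access to the key material. Refpolicy keeps certificates and keys under `cert_t` (the type of `/etc/pki(/.*)?`), which the httpd domain normally reads via the generic cert interfaces, and if that access is present in the target policy `cert_t` would be the narrower label for this directory. The comment `# label for both nginx & apache` records the intent but not why a config type was chosen over a cert type; extending it with that reasoning, or with a note that the directory holds keys, would help the next maintainer.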