From 2d9d4432fcf496dfe90755124df7c9d9fdf24496 Mon Sep 17 00:00:00 2001 From: Mike DePaulo Date: Mon, 23 Aug 2021 09:21:29 -0400 Subject: [PATCH 1/3] Update for systemd type=notify fixes: #9272 pulpcore-selinux needs SELinux changes for systemd Type=notify https://pulp.plan.io/issues/9272 https://bugzilla.redhat.com/show_bug.cgi?id=1976783# https://community.theforeman.org/t/katello-pulpcore-selinux-issues/24507 related to: #9271 gunicorn processes should be managed by systemd as Type=notify https://pulp.plan.io/issues/9271 --- pulpcore.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pulpcore.te b/pulpcore.te index a3a06c7..5d45c1d 100644 --- a/pulpcore.te +++ b/pulpcore.te @@ -98,6 +98,10 @@ fs_tmpfs_filetrans(pulpcore_t, pulpcore_server_tmpfs_t, file ) allow pulpcore_t pulpcore_server_tmpfs_t:file map; # interface calls + +# Needed for systemd Type=notify support +kernel_dgram_send(pulpcore_server_t) + kernel_read_all_proc(pulpcore_t) kernel_read_all_proc(pulpcore_server_t) @@ -129,6 +133,9 @@ libs_exec_ldconfig(pulpcore_server_t) # Needed for systemd Type=notify support init_write_pid_socket(pulpcore_server_t) +allow pulpcore_server_t init_var_run_t:unix_dgram_socket { connect create }; +allow pulpcore_server_t self:unix_dgram_socket { connect create }; +allow kernel_t init_var_run_t:unix_dgram_socket sendto; miscfiles_read_generic_certs(pulpcore_t) From 45581fdecbbc7d680507cd6708d6a959f40a36be Mon Sep 17 00:00:00 2001 From: Mike DePaulo Date: Tue, 24 Aug 2021 12:52:06 -0400 Subject: [PATCH 2/3] Ignore /etc/mime.types access by Python itself Discovered as part of the investigation into #9271 . re: #9272 pulpcore-selinux needs SELinux changes for systemd Type=notify https://pulp.plan.io/issues/9272 [noissue] --- pulpcore.te | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pulpcore.te b/pulpcore.te index 5d45c1d..0a6788b 100644 --- a/pulpcore.te +++ b/pulpcore.te 
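Review bot: The comment above the added `kernel_dgram_send(pulpcore_server_t)` says only that it is for Type=notify, but it does not say why the kernel domain is the peer of the notify datagram; on a normally booted system $NOTIFY_SOCKET is owned by systemd, and the pre-existing `init_write_pid_socket(pulpcore_server_t)` in the next hunk looks like the intended path for that. If this denial was captured while systemd was running unconfined as kernel_t (early boot or a container that never transitioned to init_t), the comment should record that so a later maintainer does not keep the rule blindly, e.g. `# sd_notify() to $NOTIFY_SOCKET; peer observed as kernel_t (TODO: confirm why systemd was not init_t here)`. Without that, a rule that sends to kernel_t from a web-service domain reads as a labelling problem being papered over rather than fixed.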
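Review bot: `allow kernel_t init_var_run_t:unix_dgram_socket sendto;` has kernel_t as its source domain, so this application module widens the permissions of a core domain it does not own, and the grant applies to everything running as kernel_t, not just to the pulpcore notify path. The neighbouring `allow pulpcore_server_t init_var_run_t:unix_dgram_socket { connect create };` is also odd, since a domain labels the sockets it creates with its own type (which the `self` rule on the next line already covers), so these three lines look like audit2allow output taken verbatim from an unusual labelling state. I would confirm which concrete denial each rule resolves on a normally booted host, drop any that only reproduced while systemd ran as kernel_t, and give the survivors a comment such as `# sd_notify(): pulpcore_server_t creates its own dgram socket and sends to $NOTIFY_SOCKET (init_var_run_t)`. Note also that neither kernel_t nor init_var_run_t is added to a require block in this series; presumably they are in scope through other interfaces' gen_require, which makes the dependency implicit.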
@@ -1,5 +1,10 @@ policy_module(pulpcore, 1.2.4) +require { + type httpd_config_t; + class dir search; +} + ######################################## # # Declarations @@ -141,6 +146,10 @@ miscfiles_read_generic_certs(pulpcore_t) sysnet_read_config(pulpcore_t) +# Attempts to read the non-existent /etc/httpd/mime.types with Katello on EL7 +# Occurs whenever mailcap isn't installed, which would provide /etc/mime.types +dontaudit pulpcore_server_t httpd_config_t:dir search; + optional_policy(` gpg_exec(pulpcore_t) ') From 8ea290e99e7aeb4a367437f9cd5bf50e5fd66a3c Mon Sep 17 00:00:00 2001 From: Mike DePaulo Date: Tue, 24 Aug 2021 16:35:55 -0400 Subject: [PATCH 3/3] Bump version to 1.2.5 --- pulpcore.te | 2 +- pulpcore_port.te | 2 +- pulpcore_rhsmcertd.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pulpcore.te b/pulpcore.te index 0a6788b..ec2b112 100644 --- a/pulpcore.te +++ b/pulpcore.te @@ -1,4 +1,4 @@ -policy_module(pulpcore, 1.2.4) +policy_module(pulpcore, 1.2.5) require { type httpd_config_t; diff --git a/pulpcore_port.te b/pulpcore_port.te index 6d520d4..d6a3b7c 100644 --- a/pulpcore_port.te +++ b/pulpcore_port.te @@ -1,4 +1,4 @@ -policy_module(pulpcore_port, 1.2.4) +policy_module(pulpcore_port, 1.2.5) gen_require(` attribute port_type; diff --git a/pulpcore_rhsmcertd.te b/pulpcore_rhsmcertd.te index dac74ff..14ad659 100644 --- a/pulpcore_rhsmcertd.te +++ b/pulpcore_rhsmcertd.te @@ -1,4 +1,4 @@ -policy_module(pulpcore_rhsmcertd, 1.2.4) +policy_module(pulpcore_rhsmcertd, 1.2.5) gen_require(` type pulpcore_server_t, rhsmcertd_config_t;
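Review bot: The new `dontaudit pulpcore_server_t httpd_config_t:dir search;` is satisfied through a bare top-level `require { type httpd_config_t; class dir search; }` added in the first hunk, and a hard require on a type owned by the apache module makes the whole pulpcore module fail to load on any host where that module is absent, even though this rule only silences a harmless probe. The file already uses optional_policy for gpg_exec (visible as context in this hunk), so the same pattern fits: put the rule in an optional block with its own gen_require and drop the top-level require block from the first hunk. If the apache module provides a dontaudit-search-config interface, calling it inside that block is preferable to the raw rule. Proposed replacement for the dontaudit lines:

```selinux
# Python probes the non-existent /etc/httpd/mime.types with Katello on EL7
# whenever mailcap (which provides /etc/mime.types) isn't installed; silence it.
optional_policy(`
	gen_require(`
		type httpd_config_t;
	')
	dontaudit pulpcore_server_t httpd_config_t:dir search;
')
# … unchanged: optional_policy(` gpg_exec(pulpcore_t) ') …
```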