This repository has been archived by the owner on Dec 7, 2022. It is now read-only.
1160796 - SELinux change allowing celery to make TCP connections to all hosts and ports #1289
https://bugzilla.redhat.com/show_bug.cgi?id=1160796
This PR removes some portions of the SELinux policy that granted specific ports, and replaces them with a policy that grants all TCP port access to all nodes. It also adds some notes to the policy about why. These changes were also discussed on #selinux on freenode.
The BZ is about a problem accessing the proxy port, but after discussion it was determined that restricting Pulp's network access prevents normal pulp operation since sync or SMTP can be done on any port. Rather than adding another whitelist for the default proxy port, we're opening up all TCP connections. This is also OK because admins can use network or host firewalls to guard against unwanted network traffic.
I compiled this on EL6, EL7, FC19, and FC20 to ensure it will compile without error.
I also smoke tested repo create/sync/delete and consumer register/bind/update/unbind/unregister on EL6 with SELinux in enforcing mode and everything worked for me.
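The PR's rationale is that the worker domain ends up with a blanket TCP `name_connect` grant and that host or network firewalls become the control that limits where it can actually connect. The following is an added example, not code from this PR or from the Pulp project, showing the two checks an administrator would want on such a host: listing the SELinux allow rules that let a domain initiate TCP connections (to confirm what the loaded policy really grants), and generating iptables egress rules that confine a worker uid's outbound TCP to an allowlist of ports. The domain name `celery_t` and the worker uid `48` (the `apache` user on EL-style systems) are assumptions for illustration; substitute the values from your own policy and service account.

```shell
#!/bin/sh
# Added example, not part of the Pulp PR. Assumed values: the worker domain
# is called celery_t and the worker runs as uid 48 (apache); both are
# illustrative assumptions, check `ps -eZ` and `id` on the real host.

# Print the allow rules that permit DOMAIN to initiate TCP connections.
# With a per-port policy this lists specific port types; after a
# corenet "all ports" grant it lists the generic port_type attribute.
# Works with both setools 3 (EL6/EL7) and setools 4.
show_tcp_connect_rules() {
    sesearch --allow -s "$1" -c tcp_socket -p name_connect
}

# Emit iptables OUTPUT rules restricting UID's outbound TCP to the given
# destination ports, rejecting everything else for that uid. The rules are
# printed rather than applied so they can be reviewed first.
egress_allowlist_rules() {
    uid="$1"; shift
    for port in "$@"; do
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -p tcp --dport %s -j ACCEPT\n' "$uid" "$port"
    done
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -p tcp -j REJECT --reject-with tcp-reset\n' "$uid"
}

# Number of rule lines that egress_allowlist_rules would emit for the
# same arguments (one ACCEPT per port plus the final REJECT).
egress_rule_count() {
    egress_allowlist_rules "$@" | wc -l | tr -d ' '
}

# Usage (run as root on the target host):
#   show_tcp_connect_rules celery_t
#   egress_allowlist_rules 48 443 25 3128 | sh
```

Review the generated rules before piping them to `sh`: the final REJECT applies to every outbound TCP connection made by that uid, so any sync source, SMTP relay or proxy the workers legitimately need must appear in the port list. The `sesearch` output is the evidence that the policy on the host matches the intent of the change, independent of what the source `.te` file says.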