This repository has been archived by the owner on Dec 7, 2022. It is now read-only.
1160796 - SELinux change allowing celery to make TCP connections to all hosts and ports #1289
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
My expertise isn't strong enough to verify that this is correct, but it does look reasonable. It conceptually matches my expectations, and I have confidence that you implemented it correctly. :) LGTM |
bmbouter
added a commit
that referenced
this pull request
Nov 6, 2014
1160796 - SELinux change allowing celery to make TCP connections to all hosts and ports
seandst
pushed a commit
to seandst/pulp
that referenced
this pull request
Feb 11, 2016
Also resurrected a bunch of unit tests for the install distributor that had been removed during the mongoengine conversion. fixes pulp#1289
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://bugzilla.redhat.com/show_bug.cgi?id=1160796
This PR removes some portions of the SELinux policy that granted specific ports, and replaces it with a policy that grants all TCP port access to all nodes. It also adds some notes to the policy about why. These changes were also discussed on #selinux on freenode.
The BZ is about a problem accessing the proxy port, but after discussion it was determined that restricting Pulp's network access prevents normal pulp operation since sync or SMTP can be done on any port. Rather than adding another whitelist for the default proxy port, we're opening up all TCP connections. This is also OK because admins can use network or host firewalls to guard against unwanted network traffic.
I compiled this on EL6, EL7, FC19, and FC20 to ensure it will compile without error.
I also smoke tested repo create/sync/delete and consumer register/bind/update/unbind/unregister on EL6 with SELinux in enforcing mode and everything worked for me.