[Pulp-list] Pulp & SELinux

Cliff Perry cperry at redhat.com
Mon Aug 1 19:07:51 UTC 2011

On 08/01/2011 07:51 AM, John Matthews wrote:
> We've added SELinux rules for Pulp on Fedora and RHEL-6 (RHEL-5 is not supported).  The rules are deployed as part of the rpm.
> The SELinux rules for the pulp module exist at: selinux/pulp.te
> We have a wiki page here that describes a process for updating the rules: https://fedorahosted.org/pulp/wiki/SELinux
> If you see any issues please let me know.
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-list

Hi guys,
Please take this as constructive feedback. I'd be happy to give pointers 
to guides/documents to help improve this - currently though I'm not 
happy with this, I have no warm fuzzies.

Good point - you can run pulp with SELinux enabled, so better than with 
it disabled.

Bad point - we have achieved this by choosing to weaken the default 
security policies shipped in RHEL 6.

Ugly points - reviewing:
  - we give Apache the ability to execute anything within /tmp.
  - we give Apache the ability to delete its own log files.
  - we give Apache the ability to modify its own and anyone else's certs.
  - we give Apache the ability to connect to any TCP socket/port rather 
than restrict to specific needed one.

So, I'm concerned - but glad we have taken these first steps. This 
initial policy should be one to build upon. With a firm understanding of 
what pulp is and what it does and where on the OS pulp needs to do 
things - you should and we need to start locking pulp down by code 
modifications and specific SELinux rules written for pulp's needs. Likely 
command line tool(s) which are confined that pulp calls vs pulp as an 
apache process trying to read/write over the OS is needed. The knocking 
of holes through walls put up by the SELinux policies which are in pulp's way 
will just lead to someone looking for ways to exploit pulp down the road.
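As an added illustration (not code from the Pulp project or from anyone in this thread), a small Python linter that parses a constructed .te fragment and flags the four kinds of over-broad httpd_t rules listed above; the sample rules and the check table are assumptions for the demo, not the contents of the real selinux/pulp.te.

```python
"""Flag over-broad 'allow' rules for httpd_t in an SELinux .te module."""
import re

# Constructed sample module for the demo; NOT Pulp's real selinux/pulp.te.
SAMPLE_TE = """\
policy_module(pulp, 0.1)
require { type httpd_t; type tmp_t; type httpd_log_t; type cert_t; attribute port_type; }
allow httpd_t tmp_t:file { execute execute_no_trans };
allow httpd_t httpd_log_t:file unlink;
allow httpd_t cert_t:file { write unlink };
allow httpd_t port_type:tcp_socket name_connect;
allow httpd_t httpd_log_t:file { append create };
"""

# allow <source> <target>:<class> <perm | { perm perm ... }> ;
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# Hypothetical check table: (target type/attribute, object class, permissions
# that should be questioned in review, human-readable reason).
CHECKS = [
    ("tmp_t", "file", {"execute", "execute_no_trans"}, "executes files in /tmp"),
    ("httpd_log_t", "file", {"unlink"}, "can delete its own log files"),
    ("cert_t", "file", {"write", "unlink"}, "can modify or remove certificates"),
    ("port_type", "tcp_socket", {"name_connect"}, "may connect to any TCP port"),
]


def parse_allow_rules(text):
    """Return (source, target, class, {perms}) for each allow rule in text."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.strip("{}").split())))
    return rules


def audit(text, subject="httpd_t"):
    """Return (target, class, sorted risky perms, reason) for each over-broad rule."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(text):
        if src != subject:
            continue  # only the web server domain is in scope here
        for chk_tgt, chk_cls, risky, why in CHECKS:
            hit = perms & risky
            if tgt == chk_tgt and cls == chk_cls and hit:
                findings.append((tgt, cls, sorted(hit), why))
    return findings
```

Run `audit(SAMPLE_TE)` against your own module text; the last sample rule (append/create on httpd_log_t) is ordinary logging and is deliberately not flagged.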
