Fixes #30465 - Run services in SELinux enforcing mode

theforeman · Jul 23, 2020 · 2eeb921 · 2eeb921
1 parent a474728
commit 2eeb921
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 30 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -20,7 +20,7 @@
     order   => '01',
   }
 
-  file { [$pulpcore::user_home, $pulpcore::webserver_static_dir, $pulpcore::cache_dir]:
+  file { [$pulpcore::user_home, $pulpcore::webserver_static_dir, $pulpcore::cache_dir, $pulpcore::pulp_static_root]:
     ensure => directory,
     owner  => $pulpcore::user,
     group  => $pulpcore::group,
@@ -30,6 +30,14 @@
   pulpcore::admin { 'collectstatic --noinput':
     refreshonly => true,
     subscribe   => Concat['pulpcore settings'],
+    require     => File[$pulpcore::pulp_static_root],
+  }
+
+  file { '/usr/libexec/pulpcore':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
   }
 
   selinux::port { 'pulpcore-api-port':

diff --git a/manifests/service.pp b/manifests/service.pp
@@ -2,22 +2,37 @@
 # @api private
 class pulpcore::service {
 
+  ['gunicorn', 'rq'].each |$bin| {
+    file { "/usr/libexec/pulpcore/${bin}":
+      ensure  => file,
+      content => "#!/bin/bash\nexec ${bin} \"$@\"\n",
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0755',
+      # https://github.com/pulp/pulpcore-selinux/pull/13
+      seltype => 'pulpcore_exec_t',
+    }
+  }
+
   systemd::unit_file { 'pulpcore-api.service':
-    content => template('pulpcore/pulpcore-api.service.erb'),
-    active  => true,
-    enable  => true,
+    content   => template('pulpcore/pulpcore-api.service.erb'),
+    active    => true,
+    enable    => true,
+    subscribe => File['/usr/libexec/pulpcore/gunicorn'],
   }
 
   systemd::unit_file { 'pulpcore-content.service':
-    content => template('pulpcore/pulpcore-content.service.erb'),
-    active  => true,
-    enable  => true,
+    content   => template('pulpcore/pulpcore-content.service.erb'),
+    active    => true,
+    enable    => true,
+    subscribe => File['/usr/libexec/pulpcore/gunicorn'],
   }
 
   systemd::unit_file { 'pulpcore-resource-manager.service':
-    content => template('pulpcore/pulpcore-resource-manager.service.erb'),
-    active  => true,
-    enable  => true,
+    content   => template('pulpcore/pulpcore-resource-manager.service.erb'),
+    active    => true,
+    enable    => true,
+    subscribe => File['/usr/libexec/pulpcore/rq'],
   }
 
   systemd::unit_file { 'pulpcore-worker@.service':
@@ -26,9 +41,10 @@
 
   Integer[1, $pulpcore::worker_count].each |$n| {
     service { "pulpcore-worker@${n}.service":
-      ensure  => running,
-      enable  => true,
-      require => [Systemd::Unit_file['pulpcore-worker@.service'], Class['systemd::systemctl::daemon_reload']],
+      ensure    => running,
+      enable    => true,
+      require   => Class['systemd::systemctl::daemon_reload'],
+      subscribe => [Systemd::Unit_file['pulpcore-worker@.service'], File['/usr/libexec/pulpcore/rq']],
     }
   }
 

diff --git a/templates/pulpcore-api.service.erb b/templates/pulpcore-api.service.erb
@@ -8,9 +8,10 @@ Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 Environment="PULP_STATIC_ROOT=<%= scope['pulpcore::pulp_static_root'] %>"
 User=<%= scope['pulpcore::user'] %>
-PIDFile=/run/pulpcore-api.pid
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=%t/pulpcore-api
 RuntimeDirectory=pulpcore-api
-ExecStart=/usr/bin/gunicorn pulpcore.app.wsgi:application \
+ExecStart=/usr/libexec/pulpcore/gunicorn pulpcore.app.wsgi:application \
           --bind '<%= scope['pulpcore::api_host'] %>:<%= scope['pulpcore::api_port'] %>' \
           --access-logfile -
 ProtectSystem=full
@@ -24,13 +25,6 @@ SyslogIdentifier=pulpcore-api
 Restart=always
 RestartSec=3
 
-# This directive is set to an absolute path in other Pulp units. Using an
-# absolute path is an abuse of the directive, as it should be a relative path,
-# not an absolute path. PIDFile is now used to ensure that PID files are laid
-# out in a standard way. If this directive had any other effects, it is better
-# to use the correct directive than to uncomment this.
-# WorkingDirectory=/var/run/pulpcore-api/
-
 [Install]
 WantedBy=multi-user.target
 
diff --git a/templates/pulpcore-content.service.erb b/templates/pulpcore-content.service.erb
@@ -7,9 +7,10 @@ Wants=network-online.target
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
-WorkingDirectory=/var/run/pulpcore-content/
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=%t/pulpcore-content
 RuntimeDirectory=pulpcore-content
-ExecStart=/usr/bin/gunicorn pulpcore.content:server \
+ExecStart=/usr/libexec/pulpcore/gunicorn pulpcore.content:server \
           --bind '<%= scope['pulpcore::content_host'] %>:<%= scope['pulpcore::content_port'] %>' \
           --worker-class 'aiohttp.GunicornWebWorker' \
           -w 2 \

diff --git a/templates/pulpcore-resource-manager.service.erb b/templates/pulpcore-resource-manager.service.erb
@@ -4,14 +4,15 @@ After=network-online.target
 Wants=network-online.target
 
 [Service]
+Type=simple
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
-WorkingDirectory=/var/run/pulpcore-resource-manager/
+Group=<%= scope['pulpcore::group'] %>
+WorkingDirectory=%t/pulpcore-resource-manager
 RuntimeDirectory=pulpcore-resource-manager
-ExecStart=/usr/bin/rq worker \
+ExecStart=/usr/libexec/pulpcore/rq worker \
           -w pulpcore.tasking.worker.PulpWorker -n resource-manager \
-          --pid=/var/run/pulpcore-resource-manager/resource-manager.pid \
           -c 'pulpcore.rqconfig' \
           --disable-job-desc-logging
 

diff --git a/templates/pulpcore-worker@.service.erb b/templates/pulpcore-worker@.service.erb
@@ -4,17 +4,17 @@ After=network-online.target
 Wants=network-online.target
 
 [Service]
+Type=simple
 EnvironmentFile=-/etc/default/pulp-workers
 EnvironmentFile=-/etc/default/pulp-workers-%i
 Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
 Environment="PULP_SETTINGS=<%= scope['pulpcore::settings_file'] %>"
 User=<%= scope['pulpcore::user'] %>
 Group=<%= scope['pulpcore::group'] %>
-WorkingDirectory=/var/run/pulpcore-worker-%i/
+WorkingDirectory=%t/pulpcore-worker-%i
 RuntimeDirectory=pulpcore-worker-%i
-ExecStart=/usr/bin/rq worker \
+ExecStart=/usr/libexec/pulpcore/rq worker \
           -w pulpcore.tasking.worker.PulpWorker \
-          --pid=/var/run/pulpcore-worker-%i/reserved-resource-worker-%i.pid \
           -c 'pulpcore.rqconfig' \
           --disable-job-desc-logging