Foreman-selinux package is ready

All,

we are finished with the required changes to our SELinux policy. It does run
with Passenger 4.0+ in both SCL and non-SCL mode. Also, the policy has
been slightly optimized and now requires a minimum version of RHEL 6.4 (or
clones of course).

The policy lives here:

Scratch build available here:

http://koji.katello.org/koji/taskinfo?taskID=38789

Big thanks to Mirek Grepl from the SELinux team for analysis and Dominic for
testing and review.

I will follow up with a PR into the Foreman SPEC to require foreman-selinux. I
think a hard require is fine, because everyone can still turn SELinux off.
It is also possible to just disable the Foreman policy while having
SELinux in enforcing too. There are a few commands available:

foreman-selinux-enable
foreman-selinux-disable
foreman-selinux-relabel

They are documented (see man pages).

Opinions? Comments?

--
Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

Brilliant, thank you.

I've just done a test of RC2 with the policy (installed after Foreman
itself, then switched to enforcing) and my basic Foreman install with
the puppetmaster continued functioning. An excellent start!

I expect we'll have a few edge cases, but I'll add this to the RC2
announcement so we get people testing it.

I don't know about whether we should add it as a dependency to "foreman"
or not, as opposed to adding it to the installer so it's installed only
when SELinux is loaded. Pure package users can also install it as an
option, like they do other functionality.

On 07/06/13 14:05, Lukas Zapletal wrote:
> All,
>
> we are finished with required changes to our selinux policy. It does run
> with Passenger 4.0+ both in SCL and non-SCL mode. Also, the policy has
> been slightly optimized and now requires minimum version of RHEL 6.4 (or
> clones of course).
>
> [..]
> Comments?


Dominic Cleal
Red Hat Engineering