Skip to content

Use pulpcore-worker entrypoint directly, without a wrapper #383

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
evgeni merged 1 commit into from
Jun 24, 2025
Merged

Use pulpcore-worker entrypoint directly, without a wrapper #383

evgeni merged 1 commit into from
Jun 24, 2025

Conversation

@evgeni
Copy link
Member

@evgeni evgeni commented Jun 24, 2025

Since pulpcore 3.13 the worker has an own "binary" (Python entrypoint), that is correctly labeled as pulpcore_exec_t (since pulpcore-selinux 2.0.1) and thus the workaround with an wrapper is not necessary anymore.

It's actually harmful, as the wrapper is labeled pulpcore_exec_t, so on execution it auto-transitions into pulpcore_t, but then it wants to execute /usr/bin/pulpcore-worker, which is again pulpcore_exec_t but pulpcore_t is not allowed to transition to pulpcore_exec_t and you get

denied  { execute_no_trans } for comm="pulpcore-worker" path="/usr/bin/pulpcore-worker" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:pulpcore_exec_t:s0 tclass=file

Fixes: 137128e

@evgeni
Use pulpcore-worker entrypoint directly, without a wrapper
34c4a9b 
Since pulpcore 3.13 the worker has an own "binary" (Python entrypoint),
that is correctly labeled as pulpcore_exec_t (since pulpcore-selinux
2.0.1) and thus the workaround with an wrapper is not necessary anymore.

It's actually harmful, as the wrapper is labeled pulpcore_exec_t, so on
execution it auto-transitions into pulpcore_t, but then it wants to
execute /usr/bin/pulpcore-worker, which is again pulpcore_exec_t but
pulpcore_t is not allowed to transition to pulpcore_exec_t and you get

    denied  { execute_no_trans } for comm="pulpcore-worker" path="/usr/bin/pulpcore-worker" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:pulpcore_exec_t:s0 tclass=file

Fixes: 137128e
ekohl
ekohl approved these changes Jun 24, 2025
View reviewed changes
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On my phone so harder to check. What creates the libexec wrapper? Should we clean those up too?

@evgeni
Copy link
Member Author

evgeni commented Jun 24, 2025

The packaging, will clean up there later, yes.

@evgeni evgeni mentioned this pull request Jun 24, 2025
Merged
@evgeni evgeni added the Bug Something isn't working label Jun 24, 2025
@evgeni evgeni merged commit 5e1d0fd into master Jun 24, 2025
21 checks passed
@evgeni evgeni deleted the direct-worker branch June 24, 2025 08:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ekohl ekohl ekohl approved these changes

Assignees

No one assigned

Labels

Bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@evgeni @ekohl