
Allow pulpcore_server_t to manage gunicorn control socket in pulpcore_server_var_lib_t #96

Closed
zjhuntin wants to merge 1 commit into pulp:main from zjhuntin:fix-gunicorn-ctl-selinux

Conversation

@zjhuntin

Allow pulpcore_server_t to manage gunicorn control socket in pulpcore_server_var_lib_t

Gunicorn >= 25.1.0 introduces a control socket, defaulting to $HOME/gunicorn.ctl. For the pulp user, HOME is /var/lib/pulp, so the socket lands at /var/lib/pulp/gunicorn.ctl.

pulpcore-api and pulpcore-content run as pulpcore_server_t, which had no policy rule covering sock_files in /var/lib/pulp. This caused AVC denials on { create setattr getattr unlink } operations. All denials are permissive=1 so nothing breaks at runtime, but ausearch catches them and fb-verify-selinux.bats fails as a result.

Fix: extend the existing filetrans_pattern to transition sock_files created by pulpcore_server_t in pulpcore_var_lib_t to the more specific pulpcore_server_var_lib_t label, then add manage_sock_files_pattern on that type. This is narrower than allowing sock_file operations on pulpcore_var_lib_t directly, which would cover all of /var/lib/pulp including GPG sockets.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
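An added example, not code from the PR or from the pulpcore SELinux policy: a shell helper that collapses AVC records like the ones the description and the review discuss into one line per (source type, target type, object class) with the union of denied permissions, plus a sesearch check for the two rules the fix introduces (the type transition to pulpcore_server_var_lib_t and the allow rule on that type). The audit lines are constructed; the sesearch options are standard setools flags, and checking only the create and unlink permissions is an assumption drawn from the denials listed.

```shell
#!/bin/sh
# Added example, not code from the PR or from pulpcore-selinux: summarise the AVC
# denials described above and, where setools is installed, check that the policy
# carries the sock_file transition and allow rule. The audit lines are constructed.
SAMPLE_AVC='type=AVC msg=audit(1777567890.101:2001): avc:  denied  { create } for  pid=2101 comm="gunicorn" name="gunicorn.ctl" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:pulpcore_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1777567890.102:2002): avc:  denied  { setattr } for  pid=2101 comm="gunicorn" name="gunicorn.ctl" dev="dm-0" ino=4242 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:pulpcore_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1777567890.103:2003): avc:  denied  { getattr } for  pid=2101 comm="gunicorn" path="/var/lib/pulp/gunicorn.ctl" dev="dm-0" ino=4242 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:pulpcore_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1777567899.500:2050): avc:  denied  { unlink } for  pid=2101 comm="gunicorn" name="gunicorn.ctl" dev="dm-0" ino=4242 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:pulpcore_var_lib_t:s0 tclass=sock_file permissive=1'

# One line per (source type, target type, class) with the union of denied permissions,
# which is the shape a policy rule has to cover.
avc_summary() {
  awk '
    /avc:[ ]+denied/ {
      perms = ""; s = ""; t = ""; c = ""; p = ""
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")        { split(kv[2], a, ":"); s = a[3] }
        else if (kv[1] == "tcontext")   { split(kv[2], a, ":"); t = a[3] }
        else if (kv[1] == "tclass")     c = kv[2]
        else if (kv[1] == "permissive") p = kv[2]
      }
      key = s " " t " " c
      n = split(perms, pl, " ")
      for (j = 1; j <= n; j++)
        if (index(" " seen[key] " ", " " pl[j] " ") == 0)
          seen[key] = (seen[key] == "" ? pl[j] : seen[key] " " pl[j])
      mode[key] = p
    }
    END { for (k in seen) printf "%s { %s } permissive=%s\n", k, seen[k], mode[k] }
  ' | sort
}

# Post-fix policy check with setools: 0 if both rules exist, 1 if either is missing,
# 2 if sesearch is not installed (nothing was checked).
check_policy() {
  command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed, skipping" >&2; return 2; }
  # New sock_files created under pulpcore_var_lib_t must transition to the narrower type ...
  sesearch -T -s pulpcore_server_t -t pulpcore_var_lib_t -c sock_file \
    | grep -q pulpcore_server_var_lib_t || return 1
  # ... and the allow rule lives on that type, not on pulpcore_var_lib_t (GPG sockets etc.).
  sesearch -A -s pulpcore_server_t -t pulpcore_server_var_lib_t -c sock_file -p create,unlink \
    | grep -q allow
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
check_policy || true
```

Feed `ausearch -m AVC -c gunicorn -i` or raw audit.log lines into avc_summary on a real host; on a permissive=1 record the operation succeeded and only the audit trail shows the gap.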
@zjhuntin zjhuntin requested a review from evgeni April 30, 2026 16:31
Contributor

@Odilhao Odilhao left a comment


Review

Overall: looks correct and the approach is sound — a few notes below.

What the PR does

gunicorn >= 25.1.0 creates a control socket at $HOME/gunicorn.ctl. For the pulp user that resolves to /var/lib/pulp/gunicorn.ctl. pulpcore_server_t (the domain for pulpcore-api/content) had no sock_file permission in /var/lib/pulp, causing AVC denials on { create setattr getattr unlink }.

The fix:

  1. Extends the existing filetrans_pattern to include sock_file — so sockets created by pulpcore_server_t in pulpcore_var_lib_t are labeled pulpcore_server_var_lib_t instead.
  2. Adds manage_sock_files_pattern on that narrower type.

What's good

  • Correct scoping: using the file transition to pulpcore_server_var_lib_t rather than granting sock_file access directly on pulpcore_var_lib_t is the right call — it avoids accidentally covering GPG sockets and other unrelated sock_files under /var/lib/pulp.
  • Consistent style: manage_sock_files_pattern matches the macro convention used throughout the rest of the file.
  • Good comment: the inline explanation of why this is needed is useful.

Notes

  • manage vs. minimum necessary: the AVC denials only list { create setattr getattr unlink }, but manage_sock_files_pattern grants a superset (also read write rename link). This is fine — manage is the idiomatic level used everywhere else in this file and avoids chasing individual permissions if gunicorn's socket usage widens.

  • $HOME vs. $XDG_RUNTIME_DIR: the comment says the socket lands at /var/lib/pulp/gunicorn.ctl, which is correct for systemd services that don't set XDG_RUNTIME_DIR. Worth noting that gunicorn's actual lookup order is $XDG_RUNTIME_DIR/gunicorn.ctl → $HOME/.gunicorn/gunicorn.ctl → working directory. For standard bare-metal/VM deployments this path is correct.

  • Complementary fix upstream: we've also opened theforeman/puppet-pulpcore#403 to explicitly pass --control-socket /run/pulpcore-{api,content}/gunicorn.ctl to gunicorn in the systemd service templates. That routes the socket to the RuntimeDirectory-managed /run/ paths (already labeled pulpcore_server_var_run_t with existing sock_file transitions), keeping runtime sockets out of /var/lib/pulp for puppet-managed deployments. This SELinux fix is still needed as a safety net for other deployment methods (installer, manual, etc.).

Verdict

The change is minimal, correctly scoped, and fixes a real gap in the policy. Good to merge.

@zjhuntin
Author

closing in favor of theforeman/puppet-pulpcore#403

@zjhuntin zjhuntin closed this Apr 30, 2026