Bug 1138814
| Summary: | pulp-selinux should not allow pulp-celery policy to manage pids | | |
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Brian Bouterse <bmbouter> |
| Component: | z_other | Assignee: | Brian Bouterse <bmbouter> |
| Status: | CLOSED DUPLICATE | QA Contact: | pulp-qe-list |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | Master | CC: | mhrivnak, rbarlow |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | 2.6.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-10-28 19:19:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Attempt to fix this in 2.5.1, but if the changes are not appropriate for a z release, punt the changes to the next y or x release. At least add the documentation/explanation in 2.5.1.

This bug is more comprehensively described in another bug [0]. That other bug also contains some more info on how to fix.

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1158169

*** This bug has been marked as a duplicate of bug 1158169 ***

The SELinux definition allows celery to create any number of pid files with the line:

`allow celery_t var_run_t:file { write getattr read create unlink open };`

This permission should be removed, and a new type introduced so that these permissions can target that specific filesystem label.
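As an added illustration of the fix the description proposes (not the Pulp project's own policy, and not taken from this bug or its duplicate), the broad rule is shown beside a small module that introduces a private pid-file type; the type name `pulp_celery_var_run_t`, the module name `pulp_celery_pid` and the path `/var/run/pulp` are assumptions.

```selinux
## --- Before: the rule quoted in the bug. celery_t may create, read,
## --- write and unlink ANY file labelled var_run_t, i.e. every pid
## --- file under /run, not just its own.
allow celery_t var_run_t:file { write getattr read create unlink open };

## --- After: pulp_celery_pid.te (hypothetical module name)
policy_module(pulp_celery_pid, 1.0)

require {
    type celery_t;
}

# Private label for Pulp's celery pid files (hypothetical type name).
# files_pid_file() registers it as a pid-file type so generic
# /run handling (tmpfiles, restorecon of var_run_t parents) still works.
type pulp_celery_var_run_t;
files_pid_file(pulp_celery_var_run_t)

# celery_t may manage dirs and files ONLY when they carry the new label.
manage_dirs_pattern(celery_t, pulp_celery_var_run_t, pulp_celery_var_run_t)
manage_files_pattern(celery_t, pulp_celery_var_run_t, pulp_celery_var_run_t)

# Anything celery_t creates directly in a var_run_t directory is
# automatically relabelled to the private type, so the process never
# ends up owning a plain var_run_t file.
files_pid_filetrans(celery_t, pulp_celery_var_run_t, { file dir })

## --- After: pulp_celery_pid.fc (assumed pid directory)
# /var/run/pulp(/.*)?  gen_context(system_u:object_r:pulp_celery_var_run_t,s0)

## --- Build, load and check (comments only; requires selinux-policy-devel):
# make -f /usr/share/selinux/devel/Makefile pulp_celery_pid.pp
# semodule -i pulp_celery_pid.pp && restorecon -Rv /var/run/pulp
# sesearch -A -s celery_t -t var_run_t -c file   # expect no create/unlink
```

Once the old allow line is removed from the base pulp-selinux policy, `sesearch` should show celery_t with create/unlink only on the private type, which is the check a reviewer would run against the fix.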