Bug 1148998

Summary: Contribute SELinux policy for Celery workers and celerybeat upstream
Product: [Retired] Pulp
Reporter: Brian Bouterse <bmbouter>
Component: z_other
Assignee: pulp-bugs
Status: CLOSED UPSTREAM
QA Contact: pulp-qe-list
Severity: low
Docs Contact:
Priority: high
Version: Master
CC: cduryee, mhrivnak
Target Milestone: ---
Keywords: Task, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-28 22:38:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Brian Bouterse 2014-10-02 21:15:01 UTC
The SELinux policy is 100% downstream, and it should be contributed back upstream. Some portion of this policy is specific to Pulp tasks, and some portion of the policy is specific to celery startup behavior on systemd and upstart.

The upstream celery contribution should create containers celery_worker_t and celery_celerybeat_t. Our downstream policy should extend these with the Pulp specific extensions.

We also should define a separate context for celery versus celerybeat.

Comment 1 Brian Bouterse 2014-10-16 19:47:10 UTC
Two things that should be done along with this work:

1. Have the downstream derivative contexts named pulp_worker_t and pulp_celerybeat_t and reserve celery_worker_t and celery_beat_t for upstream. It would be wrong for pulp to claim the celery context in the SELinux namespace.

2. Move all pulp-celery statements into pulp-server, and delete pulp-server. It's ok for one policy to install multiple contexts. It will install faster, and require less automation maintenance.
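
A check a policy maintainer would want once the split described in the description and comment 1 is in place: confirm that worker and celerybeat processes actually run in separate, expected domains. This is an added example, not code from Pulp or Celery; it parses `ps -eo label,pid,args` output (the sample below is constructed) and flags any celery process whose domain is not one of the accepted types named in this bug.

```python
import re

# Accepted SELinux domains per celery role. The celery_* names are the
# upstream types proposed in this bug; the pulp_* names are the downstream
# derivatives from comment 1 (both spellings of the beat type are listed).
EXPECTED = {
    "worker": {"celery_worker_t", "pulp_worker_t"},
    "beat": {"celery_celerybeat_t", "celery_beat_t", "pulp_celerybeat_t"},
}


def role_of(args):
    """Classify a command line as a celery 'worker' or 'beat' process, else None."""
    if re.search(r"\bcelery\b.*\bworker\b", args):
        return "worker"
    if re.search(r"\bcelery\b.*\bbeat\b", args):
        return "beat"
    return None


def parse_ps_line(line):
    """Parse one `ps -eo label,pid,args` line into (domain_type, pid, args)."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    label, pid, args = parts
    fields = label.split(":")          # user:role:type:range
    if len(fields) < 3 or not pid.isdigit():
        return None
    return fields[2], int(pid), args


def find_misconfined(ps_output):
    """Return (pid, role, domain) for celery processes outside their accepted domain."""
    bad = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:             # header line or unparsable row
            continue
        domain, pid, args = parsed
        role = role_of(args)
        if role and domain not in EXPECTED[role]:
            bad.append((pid, role, domain))
    return bad


# Constructed sample of `ps -eo label,pid,args` output; app names are placeholders.
SAMPLE_PS = """LABEL PID COMMAND
system_u:system_r:celery_worker_t:s0 1201 /usr/bin/python /usr/bin/celery worker -A myapp -n resource-0@host
system_u:system_r:celery_worker_t:s0 1202 /usr/bin/python /usr/bin/celery beat --app=myapp
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1300 /usr/bin/celery worker -A myapp
system_u:system_r:httpd_t:s0 900 /usr/sbin/httpd -DFOREGROUND
"""
```

Here pid 1202 is reported because celerybeat is running in the worker domain rather than its own, and pid 1300 because a worker is unconfined.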

Comment 2 Brian Bouterse 2015-02-28 22:38:05 UTC
Moved to https://pulp.plan.io/issues/563