Bug 1138814 - pulp-selinux should not allow pulp-celery policy to manage pids
Summary: pulp-selinux should not allow pulp-celery policy to manage pids
Keywords:
Status: CLOSED DUPLICATE of bug 1158169
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: Master
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 2.6.0
Assignee: Brian Bouterse
QA Contact: pulp-qe-list
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-05 16:46 UTC by Brian Bouterse
Modified: 2014-11-19 15:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-28 19:19:23 UTC
Embargoed:



Description Brian Bouterse 2014-09-05 16:46:04 UTC
The SELinux definition allows celery to create any number of pid files with the line:

allow celery_t var_run_t:file { write getattr read create unlink open };

This permission should be removed, and a new type introduced so that these permissions can target that specific filesystem label.
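The change the report asks for, shown as a minimal SELinux policy module. This is an added illustration, not Pulp's own policy: the type name celery_var_run_t and the /var/run/pulp path are assumptions; celery_t and var_run_t are the types named in the report.

```selinux
# Added example, not from the Pulp project. Assumptions: the new type name
# celery_var_run_t and the pid directory /var/run/pulp.
policy_module(pulp_celery_pids, 1.0)

require {
    type celery_t;
    type var_run_t;
}

# Before (the rule quoted in the report): celery_t may create, write and
# unlink ANY file labelled var_run_t, i.e. every pid file under /var/run.
# allow celery_t var_run_t:file { write getattr read create unlink open };

# After: a dedicated type for celery's own pid files ...
type celery_var_run_t;
files_pid_file(celery_var_run_t)

# ... which celery_t may manage (files and the containing directory),
manage_files_pattern(celery_t, celery_var_run_t, celery_var_run_t)
manage_dirs_pattern(celery_t, celery_var_run_t, celery_var_run_t)

# ... and anything celery_t creates directly under /var/run is labelled
# celery_var_run_t automatically, so other daemons' pid files stay
# unreachable. No allow rule on var_run_t:file remains.
files_pid_filetrans(celery_t, celery_var_run_t, { file dir })

# Matching file context entry, placed in the module's .fc file so that
# restorecon labels the directory on disk (path is an assumption):
#   /var/run/pulp(/.*)?    gen_context(system_u:object_r:celery_var_run_t,s0)
```

After building and loading the module, `sesearch -A -s celery_t -t var_run_t -c file` should return no rule, while `sesearch -A -s celery_t -t celery_var_run_t -c file` shows the narrowed permissions.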

Comment 1 Michael Hrivnak 2014-09-10 19:42:01 UTC
Attempt to fix this in 2.5.1, but if the changes are not appropriate for a z release, punt the changes to the next y or x release.

At least add the documentation/explanation in 2.5.1.

Comment 2 Brian Bouterse 2014-10-28 19:19:23 UTC
This bug is more comprehensively described in another bug [0]. That other bug also contains some more info on how to fix.

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1158169

*** This bug has been marked as a duplicate of bug 1158169 ***
