The SELinux policy is 100% downstream, and it should be contributed back upstream. Some portion of this policy is specific to Pulp tasks, and some portion of the policy is specific to celery startup behavior on systemd and upstart.
The upstream celery contribution should create containers celery_worker_t and celery_celerybeat_t. Our downstream policy should extend these with the Pulp-specific extensions.
We also should define a separate context for celery versus celerybeat.
Two things that should be done along with this work:
1. Have the downstream derivative contexts named pulp_worker_t and pulp_celerybeat_t, and reserve celery_worker_t and celery_beat_t for upstream. It would be wrong for pulp to claim the celery context in the SELinux namespace.
2. Move all pulp-celery statements into pulp-server, and delete pulp-server. It's ok for one policy to install multiple contexts. It will install faster, and require less automation maintenance.
Moved to https://pulp.plan.io/issues/563