Bug 1158169 - pulp-celery selinux can manage all tmp files and pid files, not just its own
Status: CLOSED UPSTREAM
Product: Pulp
Classification: Retired
Component: z_other
Version: Master
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Dennis Kliban
QA Contact: pulp-qe-list
Duplicates: 1138814
Reported: 2014-10-28 19:06 UTC by Brian Bouterse
Modified: 2015-02-28 22:41 UTC (History)
Doc Type: Bug Fix
Last Closed: 2015-02-28 22:41:38 UTC


Links: Pulp Redmine 594

Description Brian Bouterse 2014-10-28 19:06:06 UTC
The pulp-celery policy allows arbitrary read/write abilities to all pid files and tmp files. This is a scary amount of permissions, when all we really need is the ability to manage the pid and tmp files associated with the celery_t process itself.

To accomplish this, we should introduce two new security types: celery_tmp_t and celery_run_t. We can do that with the following statements:

type celery_run_t;
files_pid_file(celery_run_t)

type celery_tmp_t;
files_tmp_file(celery_tmp_t)

Then we need to allow the management of these files with statements like:

allow celery_t celery_tmp_t:file manage_file_perms;
files_tmp_filetrans(celery_t, celery_tmp_t, file)

allow celery_t celery_run_t:file manage_file_perms;
files_pid_filetrans(celery_t, celery_run_t, file)
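
As an added example (not code from the report or from the Pulp project): a shell script that writes the complete policy module the description sketches, plus a small sanity check that flags any celery type referenced in a .te file without a matching declaration, the kind of slip that makes checkmodule reject the module. The module name pulp_celery_files, the gen_require of celery_t and the mistyped negative case are assumptions and constructed input.

```shell
# Added example, not the Pulp project's policy. Assumptions: module name
# pulp_celery_files; celery_t is declared by the existing pulp-celery module.
write_fixed_module() {   # usage: write_fixed_module OUT.te
    cat > "$1" <<'EOF'
policy_module(pulp_celery_files, 1.0.0)

gen_require(`
    type celery_t;
')

# Private types for celery's own tmp and pid files.
type celery_tmp_t;
files_tmp_file(celery_tmp_t)

type celery_run_t;
files_pid_file(celery_run_t)

# celery_t may manage only these two types; files it creates under /tmp
# and /var/run are labelled with them by the type transitions.
allow celery_t celery_tmp_t:file manage_file_perms;
files_tmp_filetrans(celery_t, celery_tmp_t, file)

allow celery_t celery_run_t:file manage_file_perms;
files_pid_filetrans(celery_t, celery_run_t, file)
EOF
}
# Constructed negative case: declares celery_run_t but passes a different,
# undeclared name to files_pid_file().
write_mistyped_snippet() {   # usage: write_mistyped_snippet OUT.te
    cat > "$1" <<'EOF'
type celery_run_t;
files_pid_file(celery_var_run_t)
type celery_tmp_t;
files_tmp_file(celery_tmp_t)
EOF
}
# Pre-checkmodule sanity check: every celery*_t referenced in FILE must be
# declared by a "type X;" line (gen_require included). Returns 0 if clean.
lint_te() {   # usage: lint_te FILE.te
    declared=" $(sed -n 's/^[[:space:]]*type[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*;.*/\1/p' "$1" | tr '\n' ' ') "
    rc=0
    for t in $(grep -o 'celery[a-z_]*_t' "$1" | sort -u); do
        case "$declared" in
            *" $t "*) ;;
            *) echo "$1: undeclared type $t" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

Build the module with the refpolicy devel Makefile (make -f /usr/share/selinux/devel/Makefile) and load it with semodule -i; the existing broad rules on all tmp and pid files still have to be dropped for the narrowing to take effect.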

Comment 1 Brian Bouterse 2014-10-28 19:19:23 UTC
*** Bug 1138814 has been marked as a duplicate of this bug. ***

Comment 2 Brian Bouterse 2015-02-28 22:41:38 UTC
Moved to https://pulp.plan.io/issues/594
