The pulp-celery policy allows arbitrary read/write abilities to all pid files and tmp files. This is a scary amount of permissions, when all we really need is the ability to manage the pid and tmp files associated with the celery_t process itself. To accomplish this, we should introduce two new security types: celery_tmp_t and celery_run_t. We can do that with the following statements:

type celery_run_t;
files_pid_file(celery_run_t)

type celery_tmp_t;
files_tmp_file(celery_tmp_t)

Then we need to allow the management of these files with statements like:

allow celery_t celery_tmp_t:file manage_file_perms;
files_tmp_filetrans(celery_t, celery_tmp_t, file)

allow celery_t celery_run_t:file manage_file_perms;
files_pid_filetrans(celery_t, celery_run_t, file)
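Added example (not taken from the bug report or from the Pulp policy itself) showing the statements above assembled into a minimal refpolicy module; the dir-level rules, the /var/run/celery path and the module name are assumptions:

```m4
# celery.te (added example, assumed module name)
policy_module(celery, 1.0.0)

require {
    type celery_t;          # the existing celery daemon domain
}

# Private types for celery's own pid and tmp files, so the domain no
# longer needs access to every pid/tmp file on the system.
type celery_run_t;
files_pid_file(celery_run_t)

type celery_tmp_t;
files_tmp_file(celery_tmp_t)

# celery_t may create, read, write, rename and unlink only objects
# labelled with its two private types (dir perms are an assumption,
# needed when the daemon creates its own subdirectories).
allow celery_t celery_run_t:file manage_file_perms;
allow celery_t celery_run_t:dir  manage_dir_perms;
allow celery_t celery_tmp_t:file manage_file_perms;
allow celery_t celery_tmp_t:dir  manage_dir_perms;

# Objects celery_t creates under /var/run and /tmp are labelled with
# the private types automatically, so no post-hoc relabel is needed.
files_pid_filetrans(celery_t, celery_run_t, { file dir })
files_tmp_filetrans(celery_t, celery_tmp_t, { file dir })

# celery.fc (assumed path): keeps restorecon in agreement with the
# runtime transitions for the persistent pid directory.
#   /var/run/celery(/.*)?  gen_context(system_u:object_r:celery_run_t,s0)
#
# Build, install and verify the domain can no longer write generic
# pid/tmp files (only celery_run_t/celery_tmp_t should be listed):
#   make -f /usr/share/selinux/devel/Makefile celery.pp
#   semodule -i celery.pp
#   sesearch -A -s celery_t -c file -p write
```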
*** Bug 1138814 has been marked as a duplicate of this bug. ***
Moved to https://pulp.plan.io/issues/594