Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1158169

Summary: pulp-celery selinux can manage all tmp files and pid files, not just its own
Product: [Retired] Pulp
Reporter: Brian Bouterse <bmbouter>
Component: z_other
Assignee: Dennis Kliban <dkliban>
Status: CLOSED UPSTREAM
QA Contact: pulp-qe-list
Severity: medium
Docs Contact:
Priority: high
Version: Master
CC: dkliban, jortel
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-28 22:41:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Brian Bouterse 2014-10-28 19:06:06 UTC
The pulp-celery policy allows arbitrary read/write abilities to all pid files and tmp files. This is a scary amount of permissions, when all we really need is the ability to manage the pid and tmp files associated with the celery_t process itself.

To accomplish this, we should introduce two new security types: celery_tmp_t and celery_run_t. We can do that with the following statements:

type celery_run_t;
files_pid_file(celery_run_t)

type celery_tmp_t;
files_tmp_file(celery_tmp_t)

Then we need to allow the management of these files with statements like:

allow celery_t celery_tmp_t:file manage_file_perms;
files_tmp_filetrans(celery_t, celery_tmp_t, file)

allow celery_t celery_run_t:file manage_file_perms;
files_pid_filetrans(celery_t, celery_run_t, file)
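
The two private types and the transitions described above, assembled into one policy fragment as an added illustration; this is not code from the Pulp project or from this report. It assumes the fragment sits in the same .te module that already declares celery_t, and it goes a step beyond the file-only rules above by also covering directories, so that a scratch directory the worker creates under /tmp is labeled celery_tmp_t rather than inheriting the generic tmp_t label.

```selinux
# Added example: fragment for the existing celery policy module.
# Assumes celery_t is declared earlier in the same .te file.

# Private type for the worker's pid file under /var/run (/run).
type celery_run_t;
files_pid_file(celery_run_t)

# Private type for the worker's scratch files and directories under /tmp.
type celery_tmp_t;
files_tmp_file(celery_tmp_t)

# The worker may create, read, write, rename and delete only objects
# carrying its own tmp type; generic tmp_t objects stay out of reach.
allow celery_t celery_tmp_t:file manage_file_perms;
allow celery_t celery_tmp_t:dir manage_dir_perms;

# Files and directories the worker creates directly in /tmp are labeled
# celery_tmp_t instead of the parent directory's tmp_t.
files_tmp_filetrans(celery_t, celery_tmp_t, { file dir })

# Same pattern for the pid file: manage only celery_run_t, and label
# anything the worker creates in /var/run with that type.
allow celery_t celery_run_t:file manage_file_perms;
files_pid_filetrans(celery_t, celery_run_t, file)
```

After rebuilding and loading the module, `sesearch -A -s celery_t -t tmp_t -c file` should list no write-class permissions on generic tmp_t, while `sesearch -T -s celery_t -t tmp_t -c file` shows the transition to celery_tmp_t.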

Comment 1 Brian Bouterse 2014-10-28 19:19:23 UTC
*** Bug 1138814 has been marked as a duplicate of this bug. ***

Comment 2 Brian Bouterse 2015-02-28 22:41:38 UTC
Moved to https://pulp.plan.io/issues/594