Task #563

closed

Contribute SELinux policy for Pulp and Celery workers/beat to fedora-selinux

Added by bmbouter about 9 years ago. Updated almost 5 years ago.

Status: CLOSED - WONTFIX
Priority: High
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:

Description

The SELinux policy is 100% downstream, and it should be contributed back upstream so less is carried by Pulp specifically. Rather than submitting it to Celery directly we can have it included in fedora-selinux. In fact, we can have both the generic celery policy and the specific to pulp portion of the policy live in fedora-selinux.

A user in #selinux on freenode offered two suggestions.

1. Merge the pulp-server and pulp-celery selinux packages into one
2. Contribute as much of that merged policy back to fedora-selinux

That user offered the following first-cut at merging the two policies. It's incomplete but a good start.

# pulp.fc (file contexts)
/etc/pki/pulp(/.*)? gen_context(system_u:object_r:pulp_cert_t,s0)
/etc/pulp(/.*)? gen_context(system_u:object_r:pulp_conf_t,s0)

/usr/bin/celery -- gen_context(system_u:object_r:celery_exec_t,s0)

/srv/pulp(/.*)? gen_context(system_u:object_r:pulp_var_cache_t,s0)

/var/cache/pulp(/.*)? gen_context(system_u:object_r:pulp_var_cache_t,s0)

/var/lib/pulp(/.*)? gen_context(system_u:object_r:pulp_var_lib_t,s0)

/var/log/pulp(/.*)? gen_context(system_u:object_r:pulp_var_log_t,s0)

/var/run/pulp(/.*)? gen_context(system_u:object_r:pulp_var_run_t,s0)

# pulp.te (type enforcement)
policy_module(pulp, 0.0.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Determine whether pulp can manage puppet config.
## </p>
## </desc>
gen_tunable(pulp_manage_puppet, false)

type celery_t;
type celery_exec_t;
init_daemon_domain(celery_t, celery_exec_t)

# declared and labelled in the .fc, but no rule grants celery_t access to it yet
type pulp_cert_t;
miscfiles_cert_type(pulp_cert_t)

type pulp_conf_t;
files_config_file(pulp_conf_t)

type pulp_tmp_t;
files_tmp_file(pulp_tmp_t)

type pulp_var_cache_t;
files_type(pulp_var_cache_t)

type pulp_var_lib_t;
files_type(pulp_var_lib_t)

type pulp_var_log_t;
logging_log_file(pulp_var_log_t)

type pulp_var_run_t;
files_pid_file(pulp_var_run_t)

########################################
#
# Policy
#

allow celery_t self:process { setsched signal signull };
allow celery_t self:tcp_socket create_stream_socket_perms;

allow celery_t pulp_conf_t:dir list_dir_perms;
allow celery_t pulp_conf_t:file read_file_perms;
allow celery_t pulp_conf_t:lnk_file read_lnk_file_perms;

allow celery_t pulp_tmp_t:file manage_file_perms;
allow celery_t pulp_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(celery_t, pulp_tmp_t, dir)

allow celery_t pulp_var_cache_t:file manage_file_perms;
allow celery_t pulp_var_cache_t:dir manage_dir_perms;
files_var_filetrans(celery_t, pulp_var_cache_t, dir)

allow celery_t pulp_var_lib_t:file manage_file_perms;
allow celery_t pulp_var_lib_t:dir manage_dir_perms;
files_var_lib_filetrans(celery_t, pulp_var_lib_t, dir)

create_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
append_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
setattr_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
read_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)

allow celery_t pulp_var_run_t:file manage_file_perms;
allow celery_t pulp_var_run_t:dir manage_dir_perms;
files_pid_filetrans(celery_t, pulp_var_run_t, dir)

kernel_read_system_state(celery_t)

corecmd_exec_bin(celery_t)
corecmd_exec_shell(celery_t)

corenet_tcp_connect_all_ports(celery_t)
corenet_tcp_bind_all_ports(celery_t)
corenet_tcp_bind_generic_node(celery_t)

fs_getattr_xattr_fs(celery_t)

auth_use_nsswitch(celery_t)

libs_exec_ldconfig(celery_t)

logging_send_syslog_msg(celery_t)

miscfiles_manage_generic_cert_dirs(celery_t)
miscfiles_read_localization(celery_t)

optional_policy(`
    tunable_policy(`pulp_manage_puppet',`
        # create me upstream
        # puppet_manage_config(celery_t)
    ')
')

optional_policy(`
    gpg_exec(celery_t)
')

optional_policy(`
    rpm_exec(celery_t)
')
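A consistency check for a merged .fc/.te pair like the first cut above, added here as an example and not code from the ticket or the Pulp project: it reports types the file contexts label but the .te never declares, types the .te references without declaring, and declared types nothing uses. The excerpt it runs on is constructed with deliberate pulse_/pulp_ mismatches; the function names are assumptions.

```python
import re

# Constructed excerpt of a refpolicy-style .fc file (not the real Pulp policy).
# Two deliberate mistakes: a "pulse_" typo and a log type the .te never declares.
SAMPLE_FC = """
/etc/pulp(/.*)?        gen_context(system_u:object_r:pulp_conf_t,s0)
/usr/bin/celery   --   gen_context(system_u:object_r:celery_exec_t,s0)
/var/cache/pulp(/.*)?  gen_context(system_u:object_r:pulse_var_cache_t,s0)
/var/log/pulp(/.*)?    gen_context(system_u:object_r:pulp_var_log_t,s0)
"""

# Constructed excerpt of the matching .te file: the log type is declared
# under one name and used under another, so neither side lines up.
SAMPLE_TE = """
policy_module(pulp, 0.0.1)
type celery_t;
type celery_exec_t;
init_daemon_domain(celery_t, celery_exec_t)
type pulp_conf_t;
files_config_file(pulp_conf_t)
type pulp_var_cache_t;
files_type(pulp_var_cache_t)
type pulse_var_log_t;
logging_log_file(pulp_var_log_t)
"""

TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[;,]", re.M)  # `type foo_t;` or `type foo_t, attr;`
FC_TYPE = re.compile(r"gen_context\(\w+:\w+:(\w+),")      # type field of a gen_context()
TYPE_USE = re.compile(r"\b(\w+_t)\b")                     # any *_t token used in a rule

def declared_types(te):
    return set(TYPE_DECL.findall(te))

def fc_types(fc):
    return set(FC_TYPE.findall(fc))

def referenced_types(te):
    # *_t tokens on non-comment lines that are not the declaration itself
    used = set()
    for line in te.splitlines():
        if line.lstrip().startswith("#") or TYPE_DECL.match(line):
            continue
        used.update(TYPE_USE.findall(line))
    return used

def check_policy(fc, te):
    declared, in_fc, used = declared_types(te), fc_types(fc), referenced_types(te)
    return {
        "fc_undeclared": sorted(in_fc - declared),  # labels semodule would refuse to load
        "te_undeclared": sorted(used - declared),   # rules checkmodule would reject
        "unused": sorted(declared - used - in_fc),  # likely typo in a declaration
    }

if __name__ == "__main__":
    for problem, types in check_policy(SAMPLE_FC, SAMPLE_TE).items():
        print(f"{problem}: {', '.join(types) or 'none'}")
```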
#1

Updated by bmbouter about 9 years ago

Two things that should be done along with this work:

1. Have the downstream derivative contexts named pulp_worker_t and pulp_celerybeat_t, and reserve celery_worker_t and celery_beat_t for upstream. It would be wrong for pulp to claim the celery context in the SELinux namespace.

2. Move all pulp-celery statements into pulp-server, and delete pulp-server. It's ok for one policy to install multiple contexts. It will install faster, and require less automation maintenance.

(This comment was cloned from Bugzilla #1148998 comment 1.)

#2

Updated by bmbouter over 8 years ago

  • Subject changed from Contribute SELinux policy for Celery workers and celerybeat upstream to Contribute SELinux policy for Pulp and Celery workers/beat to fedora-selinux
  • Description updated (diff)
  • Groomed set to No
  • Sprint Candidate set to No
#4

Updated by bmbouter almost 8 years ago

  • Parent issue set to #1826
#5

Updated by bmbouter almost 8 years ago

  • Tags SELinux added
#6

Updated by bmbouter almost 8 years ago

  • Parent issue deleted (#1826)
#7

Updated by dkliban@redhat.com over 7 years ago

  • Sprint Candidate changed from No to Yes
#8

Updated by amacdona@redhat.com over 5 years ago

  • Sprint Candidate changed from Yes to No
#9

Updated by bmbouter almost 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
#10

Updated by bmbouter almost 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#11

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
