Task #563

Contribute SELinux policy for Pulp and Celery workers/beat to fedora-selinux

Added by bmbouter over 5 years ago. Updated over 1 year ago.

Status: CLOSED - WONTFIX
Priority: High
Assignee: -
Category: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:

Description

The SELinux policy is 100% downstream, and it should be contributed back upstream so less is carried by Pulp specifically. Rather than submitting it to Celery directly we can have it included in fedora-selinux. In fact, we can have both the generic celery policy and the specific to pulp portion of the policy live in fedora-selinux.

A user in #selinux on freenode offered two suggestions.

1. Merge the pulp-server and pulp-celery selinux packages into one
2. Contribute as much of that merged policy back to fedora-selinux

That user offered the following first-cut at merging the two policies. It's incomplete but a good start.

# pulp.fc (file contexts)
/etc/pki/pulp(/.*)? gen_context(system_u:object_r:pulp_cert_t,s0)
/etc/pulp(/.*)? gen_context(system_u:object_r:pulp_conf_t,s0)

/usr/bin/celery -- gen_context(system_u:object_r:celery_exec_t,s0)

# was pulse_var_cache_t (typo); no such type is declared in the .te
/srv/pulp(/.*)? gen_context(system_u:object_r:pulp_var_cache_t,s0)

/var/cache/pulp(/.*)? gen_context(system_u:object_r:pulp_var_cache_t,s0)

/var/lib/pulp(/.*)? gen_context(system_u:object_r:pulp_var_lib_t,s0)

/var/log/pulp(/.*)? gen_context(system_u:object_r:pulp_var_log_t,s0)

/var/run/pulp(/.*)? gen_context(system_u:object_r:pulp_var_run_t,s0)

# pulp.te (type enforcement)
policy_module(pulp, 0.0.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Determine whether pulp can manage puppet config.
## </p>
## </desc>
gen_tunable(pulp_manage_puppet, false)

# celery_t is the process domain; celery_exec_t is the entrypoint binary
type celery_t;
type celery_exec_t;
init_daemon_domain(celery_t, celery_exec_t)

type pulp_cert_t;
miscfiles_cert_type(pulp_cert_t)

type pulp_conf_t;
files_config_file(pulp_conf_t)

type pulp_tmp_t;
files_tmp_file(pulp_tmp_t)

type pulp_var_cache_t;
files_type(pulp_var_cache_t)

type pulp_var_lib_t;
files_type(pulp_var_lib_t)

# was "type pulse_var_log_t;", which left pulp_var_log_t undeclared
type pulp_var_log_t;
logging_log_file(pulp_var_log_t)

type pulp_var_run_t;
files_pid_file(pulp_var_run_t)

########################################
#
# Policy
#

allow celery_t self:process { setsched signal signull };
allow celery_t self:tcp_socket create_stream_socket_perms;

# read-only access to /etc/pulp; each rule needs its object class
allow celery_t pulp_conf_t:dir list_dir_perms;
allow celery_t pulp_conf_t:file read_file_perms;
allow celery_t pulp_conf_t:lnk_file read_lnk_file_perms;

allow celery_t pulp_tmp_t:file manage_file_perms;
allow celery_t pulp_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(celery_t, pulp_tmp_t, dir)

allow celery_t pulp_var_cache_t:file manage_file_perms;
allow celery_t pulp_var_cache_t:dir manage_dir_perms;
files_var_filetrans(celery_t, pulp_var_cache_t, dir)

allow celery_t pulp_var_lib_t:file manage_file_perms;
allow celery_t pulp_var_lib_t:dir manage_dir_perms;
files_var_lib_filetrans(celery_t, pulp_var_lib_t, dir)

# logs are created and appended to, never rewritten in place
create_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
append_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
setattr_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
read_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)

allow celery_t pulp_var_run_t:file manage_file_perms;
allow celery_t pulp_var_run_t:dir manage_dir_perms;
files_pid_filetrans(celery_t, pulp_var_run_t, dir)

kernel_read_system_state(celery_t)

corecmd_exec_bin(celery_t)
corecmd_exec_shell(celery_t)

corenet_tcp_connect_all_ports(celery_t)
corenet_tcp_bind_all_ports(celery_t)
corenet_tcp_bind_generic_node(celery_t)

fs_getattr_xattr_fs(celery_t)

auth_use_nsswitch(celery_t)

libs_exec_ldconfig(celery_t)

logging_send_syslog_msg(celery_t)

miscfiles_manage_generic_cert_dirs(celery_t)
miscfiles_read_localization(celery_t)

optional_policy(`
    tunable_policy(`pulp_manage_puppet',`
        # create me upstream
        # puppet_manage_config(celery_t)
    ')
')

optional_policy(`
    gpg_exec(celery_t)
')

optional_policy(`
    rpm_exec(celery_t)
')
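A small consistency check for a .te/.fc pair, added here as an example (it is not from the ticket, the Pulp project, or fedora-selinux): it cross-references the types declared in the .te against the contexts an .fc assigns and the types named in allow rules, which catches the slips a first-cut merge like the one above tends to carry (a misspelled type in a file context, a declaration that matches nothing, an allow rule missing its object class). The sample inputs and the function name lint_policy are constructed for this example.

```python
import re

# Constructed sample mirroring the shape of the first-cut policy in this ticket
# (not the full snippet): a misspelled type in the .fc, a declaration that
# matches nothing, and an allow rule with no object class.
SAMPLE_FC = """
/etc/pulp(/.*)?      gen_context(system_u:object_r:pulp_conf_t,s0)
/srv/pulp(/.*)?      gen_context(system_u:object_r:pulse_var_cache_t,s0)
/var/log/pulp(/.*)?  gen_context(system_u:object_r:pulp_var_log_t,s0)
"""
SAMPLE_TE = """
policy_module(pulp, 0.0.1)
type celery_t;
type pulp_conf_t;
type pulp_var_cache_t;
type pulse_var_log_t;
allow celery_t self:process { setsched signal };
allow celery_t pulp_conf_t list_dir_perms;
allow celery_t pulp_var_cache_t:dir manage_dir_perms;
allow celery_t pulp_var_log_t:file append_file_perms;
"""

TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[;,]", re.M)         # type foo_t;
FC_CTX = re.compile(r"gen_context\(\w+:\w+:(\w+),")               # ...:foo_t,s0)
ALLOW = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)(:\w+)?\s", re.M)   # allow src tgt:cls


def lint_policy(te_text, fc_text):
    """Cross-check a .te/.fc pair and return a sorted list of problem strings."""
    declared = set(TYPE_DECL.findall(te_text))
    known = declared | {"self"}  # 'self' is a pseudo-target, never declared
    fc_types = set(FC_CTX.findall(fc_text))
    problems = set()
    # 1. every type an .fc entry labels with must be declared in the .te
    for t in fc_types - known:
        problems.add(f"fc: type {t} is not declared in the .te")
    # 2. allow rules must name declared types and carry an object class
    for src, tgt, cls in ALLOW.findall(te_text):
        for t in (src, tgt):
            if t not in known:
                problems.add(f"allow: type {t} is not declared")
        if not cls:
            problems.add(f"allow {src} {tgt}: missing object class")
    # 3. a declared type that nothing labels or references is usually a typo
    for t in declared:
        uses = len(re.findall(rf"\b{t}\b", te_text)) - 1  # minus its own declaration
        if uses == 0 and t not in fc_types:
            problems.add(f"te: type {t} is declared but never used")
    return sorted(problems)
```

Run against the real pulp.fc and pulp.te before building the module; a clean pair returns an empty list.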

History

#1 Updated by bmbouter over 5 years ago

Two things that should be done along with this work:

1. Have the downstream derivative contexts named pulp_worker_t and pulp_celerybeat_t, and reserve celery_worker_t and celery_beat_t for upstream. It would be wrong for pulp to claim the celery context in the SELinux namespace.

2. Move all pulp-celery statements into pulp-server, and delete pulp-server. It's ok for one policy to install multiple contexts. It will install faster, and require less automation maintenance.

This comment was cloned from Bugzilla #1148998 comment 1

#2 Updated by bmbouter almost 5 years ago

  • Subject changed from Contribute SELinux policy for Celery workers and celerybeat upstream to Contribute SELinux policy for Pulp and Celery workers/beat to fedora-selinux
  • Description updated (diff)
  • Groomed set to No
  • Sprint Candidate set to No

#4 Updated by bmbouter over 4 years ago

  • Parent task set to #1826

#5 Updated by bmbouter over 4 years ago

  • Tags SELinux added

#6 Updated by bmbouter over 4 years ago

  • Parent task deleted (#1826)

#7 Updated by dkliban@redhat.com almost 4 years ago

  • Sprint Candidate changed from No to Yes

#8 Updated by amacdona@redhat.com almost 2 years ago

  • Sprint Candidate changed from Yes to No

#9 Updated by bmbouter over 1 year ago

  • Status changed from NEW to CLOSED - WONTFIX

#10 Updated by bmbouter over 1 year ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#11 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added
