Pulp

The SELinux policy is 100% downstream, and it should be contributed back upstream so less is carried by Pulp specifically. Rather than submitting it to Celery directly we can have it included in fedora-selinux. In fact, we can have both the generic celery policy and the specific to pulp portion of the policy live in fedora-selinux.

A user in #selinux on freenode offered two suggestions.

1. Merge the pulp-server and pulp-celery selinux packages into one
2. Contribute as much of that merged policy back to fedora-selinux

That user offered the following first-cut at merging the two policies. It's incomplete but a good start.

/etc/pki/pulp(/.*)? gen_context(system_u:object_r:pulp_cert_t,s0)
/etc/pulp(/.*)? gen_context(system_u:object_r:pulp_conf_t,s0)

/usr/bin/celery -- gen_context(system_u:object_r:celery_exec_t,s0)

/srv/pulp(/.*)? gen_context(system_u:object_r:pulse_var_cache_t,s0)

/var/cache/pulp(/.*)? gen_context(system_u:object_r:pulp_var_cache_t,s0)

/var/lib/pulp(/.*)? gen_context(system_u:object_r:pulp_var_lib_t,s0)

/var/log/pulp(/.*)? gen_context(system_u:object_r:pulp_var_log_t,s0)

/var/run/pulp(/.*)? gen_context(system_u:object_r:pulp_var_run_t,s0)
policy_module(pulp, 0.0.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Determine whether pulp can manage puppet config.
## </p>
## </desc>
gen_tunable(pulp_manage_puppet, false)

type celery_t;
type celery_exec_t;
init_daemon_domain(celery_t, celery_exec_t)

type pulp_cert_t;
miscfiles_cert_type(pulp_cert_t)

type pulp_conf_t;
files_config_file(pulp_conf_t)

type pulp_tmp_t;
files_tmp_file(pulp_tmp_t)

type pulp_var_cache_t;
files_type(pulp_var_cache_t)

type pulp_var_lib_t;
files_type(pulp_var_lib_t)

type pulse_var_log_t;
logging_log_file(pulp_var_log_t)

type pulp_var_run_t;
files_pid_file(pulp_var_run_t)

########################################
#
# Policy
#

allow celery_t self:process { setsched signal signull };
allow celery_t self:tcp_socket create_stream_socket_perms;

allow celery_t pulp_conf_t list_dir_perms;
allow celery_t pulp_conf_t read_file_perms;
allow celery_t pulp_conf_t read_lnk_file_perms;

allow celery_t pulp_tmp_t:file manage_file_perms;
allow celery_t pulp_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(celery_t, pulp_tmp_t, dir)

allow celery_t pulp_var_cache_t:file manage_file_perms;
allow celery_t pulp_var_cache_t:dir manage_dir_perms;
files_var_filetrans(celery_t, pulp_var_cache_t, dir)

allow celery_t pulp_var_lib_t:file manage_file_perms;
allow celery_t pulp_var_lib_t:dir manage_dir_perms;
files_var_lib_filetrans(celery_t, pulp_var_lib_t, dir)

create_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
append_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
setattr_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
read_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)

allow celery_t pulp_var_run_t:file manage_file_perms;
allow celery_t pulp_var_run_t:dir manage_dir_perms;
files_pid_filetrans(celery_t, pulp_var_run_t, dir)

kernel_read_system_state(celery_t)

corecmd_exec_bin(celery_t)
corecmd_exec_shell(celery_t)

corenet_tcp_connect_all_ports(celery_t)
corenet_tcp_bind_all_ports(celery_t)
corenet_tcp_bind_generic_node(celery_t)

fs_getattr_xattr_fs(celery_t)

auth_use_nsswitch(celery_t)

libs_exec_ldconfig(celery_t)

logging_send_syslog_msg(celery_t)

miscfiles_manage_generic_cert_dirs(celery_t)
miscfiles_read_localization(celery_t)

optional_policy(`
    tunable_policy(`pulp_manage_puppet',`
        # create me upstream
        # puppet_manage_config(celery_t)
    ')
')

optional_policy(`
    gpg_exec(celery_t)
')

optional_policy(`
    rpm_exec(celery_t)
')