Issue #594

pulp-celery selinux can manage all tmp files and pid files, not just its own

Added by bmbouter over 9 years ago. Updated over 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Master
Platform Release:
2.7.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

The pulp-celery policy allows arbitrary read/write abilities to all pid files and tmp files. This is a scary amount of permissions, when all we really need is the ability to manage the pid and tmp files associated with the celery_t process itself.

To accomplish this, we should introduce two new security types: celery_tmp_t and celery_run_t. We can do that with the following statements:

# private type for celery's own pid file(s) under /var/run
type celery_run_t;
files_pid_file(celery_run_t)

# private type for celery's own files under /tmp
type celery_tmp_t;
files_tmp_file(celery_tmp_t)

Then we need to allow the management of these files with statements like:

# celery_t may create, read, write and delete files of its private types only
allow celery_t celery_tmp_t:file manage_file_perms;
# files celery_t creates in /tmp are labelled celery_tmp_t instead of the generic tmp_t
files_tmp_filetrans(celery_t, celery_tmp_t, file)

allow celery_t celery_run_t:file manage_file_perms;
# pid files celery_t creates in /var/run are labelled celery_run_t instead of var_run_t
files_pid_filetrans(celery_t, celery_run_t, file)

+ This bug was cloned from Bugzilla Bug #1158169 +
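A complete policy module built from the statements in the description, as an added example rather than the pulp-celery policy itself: it shows the broad grant this issue objects to (commented out) next to the narrow replacement. The module name celery_tmp_pid_example is made up, celery_t is assumed to be declared by the existing policy, and the dir rule plus the note on symlinks go slightly beyond the description, following the SUCCESS/FAILURE pattern of the verification log in comment #9.

```selinux
policy_module(celery_tmp_pid_example, 1.0)

# Added example module, not Pulp's own policy. The celery_t domain is
# assumed to be declared by the existing pulp-celery policy.
gen_require(`
    type celery_t;
')

########################################
#
# Before (the grant this issue objects to): celery_t may manage every
# file carrying the generic tmp_t / var_run_t labels, i.e. the tmp and
# pid files of every other service on the host. Kept commented out so
# it is NOT part of the loaded module.
#
#   allow celery_t tmp_t:file manage_file_perms;
#   allow celery_t var_run_t:file manage_file_perms;

########################################
#
# After: private types that only celery's own files will carry.
#
type celery_tmp_t;
files_tmp_file(celery_tmp_t)   # a tmp file type, lives under /tmp

type celery_run_t;
files_pid_file(celery_run_t)   # a pid file type, lives under /var/run

# celery_t gets full control of files with the private types only.
allow celery_t celery_tmp_t:file manage_file_perms;
allow celery_t celery_tmp_t:dir  manage_dir_perms;   # its own tmp dirs too
allow celery_t celery_run_t:file manage_file_perms;

# Files and directories celery_t creates inside a tmp_t directory are
# labelled celery_tmp_t automatically, and pid files it creates under
# var_run_t get celery_run_t, instead of inheriting the generic label.
files_tmp_filetrans(celery_t, celery_tmp_t, { file dir })
files_pid_filetrans(celery_t, celery_run_t, file)

# No lnk_file rule or transition is granted, so creating a symlink under
# /tmp stays denied (the FAILURE of the symlink test in the verification
# log). Reading another service's pid file is denied as well: that file
# is var_run_t, not celery_run_t.
```

Build it with the refpolicy development Makefile (/usr/share/selinux/devel/Makefile) and load it with semodule -i; afterwards `ls -Z` on a file the worker created under /tmp should show celery_tmp_t rather than tmp_t.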

#1

Updated by bmbouter over 9 years ago

Bug 1138814 has been marked as a duplicate of this bug.

+ This comment was cloned from Bugzilla #1158169 comment 1 +

#2

Updated by dkliban@redhat.com over 9 years ago

  • Status changed from NEW to POST

#3

Updated by dkliban@redhat.com over 9 years ago

The following instructions should help with testing the changes.

https://gist.github.com/dkliban/18989c57bae02a3d466d

#4

Updated by dkliban@redhat.com over 9 years ago

  • Status changed from POST to MODIFIED

#5

Updated by bmbouter over 9 years ago

  • Severity changed from Medium to 2. Medium

#6

Updated by dkliban@redhat.com over 9 years ago

  • Platform Release set to 2.7.0

#7

Updated by dkliban@redhat.com over 9 years ago

  • Status changed from MODIFIED to 5

#9

Updated by Skullman over 9 years ago

  • Status changed from 5 to 6

Verified on RHEL6.7, pulp 2.7.0-4

Python terminal log:

>>> from pulp.server.tasks import test_get_size_other_pid, test_get_size_own_pid, test_get_size_other_tmp, test_create_and_remove_tmp_dir, test_create_and_remove_tmp_file, test_create_and_remove_tmp_symlink
>>> from pulp.server.db.connection import initialize
>>> initialize()
>>> test_get_size_other_pid.delay()
<AsyncResult: f83857f8-03f5-4814-b431-80e07af21071>
>>> result =  _; result.state
u'FAILURE'
>>> test_get_size_own_pid.delay()
<AsyncResult: 64bcbe66-5e55-4f8a-88a8-b22244ab3697>
>>> result =  _; result.state
u'SUCCESS'
>>> test_create_and_remove_tmp_dir.delay()
<AsyncResult: c61410c5-bf79-47db-aa20-4f517150bfc3>
>>> result =  _; result.state
u'SUCCESS'
>>> test_create_and_remove_tmp_file.delay()
<AsyncResult: 4c170701-d8c3-4b5a-89c1-df056db6ef66>
>>> result =  _; result.state
u'SUCCESS'
>>> test_create_and_remove_tmp_symlink.delay()
<AsyncResult: b72113fc-947a-488c-b0aa-90d4c625ae43>
>>> result =  _; result.state
u'FAILURE'

#10

Updated by amacdona@redhat.com about 9 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#12

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added
