
Issue #594

pulp-celery selinux can manage all tmp files and pid files, not just its own

Added by bmbouter almost 5 years ago. Updated 9 months ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Severity:
2. Medium
Version:
Master
Platform Release:
2.7.0
Blocks Release:
OS:
Backwards Incompatible:
No
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
QA Contact:
Complexity:
Smash Test:
Verified:
Yes
Verification Required:
No
Sprint:

Description

The pulp-celery policy allows arbitrary read/write abilities to all pid files and tmp files. This is a scary amount of permissions, when all we really need is the ability to manage the pid and tmp files associated with the celery_t process itself.

To accomplish this, we should introduce two new security types: celery_tmp_t and celery_run_t. We can do that with the following statements:

# Private type for celery's PID files under /var/run
type celery_run_t;
files_pid_file(celery_run_t)

# Private type for celery's temporary files under /tmp
type celery_tmp_t;
files_tmp_file(celery_tmp_t)

Then we need to allow the management of these files with statements like:

# Full control over files of the private tmp type, and automatic labelling
# of files celery_t creates in /tmp with that type
allow celery_t celery_tmp_t:file manage_file_perms;
files_tmp_filetrans(celery_t, celery_tmp_t, file)

# Same for the private PID-file type under /var/run
allow celery_t celery_run_t:file manage_file_perms;
files_pid_filetrans(celery_t, celery_run_t, file)

+ This bug was cloned from Bugzilla Bug #1158169 +
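The statements above assembled into one loadable policy module, as an added example that is not code from the issue or from the pulp project; the module name celery_pulp and the `require` of an existing celery_t domain are assumptions, and it goes beyond the issue text by also covering directories created in /tmp and /var/run. It only narrows anything if the broad var_run_t/tmp_t rules of the existing pulp-celery policy are removed at the same time.

```selinux
policy_module(celery_pulp, 1.0.0)

########################################
# Declarations
#

require {
	type celery_t;     # assumed: the existing celery worker domain
}

# Private types for the files celery_t creates under /var/run and /tmp.
# Other domains' PID and tmp files keep their own types, so celery_t no
# longer needs (or gets) rules on the generic var_run_t / tmp_t types.
type celery_run_t;
files_pid_file(celery_run_t)

type celery_tmp_t;
files_tmp_file(celery_tmp_t)

########################################
# Local policy
#

# Manage (create, read, write, unlink, ...) only the private types.
manage_dirs_pattern(celery_t, celery_tmp_t, celery_tmp_t)
manage_files_pattern(celery_t, celery_tmp_t, celery_tmp_t)
manage_dirs_pattern(celery_t, celery_run_t, celery_run_t)
manage_files_pattern(celery_t, celery_run_t, celery_run_t)

# Automatic labelling: objects celery_t creates directly in /tmp or
# /var/run get the private type instead of inheriting tmp_t / var_run_t.
files_tmp_filetrans(celery_t, celery_tmp_t, { dir file })
files_pid_filetrans(celery_t, celery_run_t, { dir file })
```

After loading, `sesearch -A -s celery_t -t var_run_t -c file` should report no manage permissions, while the same query against celery_run_t does.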

History

#1 Updated by bmbouter almost 5 years ago

  • Bug 1138814 has been marked as a duplicate of this bug.

+ This comment was cloned from Bugzilla #1158169 comment 1 +

#2 Updated by dkliban@redhat.com almost 5 years ago

  • Status changed from NEW to POST

#3 Updated by dkliban@redhat.com almost 5 years ago

The following instructions should help with testing the changes.

https://gist.github.com/dkliban/18989c57bae02a3d466d

#4 Updated by dkliban@redhat.com almost 5 years ago

  • Status changed from POST to MODIFIED

#5 Updated by bmbouter almost 5 years ago

  • Severity changed from Medium to 2. Medium

#6 Updated by dkliban@redhat.com almost 5 years ago

  • Platform Release set to 2.7.0

#7 Updated by dkliban@redhat.com over 4 years ago

  • Status changed from MODIFIED to ON_QA

#8 Updated by Skullman over 4 years ago

  • QA Contact set to Skullman

#9 Updated by Skullman over 4 years ago

  • Status changed from ON_QA to VERIFIED

Verified on RHEL6.7, pulp 2.7.0-4

Python terminal log:

>>> from pulp.server.tasks import test_get_size_other_pid, test_get_size_own_pid, test_get_size_other_tmp, test_create_and_remove_tmp_dir, test_create_and_remove_tmp_file, test_create_and_remove_tmp_symlink
>>> from pulp.server.db.connection import initialize
>>> initialize()
>>> test_get_size_other_pid.delay()
<AsyncResult: f83857f8-03f5-4814-b431-80e07af21071>
>>> result =  _; result.state
u'FAILURE'
>>> test_get_size_own_pid.delay()
<AsyncResult: 64bcbe66-5e55-4f8a-88a8-b22244ab3697>
>>> result =  _; result.state
u'SUCCESS'
>>> test_create_and_remove_tmp_dir.delay()
<AsyncResult: c61410c5-bf79-47db-aa20-4f517150bfc3>
>>> result =  _; result.state
u'SUCCESS'
>>> test_create_and_remove_tmp_file.delay()
<AsyncResult: 4c170701-d8c3-4b5a-89c1-df056db6ef66>
>>> result =  _; result.state
u'SUCCESS'
>>> test_create_and_remove_tmp_symlink.delay()
<AsyncResult: b72113fc-947a-488c-b0aa-90d4c625ae43>
>>> result =  _; result.state
u'FAILURE'

#10 Updated by amacdona@redhat.com about 4 years ago

  • Status changed from VERIFIED to CLOSED - CURRENTRELEASE

#11 Updated by pulpbot almost 3 years ago

  • Verified changed from No to Yes

#12 Updated by bmbouter 9 months ago

  • Tags Pulp 2 added
