
Issue #594

closed

pulp-celery selinux can manage all tmp files and pid files, not just its own

Added by bmbouter about 9 years ago. Updated about 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Category: -
Sprint/Milestone: -
Severity: 2. Medium
Version: Master
Platform Release: 2.7.0
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2

Description

The pulp-celery policy allows arbitrary read/write abilities to all pid files and tmp files. This is a scary amount of permissions, when all we really need is the ability to manage the pid and tmp files associated with the celery_t process itself.

To accomplish this, we should introduce two new security types: celery_tmp_t and celery_run_t. We can do that with the following statements:

# private pid-file type for celery_t (the declared name and the name passed
# to files_pid_file() must match; the original had celery_var_run_t here)
type celery_run_t;
files_pid_file(celery_run_t)

# private tmp-file type for celery_t
type celery_tmp_t;
files_tmp_file(celery_tmp_t)

Then we need to allow the management of these files with statements like:

allow celery_t celery_tmp_t:file manage_file_perms;
files_tmp_filetrans(celery_t, celery_tmp_t, file)

allow celery_t celery_run_t:file manage_file_perms;
files_pid_filetrans(celery_t, celery_run_t, file)

This bug was cloned from Bugzilla Bug #1158169
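The statements above, assembled into one loadable refpolicy-style module, as an added example that is not the pulp-celery policy itself. It assumes celery_t is already declared by the existing policy (hence the gen_require), uses refpolicy's manage_dirs_pattern / manage_files_pattern macros rather than a bare allow on the file class so that directories and the parent-directory search are covered too, and the module name pulp_celery_private_files is a placeholder. Dropping the existing generic tmp/pid rules from the pulp-celery module is a separate step this module does not perform.

```selinux
policy_module(pulp_celery_private_files, 1.0)

########################################
#
# Declarations
#

gen_require(`
	# Assumed: celery_t is the existing Celery worker domain declared by
	# the pulp-celery policy. This module only adds private types for it.
	type celery_t;
')

# Private temp-file type. files_tmp_file() marks it as a tmp file type so
# tmp cleanup and the generic "all tmp files" interfaces still see it, but
# a rule on celery_tmp_t reaches nothing else under /tmp.
type celery_tmp_t;
files_tmp_file(celery_tmp_t)

# Private pid-file type under /run (/var/run); same idea for pid files.
type celery_run_t;
files_pid_file(celery_run_t)

########################################
#
# Local policy
#

# Temp files: create/read/write/rename/unlink on files and directories of
# the private type only. files_tmp_filetrans() grants the rw on tmp_t that
# creation needs and adds a type_transition, so anything celery_t creates
# directly in /tmp is labelled celery_tmp_t without a restorecon.
manage_dirs_pattern(celery_t, celery_tmp_t, celery_tmp_t)
manage_files_pattern(celery_t, celery_tmp_t, celery_tmp_t)
files_tmp_filetrans(celery_t, celery_tmp_t, { dir file })

# Pid files: same shape for /run. files_pid_filetrans() also grants the
# search on var_t and rw on var_run_t that the transition depends on.
manage_dirs_pattern(celery_t, celery_run_t, celery_run_t)
manage_files_pattern(celery_t, celery_run_t, celery_run_t)
files_pid_filetrans(celery_t, celery_run_t, { dir file })
```

Build and load with the stock devel Makefile: `make -f /usr/share/selinux/devel/Makefile pulp_celery_private_files.pp` followed by `semodule -i pulp_celery_private_files.pp`. To confirm the scope actually shrank once the generic rules are removed from pulp-celery, `sesearch -A -s celery_t -t tmp_t -c file` and `sesearch -A -s celery_t -t var_run_t -c file` should return nothing, while `sesearch -T -s celery_t -t tmp_t` and `sesearch -T -s celery_t -t var_run_t` should each show the type_transition to the private type. A matching .fc entry is only needed if the pid or tmp paths must survive a full relabel; the transitions label the files at creation time.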
