Issue #594
Status: closed
pulp-celery selinux can manage all tmp files and pid files, not just its own
Description
The pulp-celery policy allows arbitrary read/write access to all pid files and tmp files (everything labelled var_run_t and tmp_t). That is far more permission than the process needs: all we really need is the ability to manage the pid and tmp files belonging to the celery_t domain itself.
To accomplish this, we should introduce two new security types, celery_run_t and celery_tmp_t, and register them with the files module as pid-file and tmp-file types. We can do that with the following statements:
type celery_run_t;
files_pid_file(celery_run_t)
type celery_tmp_t;
files_tmp_file(celery_tmp_t)
Then we need to allow the management of these files with statements like:
allow celery_t celery_tmp_t:file manage_file_perms;
files_tmp_filetrans(celery_t, celery_tmp_t, file)
allow celery_t celery_run_t:file manage_file_perms;
files_pid_filetrans(celery_t, celery_run_t, file)
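The statements above, assembled into one buildable policy module, as an added example rather than the policy shipped by Pulp. The module name, the require block for celery_t and the path /var/run/celery are assumptions; if these lines are added to the existing pulp-celery .te file, drop the require block, since celery_t is declared there. Two things the bare allow rules above do not cover are included deliberately: the *_pattern macros grant the directory search/rw permission needed to reach the files, and the filetrans calls list both dir and file, because with only file a pid directory created under /var/run would stay labelled var_run_t.

```selinux
# celery.te  (added example; module name, require block and paths are assumptions)
policy_module(celery, 1.0.0)

require {
	type celery_t;          # assumed to be declared by the existing pulp-celery policy
}

########################################
#
# Declarations
#

# Private type for celery's pid files (and its own subdirectory under /var/run)
type celery_run_t;
files_pid_file(celery_run_t)

# Private type for celery's files under /tmp
type celery_tmp_t;
files_tmp_file(celery_tmp_t)

########################################
#
# Local policy
#

# Full management of celery's own pid/tmp objects and nothing else in
# var_run_t or tmp_t. The *_pattern macros also grant search/rw on the
# parent directory type so the objects can actually be reached.
manage_dirs_pattern(celery_t, celery_run_t, celery_run_t)
manage_files_pattern(celery_t, celery_run_t, celery_run_t)
manage_dirs_pattern(celery_t, celery_tmp_t, celery_tmp_t)
manage_files_pattern(celery_t, celery_tmp_t, celery_tmp_t)

# Default-label whatever celery_t creates directly in /var/run and /tmp.
# filetrans also grants rw_dir_perms on var_run_t / tmp_t for the create itself.
files_pid_filetrans(celery_t, celery_run_t, { dir file })
files_tmp_filetrans(celery_t, celery_tmp_t, { dir file })

# --- celery.fc (separate file, installed with the module) ---
# Persistent labels so restorecon and package installs agree with the
# runtime transitions above. The path is an assumption.
# /var/run/celery(/.*)?   gen_context(system_u:object_r:celery_run_t,s0)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile celery.pp && semodule -i celery.pp`, then relabel any existing directory with `restorecon -Rv /var/run/celery`. To confirm the narrowing took effect once the old blanket grants are removed, `sesearch -A -s celery_t -t celery_run_t -c file` should list the manage permissions, while `sesearch -A -s celery_t -t var_run_t -c file` and the same query against tmp_t should return nothing.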
This bug was cloned from Bugzilla Bug #1158169.