Task #563

Updated by bmbouter about 6 years ago

The SELinux policy is 100% downstream, and it should be contributed back upstream so less is carried by Pulp specifically. Some portion of this policy is specific to Pulp, and some portion of the policy is specific to celery startup behavior on systemd and upstart. Rather than submitting it to Celery directly we can have it included in "fedora-selinux":https://github.com/fedora-selinux/selinux-policy. In fact, we can have both the generic celery policy and the policy specific to Pulp live in fedora-selinux.

A user in #selinux on freenode offered two suggestions.

1. Merge the pulp-server and pulp-celery selinux packages into one
2. Contribute as much of that merged policy back to fedora-selinux

The upstream celery contribution should create containers celery_worker_t and celery_celerybeat_t. Our downstream policy should extend these with the Pulp specific extensions. We also should define a separate context for celery versus celerybeat.

That user offered the following first-cut at merging the two policies. It's incomplete but a good start.

<pre>
/etc/pki/pulp(/.*)? gen_context(system_u:object_r:pulp_cert_t,s0)
/etc/pulp(/.*)? gen_context(system_u:object_r:pulp_conf_t,s0)

/usr/bin/celery -- gen_context(system_u:object_r:celery_exec_t,s0)

/srv/pulp(/.*)? gen_context(system_u:object_r:pulp_var_cache_t,s0)

/var/cache/pulp(/.*)? gen_context(system_u:object_r:pulp_var_cache_t,s0)

/var/lib/pulp(/.*)? gen_context(system_u:object_r:pulp_var_lib_t,s0)

/var/log/pulp(/.*)? gen_context(system_u:object_r:pulp_var_log_t,s0)

/var/run/pulp(/.*)? gen_context(system_u:object_r:pulp_var_run_t,s0)

# The lines above are file contexts (.fc); the type enforcement module (.te) starts here.
policy_module(pulp, 0.0.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Determine whether pulp can manage puppet config.
## </p>
## </desc>
gen_tunable(pulp_manage_puppet, false)

type celery_t;
type celery_exec_t;
init_daemon_domain(celery_t, celery_exec_t)

type pulp_cert_t;
miscfiles_cert_type(pulp_cert_t)

type pulp_conf_t;
files_config_file(pulp_conf_t)

type pulp_tmp_t;
files_tmp_file(pulp_tmp_t)

type pulp_var_cache_t;
files_type(pulp_var_cache_t)

type pulp_var_lib_t;
files_type(pulp_var_lib_t)

type pulp_var_log_t;
logging_log_file(pulp_var_log_t)

type pulp_var_run_t;
files_pid_file(pulp_var_run_t)

########################################
#
# Policy
#

allow celery_t self:process { setsched signal signull };
allow celery_t self:tcp_socket create_stream_socket_perms;

allow celery_t pulp_conf_t:dir list_dir_perms;
allow celery_t pulp_conf_t:file read_file_perms;
allow celery_t pulp_conf_t:lnk_file read_lnk_file_perms;

allow celery_t pulp_tmp_t:file manage_file_perms;
allow celery_t pulp_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(celery_t, pulp_tmp_t, dir)

allow celery_t pulp_var_cache_t:file manage_file_perms;
allow celery_t pulp_var_cache_t:dir manage_dir_perms;
files_var_filetrans(celery_t, pulp_var_cache_t, dir)

allow celery_t pulp_var_lib_t:file manage_file_perms;
allow celery_t pulp_var_lib_t:dir manage_dir_perms;
files_var_lib_filetrans(celery_t, pulp_var_lib_t, dir)

create_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
append_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
setattr_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)
read_files_pattern(celery_t, pulp_var_log_t, pulp_var_log_t)

allow celery_t pulp_var_run_t:file manage_file_perms;
allow celery_t pulp_var_run_t:dir manage_dir_perms;
files_pid_filetrans(celery_t, pulp_var_run_t, dir)

kernel_read_system_state(celery_t)

corecmd_exec_bin(celery_t)
corecmd_exec_shell(celery_t)

corenet_tcp_connect_all_ports(celery_t)
corenet_tcp_bind_all_ports(celery_t)
corenet_tcp_bind_generic_node(celery_t)

fs_getattr_xattr_fs(celery_t)

auth_use_nsswitch(celery_t)

libs_exec_ldconfig(celery_t)

logging_send_syslog_msg(celery_t)

miscfiles_manage_generic_cert_dirs(celery_t)
miscfiles_read_localization(celery_t)

optional_policy(`
	tunable_policy(`pulp_manage_puppet',`
		# create me upstream
		# puppet_manage_config(celery_t)
	')
')

optional_policy(`
	gpg_exec(celery_t)
')

optional_policy(`
	rpm_exec(celery_t)
')
</pre>
+ This bug was cloned from "Bugzilla Bug #1148998":https://bugzilla.redhat.com/show_bug.cgi?id=1148998 +
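
A merged draft like the one above pairs file contexts with a type enforcement module, so a cross-check before submission catches a context that names a type the module never declares, or an allow rule with no object class. The following is an added example, not part of the original issue or of the Pulp or fedora-selinux code; `lint_policy` is a hypothetical helper and the sample input is constructed, modeled on the draft.

```python
import re

# Added example: lint_policy is hypothetical. Constructed sample: one .fc entry
# names a type the .te never declares, and one allow rule has no object class.
SAMPLE_FC = """\
/etc/pulp(/.*)? gen_context(system_u:object_r:pulp_conf_t,s0)
/usr/bin/celery -- gen_context(system_u:object_r:celery_exec_t,s0)
/srv/pulp(/.*)? gen_context(system_u:object_r:pulse_var_cache_t,s0)
"""
SAMPLE_TE = """\
type celery_t;
type celery_exec_t;
type pulp_conf_t;
type pulp_var_cache_t;
allow celery_t pulp_conf_t list_dir_perms;
allow celery_t pulp_var_cache_t:file manage_file_perms;
allow celery_t self:process { setsched signal };
"""

FC_TYPE = re.compile(r"gen_context\(\s*[^:\s]+:[^:\s]+:([A-Za-z0-9_]+)")
TYPE_DECL = re.compile(r"^[ \t]*type[ \t]+([A-Za-z0-9_]+)[ \t]*[;,]", re.M)
ALLOW = re.compile(r"^[ \t]*allow[ \t]+(\S+)[ \t]+([^;]+);", re.M)


def lint_policy(fc_text, te_text):
    """Return findings in file order (.fc first); macros are not expanded."""
    declared = set(TYPE_DECL.findall(te_text))
    findings = []
    for lineno, line in enumerate(fc_text.splitlines(), 1):
        m = FC_TYPE.search(line)
        if m and m.group(1) not in declared:
            findings.append(f"fc:{lineno}: undeclared type {m.group(1)}")
    for m in ALLOW.finditer(te_text):
        lineno = te_text.count("\n", 0, m.start()) + 1
        source, rest = m.group(1), m.group(2).split()
        if source.startswith("{") or rest[0].startswith("{"):
            continue  # type sets are outside the scope of this simple check
        target = rest[0]
        if ":" not in target:
            findings.append(f"te:{lineno}: allow rule has no object class: {target}")
        for name in (source, target.split(":")[0]):
            if name != "self" and name not in declared:
                findings.append(f"te:{lineno}: undeclared type {name}")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_FC, SAMPLE_TE):
        print(finding)
```

Types declared in other modules and attribute names are reported as undeclared by this check, so findings need a quick review against the base policy before they are treated as errors.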