rpms/icecream/devel icecream.fc, 1.1, 1.2 icecream.spec, 1.15, 1.16 icecream.te, 1.4, 1.5

Michal Schmidt michich at fedoraproject.org
Mon Feb 16 13:55:23 UTC 2009


Author: michich

Update of /cvs/pkgs/rpms/icecream/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27920

Modified Files:
	icecream.fc icecream.spec icecream.te 
Log Message:
* Mon Feb 16 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-2
- Updated and re-enabled the SELinux policy. The scheduler is now confined too.



Index: icecream.fc
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/devel/icecream.fc,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- icecream.fc	21 Nov 2007 00:32:33 -0000	1.1
+++ icecream.fc	16 Feb 2009 13:54:52 -0000	1.2
@@ -1,10 +1,5 @@
-# myapp executable will have:
-# label: system_u:object_r:myapp_exec_t
-# MLS sensitivity: s0
-# MCS categories: <none>
-
 /usr/sbin/iceccd			--	gen_context(system_u:object_r:iceccd_exec_t,s0)
-/usr/lib(64)?/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_helper_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
 /var/cache/icecream(/.*)?			gen_context(system_u:object_r:iceccd_cache_t,s0)
 /var/log/iceccd				--	gen_context(system_u:object_r:iceccd_log_t,s0)
-#/var/log/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_log_t,s0)
+/usr/sbin/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
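Review bot: The only file context that ever mentioned the scheduler's log, the commented-out `/var/log/icecc-scheduler` line, is dropped here, while the new `icecc_scheduler_t` domain in icecream.te declares no log type and no logging rules. I cannot tell from the diff whether icecc-scheduler writes a log file, but if it does, the write is denied once the domain is enforced and the daemon keeps running, so the failure is easy to miss. I would either restore a labelled type for it (`/var/log/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_log_t,s0)` together with the matching `logging_log_file`, `manage_files_pattern` and `logging_log_filetrans` rules) or leave a comment in this file stating that the scheduler is known not to log to a file.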


Index: icecream.spec
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/devel/icecream.spec,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- icecream.spec	16 Feb 2009 12:22:04 -0000	1.15
+++ icecream.spec	16 Feb 2009 13:54:52 -0000	1.16
@@ -1,6 +1,6 @@
 %if 0%{?fedora}
 %bcond_without  fedora
-%bcond_with	selinux
+%bcond_without	selinux
 %else
 %bcond_with	fedora
 # I'd need to modify the policy a bit to make it work on RHEL,
@@ -11,7 +11,7 @@
 
 Name:		icecream
 Version:	0.9.3
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	Distributed compiler
 
 Group:		Development/Tools
@@ -165,6 +165,7 @@
 restorecon %{_localstatedir}/log/iceccd 2>/dev/null ||:
 semanage port -a -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
 semanage port -a -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+semanage port -a -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
 semanage port -a -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
 %endif
 # fi
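Review bot: `semanage port -a -t icecc_scheduler_port_t -p tcp 8766` fails when the port already carries a label (a previous install, or a definition in the base policy), and `2>/dev/null ||:` hides that, so the scheduler would later get `name_bind` denials on 8766 with nothing in the install output to explain them. The usual pattern is to fall back to modify: `semanage port -a -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null || semanage port -m -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:`, and the same applies to the other three port lines in this hunk. The matching `-d` lines in the next hunk are indented, which suggests they sit inside a conditional that starts outside the hunk; it is worth confirming it only runs on erase, since an unconditional `-d` in the old package's %postun during an upgrade would strip the labels the new package has just added.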
@@ -183,6 +184,7 @@
 %if %{with selinux}
 	semanage port -d -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
 	semanage port -d -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+	semanage port -d -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
 	semanage port -d -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
 	for selinuxvariant in %{selinux_variants}; do
 		semodule -s ${selinuxvariant} -r icecream 2>/dev/null ||:
@@ -233,6 +235,9 @@
 %{_libdir}/pkgconfig/icecc.pc
 
 %changelog
+* Mon Feb 16 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-2
+- Updated and re-enabled the SELinux policy. The scheduler is now confined too.
+
 * Mon Feb 16 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-1
 - new upstream release
 - Dropped merged patches.


Index: icecream.te
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/devel/icecream.te,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- icecream.te	13 Mar 2008 00:09:06 -0000	1.4
+++ icecream.te	16 Feb 2009 13:54:52 -0000	1.5
@@ -1,46 +1,47 @@
 
-policy_module(icecream,0.0.36)
+policy_module(icecream,0.0.42)
 
 ########################################
 #
 # Declarations
 #
 
+# the compiler node daemon
 type iceccd_t;
 type iceccd_exec_t;
 init_daemon_domain(iceccd_t, iceccd_exec_t)
 
-type iceccd_var_run_t;
-files_pid_file(iceccd_var_run_t)
-
 type iceccd_log_t;
 logging_log_file(iceccd_log_t)
 
-type iceccd_cache_t;
-files_type(iceccd_cache_t)
-
 type iceccd_tmp_t;
 files_tmp_file(iceccd_tmp_t)
 
-type iceccd_helper_t;
-type iceccd_helper_exec_t;
-domain_type(iceccd_helper_t)
-domain_entry_file(iceccd_helper_t, iceccd_helper_exec_t)
-role system_r types iceccd_helper_t;
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+# the working area
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+# icecc-create-env script makes a tarball of the local compiler and its
+# dependencies for other nodes to use
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+domain_type(iceccd_createenv_t)
+domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
 
-# the cache contains foreign compilers and libraries
-# the whole point of icecream is to run them...
+# foreign compilers
 type iceccd_untrusted_t;
 domain_type(iceccd_untrusted_t);
 domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
 role system_r types iceccd_untrusted_t;
 
-# XXX: something like this:
-# network_port(iceccd, tcp,10245,s0)
-#type iceccd_client_packet_t;
-#type iceccd_server_packet_t;
-# XXX: portcon only works in base policy module
-#portcon tcp 10245 gen_context(system_u:object_r:iceccd_port_t, s0)
+# the scheduler
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
 
 type iceccd_port_t;
 type icecc_scheduler_port_t;
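Review bot: The comment above `type iceccd_untrusted_t;` shrank to `# foreign compilers`, losing the old explanation of why this domain exists, which is the one thing a reader of this policy needs to know: its entry point is the cache type itself (`domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)`), so whatever is unpacked into /var/cache/icecream can be executed in it. I would restore a fuller comment, e.g. `# foreign compilers: environments shipped by other nodes are unpacked into iceccd_cache_t and run from there, so this domain executes code the local host did not install`. The declarations section continues past the end of this hunk.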
@@ -49,119 +50,131 @@
 
 ########################################
 #
-# Icecream local policy
+# Icecream policy
 #
 
 allow iceccd_t self:process { signal_perms setsched setrlimit };
 allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
 allow iceccd_t self:tcp_socket create_stream_socket_perms;
 allow iceccd_t self:udp_socket create_socket_perms;
-allow iceccd_t iceccd_port_t:tcp_socket name_bind;
-allow iceccd_t icecc_scheduler_port_t:tcp_socket { send_msg recv_msg name_connect };
-allow iceccd_t icecc_scheduler_port_t:udp_socket { send_msg recv_msg };
-allow iceccd_t self:fifo_file { read write ioctl getattr };
-# why exactly?:
-allow iceccd_t self:capability { chown dac_override fsetid kill };
-allow iceccd_t self:capability { setgid setuid };
-allow iceccd_t self:capability { sys_chroot };
-
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:capability { chown dac_override fsetid kill setgid setuid sys_chroot };
 allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
 
-allow iceccd_helper_t iceccd_t:process { sigchld };
-allow iceccd_helper_t iceccd_log_t:file { append };
-allow iceccd_helper_t self:fifo_file { read write ioctl getattr };
-# needs investigating:
-allow iceccd_helper_t iceccd_tmp_t:file { execute };
-# rly needed?
-allow iceccd_helper_t iceccd_t:udp_socket { read write };
-
-allow iceccd_untrusted_t self:fifo_file { read write getattr };
-allow iceccd_untrusted_t self:process { signal };
-allow iceccd_untrusted_t iceccd_t:process { sigchld };
-allow iceccd_untrusted_t iceccd_t:fifo_file { write };
-allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write getattr };
-allow iceccd_untrusted_t iceccd_cache_t:dir { search getattr write add_name remove_name };
-allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans write unlink create };
-
-corenet_all_recvfrom_unlabeled(iceccd_t)
-corenet_all_recvfrom_netlabel(iceccd_t)
-corenet_tcp_sendrecv_all_if(iceccd_t)
-corenet_udp_sendrecv_all_if(iceccd_t)
-corenet_tcp_sendrecv_all_nodes(iceccd_t)
-corenet_udp_sendrecv_all_nodes(iceccd_t)
-# corenet_tcp_sendrecv_all_ports(iceccd_t)
-# corenet_udp_sendrecv_all_ports(iceccd_t)
-corenet_tcp_bind_all_nodes(iceccd_t)
-
-manage_files_pattern(iceccd_t,iceccd_log_t,iceccd_log_t)
-logging_log_filetrans(iceccd_t, iceccd_log_t, file)
-
-manage_files_pattern(iceccd_t,iceccd_var_run_t,iceccd_var_run_t)
-files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
-
-manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-
-manage_dirs_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
-
+files_read_etc_files(iceccd_t)
 libs_use_ld_so(iceccd_t)
 libs_use_shared_libs(iceccd_t)
-
-# for ldd
-libs_exec_ld_so(iceccd_t)
-
-files_read_etc_files(iceccd_t)
 miscfiles_read_localization(iceccd_t)
-kernel_read_system_state(iceccd_t)
-sysnet_read_config(iceccd_t)
-#files_read_usr_files(iceccd_t)
-
-files_read_etc_files(iceccd_helper_t)
-libs_use_ld_so(iceccd_helper_t)
-libs_use_shared_libs(iceccd_helper_t)
-miscfiles_read_localization(iceccd_helper_t)
-corecmd_exec_bin(iceccd_helper_t)
-corecmd_exec_shell(iceccd_helper_t)
-dev_read_urand(iceccd_helper_t)
-kernel_read_system_state(iceccd_helper_t)
-files_read_usr_files(iceccd_helper_t)
-libs_exec_ld_so(iceccd_helper_t)
-libs_exec_lib_files(iceccd_helper_t)
-nscd_socket_use(iceccd_helper_t)
 
-# XXX: iceccd wants this every second. why?
 fs_getattr_all_fs(iceccd_t)
+kernel_read_system_state(iceccd_t)
+sysnet_read_config(iceccd_t)
 
 corecmd_exec_bin(iceccd_t)
 corecmd_read_bin_symlinks(iceccd_t)
 
-# XXX: could iceccd be modified to not need this?
-corecmd_exec_shell(iceccd_t)
-
-# for mktemp
-#dev_read_urand(iceccd_t)
 files_getattr_tmp_dirs(iceccd_t)
 files_search_tmp(iceccd_t)
 
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
+allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+
 manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
 manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
 files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
 
-manage_dirs_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, file)
-files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, dir)
 
-# to re-create /var/cache/icecream
+allow iceccd_createenv_t iceccd_log_t:file { append };
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+# icecc-create-env looks for executable files to strip them. It does not
+# really execute them, but the -x check would trigger a denial. Do not allow
+# this, typically the binaries are already stripped anyway. Just silence it.
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+
+files_read_etc_files(iceccd_createenv_t)
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+miscfiles_read_localization(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+
+files_read_usr_files(iceccd_createenv_t)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+libs_domtrans_ldconfig(iceccd_createenv_t)
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+dev_read_urand(iceccd_createenv_t)
+kernel_read_system_state(iceccd_createenv_t)
+# silence file(1) looking for /root/.magic
+userdom_dontaudit_search_admin_dir(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+
+optional_policy(`
+	nscd_socket_use(iceccd_createenv_t)
+')
+
+# Some rules that can probably go away when iceccd is fixed properly:
+#
+# XXX: icecc-create-env does not really need to talk to the open UDP socket
+# leaked from its parent.
+dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write };
+# XXX: iceccd could be modified to avoid the shell completely
+corecmd_exec_shell(iceccd_t)
+# XXX: fix iceccd to only nuke the contents of /var/cache/icecream,
+# not the directory itself.
 files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
 
-# aka domain_auto_trans
-domain_auto_transition_pattern(iceccd_t, iceccd_helper_exec_t, iceccd_helper_t)
-domain_auto_transition_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
-
-userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_t)
-#userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_helper_t)
-userdom_dontaudit_search_sysadm_home_dirs(iceccd_helper_t)
-#userdom_getattr_sysadm_home_dirs(iceccd_t)
 
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(icecc_scheduler_t)
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+miscfiles_read_localization(icecc_scheduler_t)
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
+allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };
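Review bot: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` applies a sock_file permission set to a socket class; rw_sock_file_perms is defined for the file-like sock_file object and, depending on the refpolicy version, includes `open`, which is not a unix_stream_socket permission and would make the module fail to build. Either keep the explicit set the old rule had, `allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write getattr };`, or use the socket-class set `rw_socket_perms`. Separately, `manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` paired with `execute_no_trans` on the same type means the foreign compiler can rewrite the binaries it later runs; that matches the old policy, but a comment such as `# the jobs can modify the cache they execute from; it is not integrity-protected from them` would record the accepted risk. The `corenet_*_sendrecv_all_ports` calls for both domains also replace the previously commented-out ones without saying why; a one-line comment on the reason (presumably peers connect from arbitrary ports) would help the next reader judge whether they can be narrowed.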



