From 337de1a72b1b5f1c554c74c3d1b1e1de9239595d Mon Sep 17 00:00:00 2001 From: Michal Schmidt Date: May 04 2009 11:58:03 +0000 Subject: - Upstream release 0.9.4. - Dropped merged patches. --- diff --git a/icecream-0.9.3-fix-gcc44-ftbfs.patch b/icecream-0.9.3-fix-gcc44-ftbfs.patch deleted file mode 100644 index 9d935b8..0000000 --- a/icecream-0.9.3-fix-gcc44-ftbfs.patch +++ /dev/null @@ -1,38 +0,0 @@ -With gcc 4.4 this fixes not just a warning, but an error. -- Michal - - -commit f1ed14e4062869f583472f74a1b51b9c5ad42cde -Author: coolo -Date: Mon Feb 16 11:09:03 2009 +0000 - - fix compilation warnings - - - git-svn-id: svn://anonsvn.kde.org/home/kde/trunk/icecream@926812 283d02a7-25f6-0310-bc7c-ecb5cbfe19da - -diff --git a/daemon/load.cpp b/daemon/load.cpp -index 5cb1685..08e6f70 100644 ---- a/daemon/load.cpp -+++ b/daemon/load.cpp -@@ -203,7 +203,7 @@ static void updateCPULoad( CPULoadInfo* load ) - #ifndef USE_SYSCTL - static unsigned long int scan_one( const char* buff, const char *key ) - { -- char *b = strstr( buff, key ); -+ const char *b = strstr( buff, key ); - if ( !b ) - return 0; - unsigned long int val = 0; -diff --git a/daemon/main.cpp b/daemon/main.cpp -index f7be369..ee9c0f3 100644 ---- a/daemon/main.cpp -+++ b/daemon/main.cpp -@@ -619,7 +619,7 @@ bool Daemon::maybe_stats(bool send_ping) - #ifdef HAVE_SYS_VFS_H - struct statfs buf; - int ret = statfs(envbasedir.c_str(), &buf); -- if (!ret && buf.f_bavail < (max_kids + 1 - current_kids) * 4 * 1024 * 1024 / buf.f_bsize) -+ if (!ret && long(buf.f_bavail) < long(max_kids + 1 - current_kids) * 4 * 1024 * 1024 / buf.f_bsize) - msg.load = 1000; - #endif - diff --git a/icecream.spec b/icecream.spec index 3d8eb18..dc673d9 100644 --- a/icecream.spec +++ b/icecream.spec @@ -1,5 +1,5 @@ %if 0%{?fedora} -%bcond_without fedora +%bcond_without fedora %bcond_without selinux %else %bcond_with fedora 
@@ -10,8 +10,8 @@ Name: icecream -Version: 0.9.3 -Release: 3%{?dist} +Version: 0.9.4 +Release: 1%{?dist} Summary: Distributed compiler Group: Development/Tools @@ -29,7 +29,6 @@ Source7: initscript-scheduler Source8: %{name}-manpages.tar.bz2 Patch0: %{name}-rename-scheduler.patch Patch1: %{name}-cleanup-conffile.patch -Patch2: %{name}-0.9.3-fix-gcc44-ftbfs.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -51,8 +50,8 @@ Requires(post): chkconfig policycoreutils Requires(preun): chkconfig initscripts policycoreutils Requires(postun): initscripts policycoreutils -Provides: group(icecream) = 44 -Provides: user(icecream) = 44 +Provides: group(icecream) = 44 +Provides: user(icecream) = 44 # description copied from Debian icecc package @@ -77,7 +76,6 @@ This package contains development files for %{name}. %setup -q -a 8 -n icecc-%{version} %patch0 -p1 %patch1 -p0 -%patch2 -p1 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh mkdir SELinux @@ -235,6 +233,22 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/icecc.pc %changelog +* Thu Apr 30 2009 Michal Schmidt - 0.9.4-1 +- Upstream release 0.9.4. +- Dropped merged patches. + +* Mon Apr 06 2009 Michal Schmidt - 0.9.3-6 +- Fix wrong permissions on the cache dir preventing the jobs from being + distributed. +- SELinux policy update based on review comments on refpolicy ML. + +* Mon Mar 02 2009 Michal Schmidt - 0.9.3-5 +- Fix a fd leak from iceccd + avoid using system(). +- Allows tighter SELinux policy. + +* Tue Feb 24 2009 Fedora Release Engineering - 0.9.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + * Mon Feb 16 2009 Michal Schmidt - 0.9.3-3 - Do not use --disable-rpath, icecream's configure script does not understand it and warns about it. We still remove rpath using the sed tricks. diff --git a/icecream.te b/icecream.te index 310f337..b16b880 100644 --- a/icecream.te +++ b/icecream.te 
@@ -1,12 +1,11 @@ -policy_module(icecream,0.0.42) +policy_module(icecream,0.1.3) ######################################## # -# Declarations +# iceccd declarations # -# the compiler node daemon type iceccd_t; type iceccd_exec_t; init_daemon_domain(iceccd_t, iceccd_exec_t) @@ -20,29 +19,39 @@ files_tmp_file(iceccd_tmp_t) type iceccd_var_run_t; files_pid_file(iceccd_var_run_t) -# the working area type iceccd_cache_t; files_type(iceccd_cache_t) -# icecc-create-env script makes a tarball of the local compiler and its -# dependencies for other nodes to use +######################################## +# +# iceccd_createenv declarations +# + type iceccd_createenv_t; type iceccd_createenv_exec_t; -domain_type(iceccd_createenv_t) -domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t) +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t) role system_r types iceccd_createenv_t; -# foreign compilers -type iceccd_untrusted_t; -domain_type(iceccd_untrusted_t); -domain_entry_file(iceccd_untrusted_t, iceccd_cache_t) -role system_r types iceccd_untrusted_t; +######################################## +# +# icecc_scheduler declarations +# -# the scheduler type icecc_scheduler_t; type icecc_scheduler_exec_t; init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t) +######################################## +# +# iceccd_untrusted declarations +# + +type iceccd_untrusted_t; +domain_type(iceccd_untrusted_t); +domain_entry_file(iceccd_untrusted_t, iceccd_cache_t) +role system_r types iceccd_untrusted_t; + +# port declarations. for separate module only. type iceccd_port_t; type icecc_scheduler_port_t; corenet_port(iceccd_port_t); 
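Review bot: `domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)` in the relocated iceccd_untrusted declarations makes every file of type iceccd_cache_t a valid entry point into the untrusted domain, and the same type is both writable and executable by that domain further down in this file; a one-line comment stating that this is deliberate (the foreign compilers live in the cache and are only ever meant to run confined) would keep the next reader from treating it as a labelling mistake. The trailing `;` on `domain_type(iceccd_untrusted_t);`, `corenet_port(iceccd_port_t);` and `corenet_port(icecc_scheduler_port_t);` is inconsistent with every other interface call in the hunk (`init_daemon_domain(...)`, `application_domain(...)`), which carry none; drop it. The comment `# port declarations. for separate module only.` is too terse to explain itself; something like `# port types are declared here only because this is a standalone module; in-tree policy would declare them in corenetwork` says why they exist.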
@@ -50,31 +59,39 @@ corenet_port(icecc_scheduler_port_t); ######################################## # -# Icecream policy +# iceccd policy # -allow iceccd_t self:process { signal_perms setsched setrlimit }; +allow iceccd_t self:capability { chown dac_override fowner fsetid kill + setgid setuid sys_chroot }; +allow iceccd_t self:fifo_file rw_fifo_file_perms; allow iceccd_t self:netlink_route_socket r_netlink_socket_perms; +allow iceccd_t self:process { signal_perms setsched setrlimit }; allow iceccd_t self:tcp_socket create_stream_socket_perms; allow iceccd_t self:udp_socket create_socket_perms; -allow iceccd_t self:fifo_file rw_fifo_file_perms; -allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot }; -allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal }; -files_read_etc_files(iceccd_t) -libs_use_ld_so(iceccd_t) -libs_use_shared_libs(iceccd_t) -miscfiles_read_localization(iceccd_t) +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh + noatsecure }; -fs_getattr_all_fs(iceccd_t) -kernel_read_system_state(iceccd_t) -sysnet_read_config(iceccd_t) +allow iceccd_t iceccd_untrusted_t:process signal; -corecmd_exec_bin(iceccd_t) -corecmd_read_bin_symlinks(iceccd_t) +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t) +domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t) + +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t) +logging_log_filetrans(iceccd_t, iceccd_log_t, file) + +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t) +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file) + +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) +files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file }) -files_getattr_tmp_dirs(iceccd_t) files_search_tmp(iceccd_t) +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) +manage_files_pattern(iceccd_t, iceccd_tmp_t, 
iceccd_tmp_t) +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file }) corenet_all_recvfrom_unlabeled(iceccd_t) corenet_all_recvfrom_netlabel(iceccd_t) 
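Review bot: `files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })` widens the old `dir`-only transition to plain files, so any file iceccd_t creates directly inside a var_t directory is labelled iceccd_cache_t; unless the daemon really creates files (not just the cache directory) at that level, keep it at `files_var_filetrans(iceccd_t, iceccd_cache_t, dir)`. The removed `XXX` comment about iceccd nuking and recreating the cache directory was the only record of why the daemon needs this transition at all, and the rule survives without it; a short comment next to the rule — the current reason, whatever it now is — should replace it. The capability set on iceccd_t is unchanged, but since the changelog says the cache-dir permissions were fixed, it may be worth confirming from the audit log whether `dac_override` is still exercised and dropping it if not.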
@@ -88,84 +105,89 @@ corenet_tcp_bind_generic_node(iceccd_t) allow iceccd_t iceccd_port_t:tcp_socket { name_bind }; allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect }; -domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t) -domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t) +corecmd_exec_bin(iceccd_t) +corecmd_read_bin_symlinks(iceccd_t) -manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t) -logging_log_filetrans(iceccd_t, iceccd_log_t, file) +#files_getattr_tmp_dirs(iceccd_t) +files_read_etc_files(iceccd_t) -manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t) -files_pid_filetrans(iceccd_t, iceccd_var_run_t, file) +fs_getattr_all_fs(iceccd_t) -manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) -manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) +kernel_read_system_state(iceccd_t) -manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) -manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) -files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file) +sysnet_read_config(iceccd_t) + +libs_use_ld_so(iceccd_t) +libs_use_shared_libs(iceccd_t) +miscfiles_read_localization(iceccd_t) + +######################################## +# +# iceccd_createenv policy +# -allow iceccd_createenv_t iceccd_log_t:file { append }; allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms; -# icecc-create-env looks for executable files to strip them. It does not -# really execute them, but the -x check would trigger a denial. Do not allow -# this, typically the binaries are already stripped anyway. Just silence it. 
-dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute }; -allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms; -allow iceccd_untrusted_t self:process signal_perms; -allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms; -manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t) -allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans }; +dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute }; -files_read_etc_files(iceccd_createenv_t) -libs_use_ld_so(iceccd_createenv_t) -libs_use_shared_libs(iceccd_createenv_t) -miscfiles_read_localization(iceccd_createenv_t) +allow iceccd_createenv_t iceccd_log_t:file { append }; manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) +# no files_var_filetrans, createenv does not create the cache dir itself + +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file }) -files_read_usr_files(iceccd_createenv_t) -libs_exec_ld_so(iceccd_createenv_t) -libs_exec_lib_files(iceccd_createenv_t) -libs_domtrans_ldconfig(iceccd_createenv_t) corecmd_exec_bin(iceccd_createenv_t) corecmd_exec_shell(iceccd_createenv_t) + dev_read_urand(iceccd_createenv_t) + +files_read_etc_files(iceccd_createenv_t) +files_read_usr_files(iceccd_createenv_t) + kernel_read_system_state(iceccd_createenv_t) -# silence file(1) looking for /root/.magic -userdom_dontaudit_search_admin_dir(iceccd_createenv_t) -manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) -manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) -files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file) -files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir) +libs_exec_ld_so(iceccd_createenv_t) +libs_exec_lib_files(iceccd_createenv_t) + +libs_domtrans_ldconfig(iceccd_createenv_t) 
+ +libs_use_ld_so(iceccd_createenv_t) +libs_use_shared_libs(iceccd_createenv_t) + +miscfiles_read_localization(iceccd_createenv_t) + +userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t) optional_policy(` nscd_socket_use(iceccd_createenv_t) ') -# Some rules that can probably go away when iceccd is fixed properly: +######################################## # -# XXX: icecc-create-env does not really need to talk to the open UDP socket -# leaked from its parent. -dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write }; -# XXX: iceccd could be modified to avoid the shell completely -corecmd_exec_shell(iceccd_t) -# XXX: fix iceccd to only nuke the contents of /var/cache/icecream, -# not the directory itself. -files_var_filetrans(iceccd_t, iceccd_cache_t, dir) +# iceccd_untrusted policy +# + +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms; +allow iceccd_untrusted_t self:process signal_perms; +allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_stream_socket_perms; + +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t) +can_exec(iceccd_untrusted_t, iceccd_cache_t) + +######################################## +# +# icecc_scheduler policy +# allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms; allow icecc_scheduler_t self:udp_socket create_socket_perms; -files_read_etc_files(icecc_scheduler_t) -libs_use_ld_so(icecc_scheduler_t) -libs_use_shared_libs(icecc_scheduler_t) -miscfiles_read_localization(icecc_scheduler_t) - corenet_all_recvfrom_unlabeled(icecc_scheduler_t) corenet_all_recvfrom_netlabel(icecc_scheduler_t) corenet_tcp_sendrecv_generic_if(icecc_scheduler_t) 
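Review bot: `can_exec(iceccd_untrusted_t, iceccd_cache_t)` next to `manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` gives the untrusted domain both write and execute on the same type, and `domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)` in the iceccd section above makes that type the daemon's entry into the domain, so if the cache holds environments shared between jobs, one job can alter the compiler the next one runs. If only iceccd_t and iceccd_createenv_t are meant to populate the cache, the untrusted domain's write access could presumably be narrowed to what a compile actually needs, and whichever width is chosen deserves a comment beside the rule. `#files_getattr_tmp_dirs(iceccd_t)` is left commented out with no explanation; either remove the line or state why it is kept. The switch to `userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)` drops the old `# silence file(1) looking for /root/.magic` comment, which was the only justification for the dontaudit; restore it.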
@@ -178,3 +200,10 @@ corenet_tcp_bind_generic_node(icecc_scheduler_t)
 corenet_udp_bind_generic_node(icecc_scheduler_t)
 allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
 allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
diff --git a/sources b/sources
index 70d5d77..cc9df79 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-34bb950331ef5256299a2de4cf402ea6 icecc-0.9.3.tar.bz2
+b52192df5aa3713910fdf481dda4119e icecc-0.9.4.tar.bz2
 a3829775870d5b2b60b750a88ee835b7 icecream-manpages.tar.bz2