From 48d39d8a2c5de13323da3945336f5baf75016d30 Mon Sep 17 00:00:00 2001 From: Michal Schmidt Date: Aug 30 2013 14:16:19 +0000 Subject: revive the SELinux module - Update the SELinux policy module and build it. - Use tmpfiles.d to create /run/icecc instead of letting the daemon write to var_run_t directly. - Add a patch to stop icecc-create-env from reading /etc/passwd. - Batch semenage calls in scriptlets. --- diff --git a/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch b/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch new file mode 100644 index 0000000..e142b90 --- /dev/null +++ b/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch @@ -0,0 +1,28 @@ +From 26461a88508f277c33d95f5c5eb52cdd8d7c7737 Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Thu, 29 Aug 2013 15:54:19 +0200 +Subject: [PATCH 6/6] icecc-create-env: avoid tar looking at /etc/passwd + +If we invoke tar with --numeric-owner, it won't try to read /etc/passwd. +This has the minor benefit of not having to worry about this access in +the SELinux policy. +--- + client/icecc-create-env | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/client/icecc-create-env b/client/icecc-create-env +index 029e351..1379ce1 100755 +--- a/client/icecc-create-env ++++ b/client/icecc-create-env +@@ -337,7 +337,7 @@ md5=`for i in $target_files; do $md5sum $tempdir/$i; done | sed -e 's/ .*$//' | + echo "creating $md5.tar.gz" + mydir=`pwd` + cd $tempdir +-tar -czhf "$mydir/$md5".tar.gz $target_files || { ++tar -czh --numeric-owner -f "$mydir/$md5".tar.gz $target_files || { + echo "Couldn't create archive" + exit 3 + } +-- +1.8.3.1 + diff --git a/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch b/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch new file mode 100644 index 0000000..8619deb --- /dev/null +++ b/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch 
@@ -0,0 +1,30 @@ +From b67c1d823282b062c9804772756487f78a599ade Mon Sep 17 00:00:00 2001 +From: Michal Schmidt +Date: Thu, 29 Aug 2013 18:12:02 +0200 +Subject: [PATCH 7/7] daemon/main: do not create /run/icecc by ourselves + +In order to be able to restrict the daemon's SELinux policy even more, +let's rely on tmpfiles.d to create the /run/icecc directory for us +instead of creating it from the daemon. +--- + daemon/main.cpp | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/daemon/main.cpp b/daemon/main.cpp +index e08b1e1..387d4e2 100644 +--- a/daemon/main.cpp ++++ b/daemon/main.cpp +@@ -1801,10 +1801,6 @@ int main( int argc, char ** argv ) + logfile = "/var/log/icecc/iceccd.log"; + } + +- mkdir("/var/run/icecc", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); +- chmod("/var/run/icecc", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); +- chown("/var/run/icecc", d.user_uid, d.user_gid); +- + #ifdef HAVE_LIBCAP_NG + capng_clear(CAPNG_SELECT_BOTH); + capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT); +-- +1.8.3.1 + diff --git a/iceccd.service b/iceccd.service index 6a61dda..2e8743f 100644 --- a/iceccd.service +++ b/iceccd.service @@ -4,6 +4,9 @@ After=network.target nss-lookup.target [Service] Type=simple +# Set SHELL so that icecc-create-env does not have to attempt to detect its +# value by reading /etc/passwd. The SELinux policy does not need to allow it. +Environment=SHELL=/bin/bash ExecStart=/usr/libexec/icecc/iceccd-wrapper -u icecream -b /var/cache/icecream -l /var/log/icecc/iceccd.log Nice=5 diff --git a/icecream-tmpfiles.conf b/icecream-tmpfiles.conf new file mode 100644 index 0000000..5367dac --- /dev/null +++ b/icecream-tmpfiles.conf @@ -0,0 +1 @@ +d /run/icecc 0775 root icecream - diff --git a/icecream.fc b/icecream.fc index 808cfcc..d9d3613 100644 --- a/icecream.fc +++ b/icecream.fc 
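Review bot: With the mkdir/chmod/chown removed, main() has no fallback when /var/run/icecc does not exist, so a daemon started outside systemd, or before the tmpfiles.d snippet has been applied, only fails later when it tries to create its socket there. Consider checking the directory where the removed lines stood and failing early with an explicit log message, e.g. `struct stat st;` / `if (stat("/var/run/icecc", &st) != 0 || !S_ISDIR(st.st_mode)) { /* log "/var/run/icecc missing; expected from tmpfiles.d" and exit */ }`, which turns a confusing bind error into a one-line diagnosis. main() starts and ends outside the hunk.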
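Review bot: The tmpfiles entry `d /run/icecc 0775 root icecream -` is wider than what the removed daemon code set up (mode 0755, owned by the daemon's own user and group via chown(d.user_uid, d.user_gid) in patch 0007): every process in group icecream can now create and unlink sockets in the directory. If only iceccd, which the unit starts with `-u icecream`, needs to write there, `d /run/icecc 0755 icecream icecream -` keeps the previous scope; the matching `%attr(0775, root, icecream) /run/icecc` line in the spec's %files would need the same change so rpm and tmpfiles agree.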
@@ -1,6 +1,6 @@ /usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0) -/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0) -/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0) -/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0) /usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0) -/var/log/icecc[-_]scheduler -- gen_context(system_u:object_r:icecc_scheduler_log_t,s0) +/usr/libexec/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0) +/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0) +/var/log/icecc(/.*)? gen_context(system_u:object_r:icecc_log_t,s0) +/var/run/icecc(/.*)? gen_context(system_u:object_r:iceccd_var_run_t,s0) diff --git a/icecream.spec b/icecream.spec index ba78ad0..6facd94 100644 --- a/icecream.spec +++ b/icecream.spec @@ -1,11 +1,10 @@ %global _hardened_build 1 -# TODO: Reenable SELinux by default. It needs updating first. -%bcond_with selinux +%bcond_without selinux Name: icecream Version: 1.0.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Distributed compiler Group: Development/Tools @@ -21,12 +20,15 @@ Source6: iceccd.service Source7: icecc-scheduler.service Source9: iceccd-wrapper Source10: icecc-scheduler-wrapper +Source11: icecream-tmpfiles.conf Patch0001: 0001-make-dist-hook-work-also-with-srcdir-builddir.patch Patch0002: 0002-handle-HOME-not-being-set.patch Patch0003: 0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch Patch0004: 0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch -PAtch0005: 0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch +Patch0005: 0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch +Patch0006: 0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch +Patch0007: 0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch Patch10000: %{name}-cleanup-conffile.patch 
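Review bot: The new `/var/run/icecc(/.*)?` entry uses the /var/run spelling while the tmpfiles snippet, `mkdir -p %{buildroot}/run/icecc/` and the `restorecon ... /run/icecc` call in %post all use /run, so labelling of the real directory relies on the distribution mapping /run onto /var/run (Fedora's file_contexts.subs_dist) — presumably fine here, but worth a comment such as `# /run is looked up as /var/run via file_contexts.subs_dist` so the mismatch is not "corrected" later in only one place. The same hunk folds both daemons' logs under `/var/log/icecc(/.*)?` with a single icecc_log_t; see the note on the icecream.te declaration for the separation trade-off that implies.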
@@ -81,13 +83,15 @@ This package contains development files for %{name}. %patch0003 -p1 %patch0004 -p1 %patch0005 -p1 +%patch0006 -p1 +%patch0007 -p1 %patch10000 -p0 sed -e 's|@LIBDIR@|%{_libdir}|g;s|@LIBEXECDIR@|%{_libexecdir}|g' %{SOURCE1} > icecream.sh sed -e 's|@LIBDIR@|%{_libdir}|g;s|@LIBEXECDIR@|%{_libexecdir}|g' %{SOURCE2} > icecream.csh mkdir SELinux cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} SELinux mkdir fedora -cp -p %{SOURCE6} %{SOURCE7} %{SOURCE9} %{SOURCE10} fedora +cp -p %{SOURCE6} %{SOURCE7} %{SOURCE9} %{SOURCE10} %{SOURCE11} fedora %build autoreconf -fi @@ -113,16 +117,20 @@ make install DESTDIR=%{buildroot} rm -f %{buildroot}/%{_libdir}/libicecc.la # install config file and initscripts -install -D -m 644 suse/sysconfig.icecream %{buildroot}/%{_sysconfdir}/sysconfig/icecream +install -D -m 644 suse/sysconfig.icecream %{buildroot}/%{_sysconfdir}/sysconfig/icecream install -d -m 755 %{buildroot}/%{_unitdir} -install -p -m 644 fedora/*.service %{buildroot}/%{_unitdir} -install -p -m 755 fedora/*-wrapper %{buildroot}/%{_libexecdir}/icecc +install -p -m 644 fedora/*.service %{buildroot}/%{_unitdir} +install -p -m 755 fedora/*-wrapper %{buildroot}/%{_libexecdir}/icecc +mkdir -p %{buildroot}%{_tmpfilesdir} +install -p -m 644 fedora/icecream-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/icecream.conf install -d -m 755 %{buildroot}/%{_sysconfdir}/profile.d install -p -m 644 icecream.sh icecream.csh %{buildroot}/%{_sysconfdir}/profile.d # create default working dir mkdir -p %{buildroot}/%{_localstatedir}/cache/icecream +mkdir -p %{buildroot}/run/icecc/ + %if %{with selinux} for selinuxvariant in %{selinux_variants}; do install -d %{buildroot}/%{_datadir}/selinux/${selinuxvariant} 
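Review bot: In the %install hunk the new `mkdir -p %{buildroot}%{_tmpfilesdir}` plus `install -p -m 644 fedora/icecream-tmpfiles.conf ...` pair can be the single line `install -D -p -m 644 fedora/icecream-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/icecream.conf`, matching how suse/sysconfig.icecream is installed with `install -D -m 644` two lines above. The hunk also re-indents three unchanged `install` lines, which is whitespace-only noise mixed into a functional change and makes the real additions harder to spot in the history.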
@@ -170,16 +178,24 @@ exit 0 %if %{with selinux} for selinuxvariant in %{selinux_variants}; do semodule -s ${selinuxvariant} -i \ - %{_datadir}/selinux/${selinuxvariant}/icecream.pp 2>/dev/null ||: - semanage port -a -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245 2>/dev/null ||: - semanage port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||: + %{_datadir}/selinux/${selinuxvariant}/icecream.pp 2>/dev/null +done + +for selinuxvariant in %{selinux_variants}; do + { + echo "port -a -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245" + echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766" + echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765" # tcp 8765 is taken by LIRC. icecream.te knows it. - #semanage port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||: - semanage port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||: + # echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8765" + } | semanage -i - 2>/dev/null +done + +for selinuxvariant in %{selinux_variants}; do %relabel ${selinuxvariant} done -restorecon -R %{_localstatedir}/cache/icecream 2>/dev/null ||: -restorecon %{_localstatedir}/log/iceccd 2>/dev/null ||: + +restorecon -R %{_localstatedir}/cache/icecream %{_localstatedir}/log/icecc /run/icecc 2>/dev/null %endif %systemd_post iceccd.service icecc-scheduler.service 
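Review bot: Each batched line fed to `semanage -i -` in %post carries its own `-S ${selinuxvariant}`; if the store option is only honoured as a global option of the outer invocation, every per-line command would be rejected and, with stderr discarded and no exit check, the port mappings would silently never be added — the same applies to the `-d` batch in the %preun hunk below. Running `semanage -S ${selinuxvariant} -i - 2>/dev/null` once per variant with plain `port -a -t iceccd_port_t -p tcp 10245` lines avoids the question entirely. Independently of that, the dropped `||:` does not change the scriptlet's exit status (later commands follow), but a failed port mapping now leaves no trace except later AVC denials; appending `|| echo "icecream: semanage port setup failed for ${selinuxvariant}" >&2` to the pipeline would make an incomplete policy visible at install time.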
@@ -191,10 +207,13 @@ exit 0 if [ $1 -eq 0 ]; then # Final removal for selinuxvariant in %{selinux_variants}; do %saveFileContext ${selinuxvariant} - semanage port -d -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245 2>/dev/null ||: - semanage port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||: - semanage port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||: - semanage port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||: + done + for selinuxvariant in %{selinux_variants}; do + { + echo "port -d -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245" + echo "port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766" + echo "port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765" + } | semanage -i - 2>/dev/null done fi %endif @@ -206,7 +225,7 @@ exit 0 %if %{with selinux} if [ $1 -eq 0 ]; then # Final removal for selinuxvariant in %{selinux_variants}; do - semodule -s ${selinuxvariant} -r icecream 2>/dev/null ||: + semodule -s ${selinuxvariant} -r icecream 2>/dev/null %relabel ${selinuxvariant} done fi @@ -225,7 +244,9 @@ exit 0 %config(noreplace) %{_sysconfdir}/profile.d/icecream.*sh %{_unitdir}/icecc*.service %attr(0775, root, icecream) %{_localstatedir}/cache/icecream +%attr(0775, root, icecream) /run/icecc %{_mandir}/man*/* +%{_tmpfilesdir}/icecream.conf %{?with_selinux:%{_datadir}/selinux/*/icecream.pp} %files devel @@ -235,6 +256,13 @@ exit 0 %{_libdir}/pkgconfig/icecc.pc %changelog +* Fri Aug 30 2013 Michal Schmidt - 1.0.1-2 +- Update the SELinux policy module and build it. +- Use tmpfiles.d to create /run/icecc instead of letting the daemon write to + var_run_t directly. +- Add a patch to stop icecc-create-env from reading /etc/passwd. +- Batch semenage calls in scriptlets. + * Mon Aug 26 2013 Michal Schmidt - 1.0.1-1 - Rebase to current upstream release. (#888183, #914087, #925572, #992557) - Build with librsync and libcap-ng support. 
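Review bot: `%attr(0775, root, icecream) /run/icecc` in the %files hunk should be `%dir %attr(0775, root, icecream) /run/icecc` so the package owns only the directory and never whatever runtime sockets happen to be present, and its mode and owner must stay identical to the `d /run/icecc 0775 root icecream -` tmpfiles line because rpm applies the %attr at install time while tmpfiles re-creates the directory on every boot. In the %postun hunk, `semodule -s ${selinuxvariant} -r icecream 2>/dev/null` now runs without `||:`; the loop continues regardless, so the intent to ignore failure is unchanged but no longer explicit — a short comment would preserve it.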
diff --git a/icecream.te b/icecream.te index 137eaa8..b4681b3 100644 --- a/icecream.te +++ b/icecream.te @@ -1,5 +1,5 @@ -policy_module(icecream,0.1.5) +policy_module(icecream,0.1.6) ######################################## # @@ -10,8 +10,8 @@ type iceccd_t; type iceccd_exec_t; init_daemon_domain(iceccd_t, iceccd_exec_t) -type iceccd_log_t; -logging_log_file(iceccd_log_t) +type icecc_log_t; +logging_log_file(icecc_log_t) type iceccd_tmp_t; files_tmp_file(iceccd_tmp_t) @@ -41,9 +41,6 @@ type icecc_scheduler_t; type icecc_scheduler_exec_t; init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t) -type icecc_scheduler_log_t; -logging_log_file(icecc_scheduler_log_t) - ######################################## # # iceccd_untrusted declarations @@ -66,10 +63,10 @@ corenet_port(icecc_scheduler_port_t); # allow iceccd_t self:capability { chown dac_override fowner fsetid kill - setgid setuid sys_chroot }; + setgid setuid sys_chroot setpcap }; allow iceccd_t self:fifo_file rw_fifo_file_perms; allow iceccd_t self:netlink_route_socket r_netlink_socket_perms; -allow iceccd_t self:process { signal_perms setsched setrlimit }; +allow iceccd_t self:process { signal_perms setsched setrlimit setcap }; allow iceccd_t self:tcp_socket create_stream_socket_perms; allow iceccd_t self:udp_socket create_socket_perms; @@ -78,11 +75,13 @@ dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh allow iceccd_t iceccd_untrusted_t:process signal; +allow iceccd_t iceccd_var_run_t:sock_file { create unlink }; + domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t) domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t) -manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t) -logging_log_filetrans(iceccd_t, iceccd_log_t, file) +manage_files_pattern(iceccd_t, icecc_log_t, icecc_log_t) +logging_log_filetrans(iceccd_t, icecc_log_t, file) manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t) files_pid_filetrans(iceccd_t, iceccd_var_run_t, file) 
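Review bot: Collapsing iceccd_log_t and icecc_scheduler_log_t into one icecc_log_t (declared here, the scheduler type removed in the -41 hunk, and both daemons given manage_files_pattern on it in the -78 hunk and the -194 hunk of the next chunk) means iceccd_t can now create, modify and delete the scheduler's log files and vice versa, and iceccd_createenv_t's `append` reaches the scheduler log too; previously each daemon was confined to its own log type. That is probably acceptable for two daemons of one package logging under a single /var/log/icecc, but it is a deliberate loss of separation and deserves a comment at the declaration, e.g. `# shared by iceccd_t and icecc_scheduler_t: both log under /var/log/icecc, so either daemon may manage the other's log files`. If per-daemon types are wanted later, they can be reintroduced as file types under the shared directory type, which is a larger change than this hunk.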
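Review bot: The `setpcap` capability and `setcap` process permission added in the -66 hunk have no comment explaining why they are needed; the context of patch 0007 shows the daemon calling capng_clear()/capng_update(... CAP_SYS_CHROOT) under HAVE_LIBCAP_NG, which is what these permissions serve. Suggest `# setpcap/setcap: libcap-ng drops every capability except CAP_SYS_CHROOT at startup (daemon/main.cpp)` above the capability rule. Since patch 0007 also removes the chown/chmod of /var/run/icecc, it is worth re-checking against the audit log whether `chown`, `fowner` and `fsetid` are still exercised by iceccd_t; if the remaining cache-directory handling does not need them, dropping them would shrink the daemon's capability set.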
@@ -107,6 +106,7 @@ corenet_udp_sendrecv_all_ports(iceccd_t) corenet_tcp_bind_generic_node(iceccd_t) allow iceccd_t iceccd_port_t:tcp_socket { name_bind }; allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect }; +# tcp port 8765 is lirc_port_t corenet_tcp_connect_lirc_port(iceccd_t) corecmd_exec_bin(iceccd_t) @@ -126,6 +126,8 @@ libs_use_shared_libs(iceccd_t) miscfiles_read_localization(iceccd_t) +auth_use_nsswitch(iceccd_t) + ######################################## # # iceccd_createenv policy @@ -135,7 +137,7 @@ allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms; dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute }; -allow iceccd_createenv_t iceccd_log_t:file { append }; +allow iceccd_createenv_t icecc_log_t:file { append }; manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) @@ -158,7 +160,7 @@ kernel_read_system_state(iceccd_createenv_t) libs_exec_ld_so(iceccd_createenv_t) libs_exec_lib_files(iceccd_createenv_t) -libs_domtrans_ldconfig(iceccd_createenv_t) +libs_exec_ldconfig(iceccd_createenv_t) libs_use_ld_so(iceccd_createenv_t) libs_use_shared_libs(iceccd_createenv_t) @@ -194,8 +196,8 @@ fs_getattr_all_fs(iceccd_untrusted_t) allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms; allow icecc_scheduler_t self:udp_socket create_socket_perms; -manage_files_pattern(icecc_scheduler_t, icecc_scheduler_log_t, icecc_scheduler_log_t) -logging_log_filetrans(icecc_scheduler_t, icecc_scheduler_log_t, file) +manage_files_pattern(icecc_scheduler_t, icecc_log_t, icecc_log_t) +logging_log_filetrans(icecc_scheduler_t, icecc_log_t, file) corenet_all_recvfrom_unlabeled(icecc_scheduler_t) corenet_all_recvfrom_netlabel(icecc_scheduler_t)
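Review bot: `auth_use_nsswitch(iceccd_t)` in the -126 hunk is added without a comment, and it is a fairly broad interface (among other things it permits reading the user and group databases and using the name-service caches); the visible reason is that iceccd is started with `-u icecream` and must turn that name into d.user_uid/d.user_gid, as the patch 0007 context shows. Suggest `# resolve the -u user name to uid/gid at startup` above it, so a later reader does not confuse this with the /etc/passwd access that the unit file's SHELL comment says the createenv domain does not need. Whether the lookup goes through getpwnam or something else is inferred from the -u handling; confirm in daemon/main.cpp.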
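Review bot: Replacing `libs_domtrans_ldconfig` with `libs_exec_ldconfig` in the -158 hunk keeps ldconfig inside iceccd_createenv_t instead of transitioning to ldconfig_t, so ldconfig now runs with the createenv domain's permissions (including its manage rights on iceccd_cache_t) and the restrictions of the ldconfig_t domain no longer apply; neither the hunk nor the commit message says why. Presumably icecc-create-env runs ldconfig against the temporary environment directory and the transitioned domain was not allowed to write there — confirm, and record it: `# ldconfig is run against the env dir under iceccd_cache_t; a transition to ldconfig_t could not write there`.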