From d592b35347674e99ac425456f8dd7d5eebdd3aca Mon Sep 17 00:00:00 2001
From: Michal Schmidt
Date: Feb 16 2009 13:54:52 +0000
Subject: - Updated and re-enabled the SELinux policy. The scheduler is now confined too.
---
diff --git a/icecream.fc b/icecream.fc
index 8916c3e..aac0f3b 100644
--- a/icecream.fc
+++ b/icecream.fc
@@ -1,10 +1,5 @@
-# myapp executable will have:
-# label: system_u:object_r:myapp_exec_t
-# MLS sensitivity: s0
-# MCS categories:
-
 /usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
-/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_helper_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
 /var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
 /var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
-#/var/log/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
diff --git a/icecream.spec b/icecream.spec
index f3ebe25..5d72192 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -1,6 +1,6 @@
 %if 0%{?fedora}
 %bcond_without fedora
-%bcond_with selinux
+%bcond_without selinux
 %else
 %bcond_with fedora
 # I'd need to modify the policy a bit to make it work on RHEL,
@@ -11,7 +11,7 @@
 Name: icecream
 Version: 0.9.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Distributed compiler
 Group: Development/Tools
@@ -165,6 +165,7 @@ restorecon -R %{_localstatedir}/cache/icecream 2>/dev/null ||:
 restorecon %{_localstatedir}/log/iceccd 2>/dev/null ||:
 semanage port -a -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
 semanage port -a -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+semanage port -a -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
 semanage port -a -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
 %endif
 # fi
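Review bot: The scheduler binary gets its exec label here, but the only log-file context the scheduler ever had, the commented-out `/var/log/icecc-scheduler` entry, is deleted rather than enabled, and the .te hunks in this commit declare no log or PID file type for `icecc_scheduler_t`. If the init script (not visible here) starts the scheduler with a log file path or a pidfile, those writes will be denied in the confined domain; this may be intentional if the scheduler only writes to stderr or syslog. If a log file is used, add `type icecc_scheduler_log_t; logging_log_file(icecc_scheduler_log_t)` to the policy together with `/var/log/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_log_t,s0)` here; if not, a one-line comment next to the scheduler entry stating that no log file is expected would stop the next maintainer from re-asking.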
@@ -183,6 +184,7 @@ if [ "$1" -eq 0 ]; then # Final removal
 %if %{with selinux}
 semanage port -d -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
 semanage port -d -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+ semanage port -d -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
 semanage port -d -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
 for selinuxvariant in %{selinux_variants}; do
 semodule -s ${selinuxvariant} -r icecream 2>/dev/null ||:
@@ -233,6 +235,9 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/icecc.pc
 %changelog
+* Mon Feb 16 2009 Michal Schmidt - 0.9.3-2
+- Updated and re-enabled the SELinux policy. The scheduler is now confined too.
+
 * Mon Feb 16 2009 Michal Schmidt - 0.9.3-1
 - new upstream release
 - Dropped merged patches.
diff --git a/icecream.te b/icecream.te
index 6d35d1a..ca6a45e 100644
--- a/icecream.te
+++ b/icecream.te
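Review bot: The new `semanage port -a ... -p tcp 8766` line in %post, like its neighbours, hides every failure behind `2>/dev/null ||:`, so if `semanage` is absent when the scriptlet runs the port never receives the `icecc_scheduler_port_t` label and a confined scheduler listening on 8766 is refused `name_bind` with no hint in the package output. Nothing in these hunks shows a `Requires(post): policycoreutils-python`, so I cannot tell whether that dependency is declared; if it is not, add it, or at least let the failure be logged instead of discarded. The matching `-d` line in %postun is only reached on final removal (`$1 -eq 0`), so upgrades keep the labels, which is correct.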
@@ -1,46 +1,47 @@
-policy_module(icecream,0.0.36)
+policy_module(icecream,0.0.42)
 ########################################
 #
 # Declarations
 #
+# the compiler node daemon
 type iceccd_t;
 type iceccd_exec_t;
 init_daemon_domain(iceccd_t, iceccd_exec_t)
-type iceccd_var_run_t;
-files_pid_file(iceccd_var_run_t)
-
 type iceccd_log_t;
 logging_log_file(iceccd_log_t)
-type iceccd_cache_t;
-files_type(iceccd_cache_t)
-
 type iceccd_tmp_t;
 files_tmp_file(iceccd_tmp_t)
-type iceccd_helper_t;
-type iceccd_helper_exec_t;
-domain_type(iceccd_helper_t)
-domain_entry_file(iceccd_helper_t, iceccd_helper_exec_t)
-role system_r types iceccd_helper_t;
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+# the working area
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+# icecc-create-env script makes a tarball of the local compiler and its
+# dependencies for other nodes to use
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+domain_type(iceccd_createenv_t)
+domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
-# the cache contains foreign compilers and libraries
-# the whole point of icecream is to run them...
+# foreign compilers
 type iceccd_untrusted_t;
 domain_type(iceccd_untrusted_t);
 domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
 role system_r types iceccd_untrusted_t;
-# XXX: something like this:
-# network_port(iceccd, tcp,10245,s0)
-#type iceccd_client_packet_t;
-#type iceccd_server_packet_t;
-# XXX: portcon only works in base policy module
-#portcon tcp 10245 gen_context(system_u:object_r:iceccd_port_t, s0)
+# the scheduler
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
 type iceccd_port_t;
 type icecc_scheduler_port_t;
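Review bot: The comment over `iceccd_untrusted_t` shrinks to `# foreign compilers`, dropping the explanation that the cache holds compilers and libraries uploaded by other nodes and that executing them is the daemon's purpose — which is exactly why this domain exists and why its entry point (`domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)`) is the whole cache tree rather than a packaged exec type. That makes it the one type in the module whose entry files are writable data instead of installed binaries, so the rationale belongs at the declaration, e.g. `# foreign compilers: environments uploaded by other nodes live in the cache and are run from there, so they get their own domain instead of running as iceccd_t`.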
@@ -49,119 +50,131 @@ corenet_port(icecc_scheduler_port_t);
 ########################################
 #
-# Icecream local policy
+# Icecream policy
 #
 allow iceccd_t self:process { signal_perms setsched setrlimit };
 allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
 allow iceccd_t self:tcp_socket create_stream_socket_perms;
 allow iceccd_t self:udp_socket create_socket_perms;
-allow iceccd_t iceccd_port_t:tcp_socket name_bind;
-allow iceccd_t icecc_scheduler_port_t:tcp_socket { send_msg recv_msg name_connect };
-allow iceccd_t icecc_scheduler_port_t:udp_socket { send_msg recv_msg };
-allow iceccd_t self:fifo_file { read write ioctl getattr };
-# why exactly?:
-allow iceccd_t self:capability { chown dac_override fsetid kill };
-allow iceccd_t self:capability { setgid setuid };
-allow iceccd_t self:capability { sys_chroot };
-
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:capability { chown dac_override fsetid kill setgid setuid sys_chroot };
 allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
-allow iceccd_helper_t iceccd_t:process { sigchld };
-allow iceccd_helper_t iceccd_log_t:file { append };
-allow iceccd_helper_t self:fifo_file { read write ioctl getattr };
-# needs investigating:
-allow iceccd_helper_t iceccd_tmp_t:file { execute };
-# rly needed?
-allow iceccd_helper_t iceccd_t:udp_socket { read write };
-
-allow iceccd_untrusted_t self:fifo_file { read write getattr };
-allow iceccd_untrusted_t self:process { signal };
-allow iceccd_untrusted_t iceccd_t:process { sigchld };
-allow iceccd_untrusted_t iceccd_t:fifo_file { write };
-allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write getattr };
-allow iceccd_untrusted_t iceccd_cache_t:dir { search getattr write add_name remove_name };
-allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans write unlink create };
-
-corenet_all_recvfrom_unlabeled(iceccd_t)
-corenet_all_recvfrom_netlabel(iceccd_t)
-corenet_tcp_sendrecv_all_if(iceccd_t)
-corenet_udp_sendrecv_all_if(iceccd_t)
-corenet_tcp_sendrecv_all_nodes(iceccd_t)
-corenet_udp_sendrecv_all_nodes(iceccd_t)
-# corenet_tcp_sendrecv_all_ports(iceccd_t)
-# corenet_udp_sendrecv_all_ports(iceccd_t)
-corenet_tcp_bind_all_nodes(iceccd_t)
-
-manage_files_pattern(iceccd_t,iceccd_log_t,iceccd_log_t)
-logging_log_filetrans(iceccd_t, iceccd_log_t, file)
-
-manage_files_pattern(iceccd_t,iceccd_var_run_t,iceccd_var_run_t)
-files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
-
-manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-
-manage_dirs_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
-
+files_read_etc_files(iceccd_t)
 libs_use_ld_so(iceccd_t)
 libs_use_shared_libs(iceccd_t)
-
-# for ldd
-libs_exec_ld_so(iceccd_t)
-
-files_read_etc_files(iceccd_t)
 miscfiles_read_localization(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
 kernel_read_system_state(iceccd_t)
 sysnet_read_config(iceccd_t)
-#files_read_usr_files(iceccd_t)
-
-files_read_etc_files(iceccd_helper_t)
-libs_use_ld_so(iceccd_helper_t)
-libs_use_shared_libs(iceccd_helper_t)
-miscfiles_read_localization(iceccd_helper_t)
-corecmd_exec_bin(iceccd_helper_t)
-corecmd_exec_shell(iceccd_helper_t)
-dev_read_urand(iceccd_helper_t)
-kernel_read_system_state(iceccd_helper_t)
-files_read_usr_files(iceccd_helper_t)
-libs_exec_ld_so(iceccd_helper_t)
-libs_exec_lib_files(iceccd_helper_t)
-nscd_socket_use(iceccd_helper_t)
-
-# XXX: iceccd wants this every second. why?
-fs_getattr_all_fs(iceccd_t)
 corecmd_exec_bin(iceccd_t)
 corecmd_read_bin_symlinks(iceccd_t)
-# XXX: could iceccd be modified to not need this?
-corecmd_exec_shell(iceccd_t)
-
-# for mktemp
-#dev_read_urand(iceccd_t)
 files_getattr_tmp_dirs(iceccd_t)
 files_search_tmp(iceccd_t)
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
+allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+
 manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
 manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
 files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
-manage_dirs_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, file)
-files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, dir)
-# to re-create /var/cache/icecream
+allow iceccd_createenv_t iceccd_log_t:file { append };
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+# icecc-create-env looks for executable files to strip them. It does not
+# really execute them, but the -x check would trigger a denial. Do not allow
+# this, typically the binaries are already stripped anyway. Just silence it.
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+
+files_read_etc_files(iceccd_createenv_t)
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+miscfiles_read_localization(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+
+files_read_usr_files(iceccd_createenv_t)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+libs_domtrans_ldconfig(iceccd_createenv_t)
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+dev_read_urand(iceccd_createenv_t)
+kernel_read_system_state(iceccd_createenv_t)
+# silence file(1) looking for /root/.magic
+userdom_dontaudit_search_admin_dir(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+# Some rules that can probably go away when iceccd is fixed properly:
+#
+# XXX: icecc-create-env does not really need to talk to the open UDP socket
+# leaked from its parent.
+dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write };
+# XXX: iceccd could be modified to avoid the shell completely
+corecmd_exec_shell(iceccd_t)
+# XXX: fix iceccd to only nuke the contents of /var/cache/icecream,
+# not the directory itself.
 files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
-# aka domain_auto_trans
-domain_auto_transition_pattern(iceccd_t, iceccd_helper_exec_t, iceccd_helper_t)
-domain_auto_transition_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
-
-userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_t)
-#userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_helper_t)
-userdom_dontaudit_search_sysadm_home_dirs(iceccd_helper_t)
-#userdom_getattr_sysadm_home_dirs(iceccd_t)
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(icecc_scheduler_t)
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+miscfiles_read_localization(icecc_scheduler_t)
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
+allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };
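Review bot: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` applies a sock_file permission set to a socket class; `rw_sock_file_perms` is the refpolicy set for filesystem objects of class `sock_file`, and not every permission it expands to exists on `unix_stream_socket`, so depending on the refpolicy version this either fails to compile or silently grants a different set than the old `{ read write getattr }` did. Naming the socket permissions directly, `allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write getattr };`, says exactly what the foreign compiler may do with the daemon's socket. The merged capability line drops the old `# why exactly?:` question without answering it; a why-comment such as `# setuid/setgid/sys_chroot: drop privileges and chroot into the unpacked environment; chown/fsetid/dac_override: presumably for unpacking environment tarballs as root — TODO confirm` would keep the next reviewer from asking again. Note also that `iceccd_untrusted_t` gets `manage_files_pattern` on `iceccd_cache_t`, which is its own entry-point type, so (subject to DAC) one compile job can rewrite the binaries later jobs execute; that looks inherent to the chroot layout, but it deserves a comment stating it is accepted.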