From eb2e92d387f98bd896914d22838f8fa091a11b01 Mon Sep 17 00:00:00 2001
From: Michal Schmidt
Date: Feb 16 2009 21:16:26 +0000
Subject: bring icecream 0.9.3 from Rawhide

the only difference is in a few SELinux policy rules

---
diff --git a/icecream-0.9.3-fix-gcc44-ftbfs.patch b/icecream-0.9.3-fix-gcc44-ftbfs.patch
new file mode 100644
index 0000000..9d935b8
--- /dev/null
+++ b/icecream-0.9.3-fix-gcc44-ftbfs.patch
@@ -0,0 +1,38 @@
+With gcc 4.4 this fixes not just a warning, but an error. -- Michal
+
+
+commit f1ed14e4062869f583472f74a1b51b9c5ad42cde
+Author: coolo
+Date: Mon Feb 16 11:09:03 2009 +0000
+
+ fix compilation warnings
+
+
+ git-svn-id: svn://anonsvn.kde.org/home/kde/trunk/icecream@926812 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
+
+diff --git a/daemon/load.cpp b/daemon/load.cpp
+index 5cb1685..08e6f70 100644
+--- a/daemon/load.cpp
++++ b/daemon/load.cpp
+@@ -203,7 +203,7 @@ static void updateCPULoad( CPULoadInfo* load )
+ #ifndef USE_SYSCTL
+ static unsigned long int scan_one( const char* buff, const char *key )
+ {
+- char *b = strstr( buff, key );
++ const char *b = strstr( buff, key );
+ if ( !b )
+ return 0;
+ unsigned long int val = 0;
+diff --git a/daemon/main.cpp b/daemon/main.cpp
+index f7be369..ee9c0f3 100644
+--- a/daemon/main.cpp
++++ b/daemon/main.cpp
+@@ -619,7 +619,7 @@ bool Daemon::maybe_stats(bool send_ping)
+ #ifdef HAVE_SYS_VFS_H
+ struct statfs buf;
+ int ret = statfs(envbasedir.c_str(), &buf);
+- if (!ret && buf.f_bavail < (max_kids + 1 - current_kids) * 4 * 1024 * 1024 / buf.f_bsize)
++ if (!ret && long(buf.f_bavail) < long(max_kids + 1 - current_kids) * 4 * 1024 * 1024 / buf.f_bsize)
+ msg.load = 1000;
+ #endif
+
diff --git a/icecream-compile-fix.patch b/icecream-compile-fix.patch
deleted file mode 100644
index 45b3b22..0000000
--- a/icecream-compile-fix.patch
+++ /dev/null
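Review bot: In the main.cpp hunk of the new patch, `long(buf.f_bavail)` silences the signed/unsigned warning by narrowing an unsigned block count, so on a 32-bit build where f_bavail is a 32-bit unsigned type a filesystem with 2^31 or more free blocks compares as negative and trips the `msg.load = 1000` throttle for no reason; and if `current_kids` can ever exceed `max_kids + 1` (their types are not visible here) the right-hand side goes negative and the low-disk check silently disables itself. Doing the comparison in a wide unsigned type avoids both, e.g. `if (!ret && max_kids + 1 > current_kids && (unsigned long long)buf.f_bavail * buf.f_bsize < (unsigned long long)(max_kids + 1 - current_kids) * 4 * 1024 * 1024)`. Since this is upstream's commit carried as a package patch, the correction belongs upstream rather than in a Fedora-only edit. Daemon::maybe_stats continues outside the hunk.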
@@ -1,33 +0,0 @@
-diff -up icecream-0.8.0/client/remote.cpp.orig icecream-0.8.0/client/remote.cpp
---- icecream-0.8.0/client/remote.cpp.orig 2008-02-10 22:15:20.000000000 +0100
-+++ icecream-0.8.0/client/remote.cpp 2008-02-10 22:18:09.000000000 +0100
-@@ -38,6 +38,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-diff -up icecream-0.8.0/client/local.cpp.orig icecream-0.8.0/client/local.cpp
---- icecream-0.8.0/client/local.cpp.orig 2008-02-10 22:14:30.000000000 +0100
-+++ icecream-0.8.0/client/local.cpp 2008-02-10 22:16:20.000000000 +0100
-@@ -27,6 +27,7 @@
- #include
- #include
- #include
-+#include
- #ifdef HAVE_SIGNAL_H
- #include
- #endif
-diff -up icecream-0.8.0/client/main.cpp.orig icecream-0.8.0/client/main.cpp
---- icecream-0.8.0/client/main.cpp.orig 2008-02-10 22:13:09.000000000 +0100
-+++ icecream-0.8.0/client/main.cpp 2008-02-10 22:18:20.000000000 +0100
-@@ -48,6 +48,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
diff --git a/icecream-rename-scheduler.patch b/icecream-rename-scheduler.patch
index 0f8c9bc..ddbc455 100644
--- a/icecream-rename-scheduler.patch
+++ b/icecream-rename-scheduler.patch
@@ -1,20 +1,6 @@
---- services/Makefile.am.orig 2007-05-08 21:09:41.000000000 +0200
-+++ services/Makefile.am 2007-07-15 19:18:41.000000000 +0200
-@@ -11,9 +11,9 @@ ice_HEADERS = job.h comm.h
- noinst_HEADERS = bench.h exitcode.h getifaddrs.h logging.h tempfile.h platform.h
- icedir = $(includedir)/icecc
-
--sbin_PROGRAMS = scheduler
--scheduler_SOURCES = scheduler.cpp
--scheduler_LDADD = libicecc.la
-+sbin_PROGRAMS = icecc-scheduler
-+icecc_scheduler_SOURCES = scheduler.cpp
-+icecc_scheduler_LDADD = libicecc.la
-
- pkgconfigdir = $(libdir)/pkgconfig
- pkgconfig_DATA = icecc.pc
---- doc/man-scheduler.1.docbook.orig 2005-04-25 15:21:14.000000000 +0200
-+++ doc/man-scheduler.1.docbook 2007-07-16 13:53:44.000000000 +0200
+diff -Nurp icecc-0.9.2.orig/doc/man-scheduler.1.docbook icecc-0.9.2/doc/man-scheduler.1.docbook
+--- icecc-0.9.2.orig/doc/man-scheduler.1.docbook 2009-02-07 19:07:02.000000000 +0100
++++ icecc-0.9.2/doc/man-scheduler.1.docbook 2009-02-07 19:07:30.000000000 +0100
 @@ -23,13 +23,13 @@
@@ -40,3 +26,79 @@
+diff -Nurp icecc-0.9.2.orig/services/Makefile.am icecc-0.9.2/services/Makefile.am
+--- icecc-0.9.2.orig/services/Makefile.am 2009-02-07 19:07:02.000000000 +0100
++++ icecc-0.9.2/services/Makefile.am 2009-02-07 19:07:30.000000000 +0100
+@@ -11,9 +11,9 @@ ice_HEADERS = job.h comm.h
+ noinst_HEADERS = bench.h exitcode.h getifaddrs.h logging.h tempfile.h platform.h
+ icedir = $(includedir)/icecc
+
+-sbin_PROGRAMS = scheduler
+-scheduler_SOURCES = scheduler.cpp
+-scheduler_LDADD = libicecc.la
++sbin_PROGRAMS = icecc-scheduler
++icecc_scheduler_SOURCES = scheduler.cpp
++icecc_scheduler_LDADD = libicecc.la
+
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = icecc.pc
+diff -Nurp icecc-0.9.2.orig/services/Makefile.in icecc-0.9.2/services/Makefile.in
+--- icecc-0.9.2.orig/services/Makefile.in 2008-11-02 14:14:47.000000000 +0100
++++ icecc-0.9.2/services/Makefile.in 2009-02-07 19:07:36.000000000 +0100
+@@ -35,7 +35,7 @@ PRE_UNINSTALL = :
+ POST_UNINSTALL = :
+ build_triplet = @build@
+ host_triplet = @host@
+-sbin_PROGRAMS = scheduler$(EXEEXT)
++sbin_PROGRAMS = icecc-scheduler$(EXEEXT)
+ subdir = services
+ DIST_COMMON = $(ice_HEADERS) $(noinst_HEADERS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in $(srcdir)/icecc.pc.in
+@@ -66,9 +66,9 @@ libicecc_la_LINK = $(LIBTOOL) --tag=CXX
+ $(CXXFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+ sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+ PROGRAMS = $(sbin_PROGRAMS)
+-am_scheduler_OBJECTS = scheduler.$(OBJEXT)
+-scheduler_OBJECTS = $(am_scheduler_OBJECTS)
+-scheduler_DEPENDENCIES = libicecc.la
++am_icecc_scheduler_OBJECTS = scheduler.$(OBJEXT)
++icecc_scheduler_OBJECTS = $(am_icecc_scheduler_OBJECTS)
++icecc_scheduler_DEPENDENCIES = libicecc.la
+ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+ depcomp = $(SHELL) $(top_srcdir)/depcomp
+ am__depfiles_maybe = depfiles
+@@ -90,8 +90,8 @@ CXXLD = $(CXX)
+ CXXLINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+-SOURCES = $(libicecc_la_SOURCES) $(scheduler_SOURCES)
+-DIST_SOURCES = $(libicecc_la_SOURCES) $(scheduler_SOURCES)
++SOURCES = $(libicecc_la_SOURCES) $(icecc_scheduler_SOURCES)
++DIST_SOURCES = $(libicecc_la_SOURCES) $(icecc_scheduler_SOURCES)
+ pkgconfigDATA_INSTALL = $(INSTALL_DATA)
+ DATA = $(pkgconfig_DATA)
+ iceHEADERS_INSTALL = $(INSTALL_HEADER)
+@@ -226,8 +226,8 @@ libicecc_la_CXXFLAGS = -fPIC -DPIC
+ ice_HEADERS = job.h comm.h
+ noinst_HEADERS = bench.h exitcode.h getifaddrs.h logging.h tempfile.h platform.h
+ icedir = $(includedir)/icecc
+-scheduler_SOURCES = scheduler.cpp
+-scheduler_LDADD = libicecc.la
++icecc_scheduler_SOURCES = scheduler.cpp
++icecc_scheduler_LDADD = libicecc.la
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = icecc.pc
+ all: all-am
+@@ -322,9 +322,9 @@ clean-sbinPROGRAMS:
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+-scheduler$(EXEEXT): $(scheduler_OBJECTS) $(scheduler_DEPENDENCIES)
+- @rm -f scheduler$(EXEEXT)
+- $(CXXLINK) $(scheduler_OBJECTS) $(scheduler_LDADD) $(LIBS)
++icecc-scheduler$(EXEEXT): $(icecc_scheduler_OBJECTS) $(icecc_scheduler_DEPENDENCIES)
++ @rm -f icecc-scheduler$(EXEEXT)
++ $(CXXLINK) $(icecc_scheduler_OBJECTS) $(icecc_scheduler_LDADD) $(LIBS)
+
+ mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
diff --git a/icecream.fc b/icecream.fc
index 8916c3e..aac0f3b 100644
--- a/icecream.fc
+++ b/icecream.fc
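Review bot: The updated patch now edits the generated services/Makefile.in alongside Makefile.am, which is what lets the spec drop `make -f Makefile.cvs` and the automake/autoconf/libtool BuildRequires, but it leaves the build depending on file timestamps: unless the project uses AM_MAINTAINER_MODE, the generated Makefile keeps automake's rebuild rule for Makefile.in, so if Makefile.am ends up newer than Makefile.in (a later reordering of the hunks, or tarball mtimes that differ from the patch application order) make will try to rerun automake, which is no longer installed in the buildroot. Keeping the Makefile.am hunk before the Makefile.in hunk, as here, makes patch touch Makefile.in last, but that ordering is an invisible invariant and deserves a note at the top of the patch file, e.g. `# Keep the Makefile.in hunk after the Makefile.am hunk: Makefile.in must stay newer than Makefile.am or make will try to rerun automake, which is not a BuildRequires.` The docbook lines that open this hunk did not survive in this view and are not reviewed.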
@@ -1,10 +1,5 @@
-# myapp executable will have:
-# label: system_u:object_r:myapp_exec_t
-# MLS sensitivity: s0
-# MCS categories:
-
 /usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
-/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_helper_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
 /var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
 /var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
-#/var/log/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
diff --git a/icecream.spec b/icecream.spec
index 4e3be0b..3d8eb18 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -1,5 +1,3 @@
-%bcond_without doc
-
 %if 0%{?fedora}
 %bcond_without fedora
 %bcond_without selinux
@@ -12,17 +10,14 @@ Name: icecream
-Version: 0.8.0
-Release: 12.20080117svn%{?dist}
+Version: 0.9.3
+Release: 3%{?dist}
 Summary: Distributed compiler
 Group: Development/Tools
-License: GPLv2
+License: GPLv2+
 URL: http://en.opensuse.org/Icecream
-# The source was pulled from SVN repository:
-# svn export -r 657903 svn://anonsvn.kde.org/home/kde/trunk/icecream icecream-0.8.0
-# tar -cjvf icecream-0.8.0.tar.bz2 icecream-0.8.0/
-Source0: icecream-0.8.0.tar.bz2
+Source0: ftp://ftp.suse.com/pub/projects/icecream/icecc-%{version}.tar.bz2
 Source1: icecream.sh.in
 Source2: icecream.csh.in
 Source3: icecream.fc
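Review bot: The file-contexts hunk labels `/usr/sbin/icecc-scheduler` but drops the commented `/var/log/icecc-scheduler` entry without a replacement, and the icecc_scheduler_t rules added in the last icecream.te hunk declare no log or pid-file type for the scheduler domain. If initscript-scheduler starts it with a log file or has it write a pid file (the initscript is not visible here), those writes are either denied or created with the parent directory's label, a gap that only surfaces as AVC denials once the policy is enforced. Either add `type icecc_scheduler_log_t; logging_log_file(icecc_scheduler_log_t)` with the matching manage/filetrans rules and a `/var/log/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_log_t,s0)` entry here (and a var_run type likewise if a pid file is written), or record in icecream.te why the scheduler needs neither.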
@@ -30,20 +25,15 @@ Source4: icecream.te
 Source5: icecream.if
 Source6: initscript-iceccd
 Source7: initscript-scheduler
-# This patch was generated with:
-# svn export -r 761849 svn://anonsvn.kde.org/home/kde/branches/work/icecream-make-it-cool icecream-mic
-# diff -Nurp icecream-0.8.0 icecream-mic > icecream-make-it-cool.patch
-# bzip2 icecream-make-it-cool.patch
-Patch0: icecream-make-it-cool.patch.bz2
-Patch1: icecream-rename-scheduler.patch
-Patch2: icecream-cleanup-conffile.patch
-Patch3: icecream-compile-fix.patch
+# manpages from http://ftp5.gwdg.de/pub/opensuse/repositories/home:/coolo/openSUSE_11.0/src/icecream-0.9.2-2.1.src.rpm
+Source8: %{name}-manpages.tar.bz2
+Patch0: %{name}-rename-scheduler.patch
+Patch1: %{name}-cleanup-conffile.patch
+Patch2: %{name}-0.9.3-fix-gcc44-ftbfs.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: automake autoconf libtool symlinks
-# To build manpages from KDE-style Docbook sources:
-%{?with_doc:BuildRequires: %{!?el5:kdelibs3 kdelibs3-devel} %{?el5:kdelibs kdelibs-devel}}
+BuildRequires: symlinks
 %if %{with selinux}
 # For SELinux protection:
@@ -84,12 +74,10 @@ Requires: %{name} = %{version}-%{release}
 This package contains development files for %{name}.
 %prep
-%setup -q
+%setup -q -a 8 -n icecc-%{version}
 %patch0 -p1
 %patch1 -p0
-%patch2 -p0
-%patch3 -p1
-make -f Makefile.cvs
+%patch2 -p1
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
 mkdir SELinux
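Review bot: `Source8: %{name}-manpages.tar.bz2` is a locally built tarball whose only provenance is the src.rpm URL in the comment above it, whereas the removed Source0 comment recorded the exact commands used to produce the old tarball; a reviewer or later maintainer cannot recreate or verify Source8 from the spec alone, and the md5 in `sources` only proves the same bytes are fetched, not how they were made. Add the extraction steps under the existing comment in the old style, e.g. `# extracted with: rpm2cpio <src.rpm above> | cpio -i '*.tar.bz2' ... ; tar -cjf icecream-manpages.tar.bz2 mans/` (placeholder, replace with the commands actually run). The `%setup -q -a 8` in the %prep hunk then has a documented input.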
@@ -99,18 +87,11 @@ cp -p %{SOURCE6} %{SOURCE7} fedora
 %build
 %configure --disable-static --enable-shared
-make %{?_smp_mflags}
+# Remove rpath from local libtool copy
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
-%if %{with doc}
-pushd doc
-for i in man-*.docbook; do
- meinproc --stylesheet %{_datadir}/apps/ksgmltools2/customization/kde-man.xsl $i
- manfile=${i#man-}
- manfile=${manfile%.docbook}
- mv manpage.troff $manfile
-done
-popd
-%endif
+make %{?_smp_mflags}
 %if %{with selinux}
 pushd SELinux
@@ -137,14 +118,12 @@ done
 # relativize the symlinks
 symlinks -cs %{buildroot}/%{_libdir}/icecc/bin
-%if %{with doc}
 # install manpages
 mkdir -p %{buildroot}/%{_mandir}/man{1,7,8}
-mv doc/scheduler.1 doc/icecc-scheduler.1
-for i in doc/*.1 doc/*.7; do
+mv mans/scheduler.1 mans/icecc-scheduler.1
+for i in mans/*.1 mans/*.7; do
 install -m 644 $i %{buildroot}/%{_mandir}/man${i##*.}
 done
-%endif
 # install config file and initscripts
 install -D -m 644 suse/sysconfig.icecream %{buildroot}/%{_sysconfdir}/sysconfig/icecream
@@ -186,6 +165,7 @@ restorecon -R %{_localstatedir}/cache/icecream 2>/dev/null ||:
 restorecon %{_localstatedir}/log/iceccd 2>/dev/null ||:
 semanage port -a -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
 semanage port -a -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+semanage port -a -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
 semanage port -a -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
 %endif
 # fi
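Review bot: The new `semanage port -a -t icecc_scheduler_port_t -p tcp 8766` line in %post gives a second TCP port the same label as 8765 without saying what listens there, and the `2>/dev/null ||:` it inherits means a failure (port already assigned to another type, or semanage absent) is invisible; a later maintainer cannot tell whether 8766 should really share icecc_scheduler_port_t or get its own type with narrower rules. Add a one-line comment naming the service on that port above the line, e.g. `# 8765 tcp+udp: daemon/scheduler protocol; 8766 tcp: <what the scheduler serves here - TODO confirm against upstream docs>`, and the same next to the matching `-d` line in %postun in the following hunk.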
@@ -204,6 +184,7 @@ if [ "$1" -eq 0 ]; then # Final removal
 %if %{with selinux}
 semanage port -d -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
 semanage port -d -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+ semanage port -d -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
 semanage port -d -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
 for selinuxvariant in %{selinux_variants}; do
 semodule -s ${selinuxvariant} -r icecream 2>/dev/null ||:
@@ -226,7 +207,7 @@ rm -rf %{buildroot}
 %files
 %defattr(-,root,root,-)
-%doc COPYING ChangeLog README BENCH NEWS TODO
+%doc COPYING README NEWS TODO
 %{_bindir}/icecc
 %dir %{_libdir}/icecc/
 %dir %{_libdir}/icecc/bin/
@@ -243,7 +224,7 @@ rm -rf %{buildroot}
 %{_sysconfdir}/rc.d/init.d/iceccd
 %{_sysconfdir}/rc.d/init.d/icecc-scheduler
 %{_localstatedir}/cache/icecream
-%{?with_doc:%{_mandir}/man*/*}
+%{_mandir}/man*/*
 %{?with_selinux:%{_datadir}/selinux/*/icecream.pp}
 %files devel
@@ -254,6 +235,37 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/icecc.pc
 %changelog
+* Mon Feb 16 2009 Michal Schmidt - 0.9.3-3
+- Do not use --disable-rpath, icecream's configure script does not understand
+ it and warns about it. We still remove rpath using the sed tricks.
+- One more SELinux policy tweak.
+
+* Mon Feb 16 2009 Michal Schmidt - 0.9.3-2
+- Updated and re-enabled the SELinux policy. The scheduler is now confined too.
+
+* Mon Feb 16 2009 Michal Schmidt - 0.9.3-1
+- new upstream release
+- Dropped merged patches.
+- Added an upstream patch to fix compilation with gcc 4.4.
+
+* Sat Feb 07 2009 Michal Schmidt - 0.9.2-4
+- one more fix for gcc 4.4.
+- updated the scheduler renaming patch.
+
+* Sat Feb 07 2009 Michal Schmidt - 0.9.2-3
+- add an upstream patch to fix FTBFS with gcc 4.4
+
+* Wed Jan 28 2009 Michal Schmidt - 0.9.2-2
+- Fix the create-env script not to crash on relative paths in ld.so.conf.
+- No need to build the native environment as root anymore.
+- Disable the SELinux policy for now, it needs more work.
+
+* Thu Nov 13 2008 Michal Schmidt - 0.9.2-1
+- Update to upstream release 0.9.2.
+- The license is GPLv2+.
+- Add manpages from SUSE src package.
+- Add patch to run icecc --build-native as root.
+
 * Tue Sep 2 2008 Michael Schwendt - 0.8.0-12.20080117svn
 - Include unowned icecc directories.
 - Add defattr in devel pkg.
diff --git a/icecream.te b/icecream.te
index 6d35d1a..556dea8 100644
--- a/icecream.te
+++ b/icecream.te
@@ -1,46 +1,47 @@
-policy_module(icecream,0.0.36)
+policy_module(icecream,0.0.42)
 ########################################
 #
 # Declarations
 #
+# the compiler node daemon
 type iceccd_t;
 type iceccd_exec_t;
 init_daemon_domain(iceccd_t, iceccd_exec_t)
-type iceccd_var_run_t;
-files_pid_file(iceccd_var_run_t)
-
 type iceccd_log_t;
 logging_log_file(iceccd_log_t)
-type iceccd_cache_t;
-files_type(iceccd_cache_t)
-
 type iceccd_tmp_t;
 files_tmp_file(iceccd_tmp_t)
-type iceccd_helper_t;
-type iceccd_helper_exec_t;
-domain_type(iceccd_helper_t)
-domain_entry_file(iceccd_helper_t, iceccd_helper_exec_t)
-role system_r types iceccd_helper_t;
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+# the working area
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+# icecc-create-env script makes a tarball of the local compiler and its
+# dependencies for other nodes to use
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+domain_type(iceccd_createenv_t)
+domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
-# the cache contains foreign compilers and libraries
-# the whole point of icecream is to run them...
+# foreign compilers
 type iceccd_untrusted_t;
 domain_type(iceccd_untrusted_t);
 domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
 role system_r types iceccd_untrusted_t;
-# XXX: something like this:
-# network_port(iceccd, tcp,10245,s0)
-#type iceccd_client_packet_t;
-#type iceccd_server_packet_t;
-# XXX: portcon only works in base policy module
-#portcon tcp 10245 gen_context(system_u:object_r:iceccd_port_t, s0)
+# the scheduler
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
 type iceccd_port_t;
 type icecc_scheduler_port_t;
@@ -49,39 +50,31 @@ corenet_port(icecc_scheduler_port_t);
 ########################################
 #
-# Icecream local policy
+# Icecream policy
 #
 allow iceccd_t self:process { signal_perms setsched setrlimit };
 allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
 allow iceccd_t self:tcp_socket create_stream_socket_perms;
 allow iceccd_t self:udp_socket create_socket_perms;
-allow iceccd_t iceccd_port_t:tcp_socket name_bind;
-allow iceccd_t icecc_scheduler_port_t:tcp_socket { send_msg recv_msg name_connect };
-allow iceccd_t icecc_scheduler_port_t:udp_socket { send_msg recv_msg };
-allow iceccd_t self:fifo_file { read write ioctl getattr };
-# why exactly?:
-allow iceccd_t self:capability { chown dac_override fsetid kill };
-allow iceccd_t self:capability { setgid setuid };
-allow iceccd_t self:capability { sys_chroot };
-
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
 allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
-allow iceccd_helper_t iceccd_t:process { sigchld };
-allow iceccd_helper_t iceccd_log_t:file { append };
-allow iceccd_helper_t self:fifo_file { read write ioctl getattr };
-# needs investigating:
-allow iceccd_helper_t iceccd_tmp_t:file { execute };
-# rly needed?
-allow iceccd_helper_t iceccd_t:udp_socket { read write };
-
-allow iceccd_untrusted_t self:fifo_file { read write getattr };
-allow iceccd_untrusted_t self:process { signal };
-allow iceccd_untrusted_t iceccd_t:process { sigchld };
-allow iceccd_untrusted_t iceccd_t:fifo_file { write };
-allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write getattr };
-allow iceccd_untrusted_t iceccd_cache_t:dir { search getattr write add_name remove_name };
-allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans write unlink create };
+files_read_etc_files(iceccd_t)
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+miscfiles_read_localization(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+kernel_read_system_state(iceccd_t)
+sysnet_read_config(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_getattr_tmp_dirs(iceccd_t)
+files_search_tmp(iceccd_t)
 corenet_all_recvfrom_unlabeled(iceccd_t)
 corenet_all_recvfrom_netlabel(iceccd_t)
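Review bot: The consolidated `allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };` line loses the old `# why exactly?:` marker and adds `fowner` without recording a reason, and `dac_override` in particular lets the daemon bypass DAC on every object its type can reach, so it is the capability a reviewer most wants justified. Put a per-capability reason above the line, e.g. `# sys_chroot/setuid/setgid: run compile jobs chrooted into the env as an unprivileged user (TODO confirm); chown/fowner/fsetid: ownership fix-ups on env files (TODO confirm); dac_override: TODO check whether still needed`. That also marks which entries become removable when the XXX items at the end of icecream.te are fixed.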
@@ -89,79 +82,99 @@ corenet_tcp_sendrecv_all_if(iceccd_t)
 corenet_udp_sendrecv_all_if(iceccd_t)
 corenet_tcp_sendrecv_all_nodes(iceccd_t)
 corenet_udp_sendrecv_all_nodes(iceccd_t)
-# corenet_tcp_sendrecv_all_ports(iceccd_t)
-# corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
 corenet_tcp_bind_all_nodes(iceccd_t)
+allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
+allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
-manage_files_pattern(iceccd_t,iceccd_log_t,iceccd_log_t)
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
 logging_log_filetrans(iceccd_t, iceccd_log_t, file)
-manage_files_pattern(iceccd_t,iceccd_var_run_t,iceccd_var_run_t)
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
 files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
 manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
 manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-manage_dirs_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
-
-libs_use_ld_so(iceccd_t)
-libs_use_shared_libs(iceccd_t)
-
-# for ldd
-libs_exec_ld_so(iceccd_t)
-
-files_read_etc_files(iceccd_t)
-miscfiles_read_localization(iceccd_t)
-kernel_read_system_state(iceccd_t)
-sysnet_read_config(iceccd_t)
-#files_read_usr_files(iceccd_t)
-
-files_read_etc_files(iceccd_helper_t)
-libs_use_ld_so(iceccd_helper_t)
-libs_use_shared_libs(iceccd_helper_t)
-miscfiles_read_localization(iceccd_helper_t)
-corecmd_exec_bin(iceccd_helper_t)
-corecmd_exec_shell(iceccd_helper_t)
-dev_read_urand(iceccd_helper_t)
-kernel_read_system_state(iceccd_helper_t)
-files_read_usr_files(iceccd_helper_t)
-libs_exec_ld_so(iceccd_helper_t)
-libs_exec_lib_files(iceccd_helper_t)
-nscd_socket_use(iceccd_helper_t)
-
-# XXX: iceccd wants this every second. why?
-fs_getattr_all_fs(iceccd_t)
-
-corecmd_exec_bin(iceccd_t)
-corecmd_read_bin_symlinks(iceccd_t)
-
-# XXX: could iceccd be modified to not need this?
-corecmd_exec_shell(iceccd_t)
-
-# for mktemp
-#dev_read_urand(iceccd_t)
-files_getattr_tmp_dirs(iceccd_t)
-files_search_tmp(iceccd_t)
-
 manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
 manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
 files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
-manage_dirs_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, file)
-files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, dir)
-# to re-create /var/cache/icecream
+allow iceccd_createenv_t iceccd_log_t:file { append };
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+# icecc-create-env looks for executable files to strip them. It does not
+# really execute them, but the -x check would trigger a denial. Do not allow
+# this, typically the binaries are already stripped anyway. Just silence it.
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+
+files_read_etc_files(iceccd_createenv_t)
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+miscfiles_read_localization(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+
+files_read_usr_files(iceccd_createenv_t)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+libs_domtrans_ldconfig(iceccd_createenv_t)
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+dev_read_urand(iceccd_createenv_t)
+kernel_read_system_state(iceccd_createenv_t)
+# silence file(1) looking for /root/.magic
+userdom_dontaudit_list_admin_dir(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+# Some rules that can probably go away when iceccd is fixed properly:
+#
+# XXX: icecc-create-env does not really need to talk to the open UDP socket
+# leaked from its parent.
+dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write };
+# XXX: iceccd could be modified to avoid the shell completely
+corecmd_exec_shell(iceccd_t)
+# XXX: fix iceccd to only nuke the contents of /var/cache/icecream,
+# not the directory itself.
files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
-# aka domain_auto_trans
-domain_auto_transition_pattern(iceccd_t, iceccd_helper_exec_t, iceccd_helper_t)
-domain_auto_transition_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
-
-userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_t)
-#userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_helper_t)
-userdom_dontaudit_search_sysadm_home_dirs(iceccd_helper_t)
-#userdom_getattr_sysadm_home_dirs(iceccd_t)
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(icecc_scheduler_t)
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+miscfiles_read_localization(icecc_scheduler_t)
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_if(icecc_scheduler_t)
+corenet_udp_sendrecv_all_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_nodes(icecc_scheduler_t)
+corenet_udp_sendrecv_all_nodes(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_all_nodes(icecc_scheduler_t)
+corenet_udp_bind_all_nodes(icecc_scheduler_t)
+allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
+allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };
diff --git a/sources b/sources
index d255e5c..70d5d77 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-5dd4718f52626924a665c1f56b90d403 icecream-0.8.0.tar.bz2
-209f885bd595fc9a203ce4115872250e icecream-make-it-cool.patch.bz2
+34bb950331ef5256299a2de4cf402ea6 icecc-0.9.3.tar.bz2
+a3829775870d5b2b60b750a88ee835b7 icecream-manpages.tar.bz2
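Review bot: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` applies a sock_file permission set to a socket object class; the sock_file sets in refpolicy carry file-style permissions (recent releases include `open`) that do not exist for unix_stream_socket, so checkmodule may reject the module, and even where it compiles the socket-class set states the intent (read/write on a socket inherited from the daemon) directly: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_socket_perms;`. Separately, `domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)` together with `manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` means the untrusted domain can rewrite the very files it is entered through; that stays within one domain, but a one-line comment saying the cache is deliberately writable by the jobs it runs would keep the next reader from filing it as an oversight. The scheduler rules that close the hunk give icecc_scheduler_t network access but no log or pid-file type, which is raised on the icecream.fc hunk.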