From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v1.0.2] add policy for Icecream
Date: Tue, 03 Mar 2009 01:08:46 +0100
Message-ID: <1236038926.19155.60.camel@notebook1.grift.internal>
In-Reply-To: <20090303004052.18311ded@leela>
On Tue, 2009-03-03 at 00:40 +0100, Michal Schmidt wrote:
> Hello,
>
> This patch adds the policy for Icecream, a distributed compiler.
>
> Notable changes since the first version:
> - as suggested by Dominick Grift:
> - reordered lots of the lines
> - removed the comments
> - dontaudit siginh, rlimitinh, noatsecure
> - use application_domain() for iceccd_createenv_t
> - use can_exec()
> I did not add any interfaces, I like it better without them.
>
> Michal
>
> Index: policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- policy/modules/kernel/corenetwork.te.in (revision 2912)
> +++ policy/modules/kernel/corenetwork.te.in (working copy)
> @@ -103,6 +103,8 @@
> network_port(howl, tcp,5335,s0, udp,5353,s0)
> network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
> network_port(i18n_input, tcp,9010,s0)
> +network_port(iceccd, tcp,10245,s0)
> +network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
> network_port(imaze, tcp,5323,s0, udp,5323,s0)
> network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
> network_port(innd, tcp,119,s0)
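Review bot: the two new network_port lines are out of the list's sort order; `icecc_scheduler` sorts before `iceccd` (underscore before `d`), so if the list is kept in strict ASCII order like the surrounding howl/hplip/i18n_input/imaze entries, swap the two lines. The ports declared here (tcp 10245 for iceccd; tcp 8765, tcp 8766 and udp 8765 for the scheduler) match the bind/connect interfaces the .te file uses, so nothing else in the hunk needs changing.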
> Index: policy/modules/services/icecream.te
> ===================================================================
> --- policy/modules/services/icecream.te (revision 0)
> +++ policy/modules/services/icecream.te (revision 0)
> @@ -0,0 +1,204 @@
> +
> +policy_module(icecream,1.0.2)
> +
> +########################################
> +#
> +# iceccd declarations
> +#
> +
> +type iceccd_t;
> +type iceccd_exec_t;
> +init_daemon_domain(iceccd_t, iceccd_exec_t)
> +
> +type iceccd_log_t;
> +logging_log_file(iceccd_log_t)
> +
> +type iceccd_tmp_t;
> +files_tmp_file(iceccd_tmp_t)
> +
> +type iceccd_var_run_t;
> +files_pid_file(iceccd_var_run_t)
> +
> +type iceccd_cache_t;
> +files_type(iceccd_cache_t)
> +
> +########################################
> +#
> +# iceccd_createenv declarations
> +#
> +
> +type iceccd_createenv_t;
> +type iceccd_createenv_exec_t;
> +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
> +role system_r types iceccd_createenv_t;
> +
> +########################################
> +#
> +# icecc_scheduler declarations
> +#
> +
> +type icecc_scheduler_t;
> +type icecc_scheduler_exec_t;
> +init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
> +
> +########################################
> +#
> +# iceccd_untrusted declarations
> +#
> +
> +type iceccd_untrusted_t;
> +domain_type(iceccd_untrusted_t);
> +domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> +role system_r types iceccd_untrusted_t;
> +
> +########################################
> +#
> +# iceccd policy
> +#
> +
> +allow iceccd_t self:capability { chown dac_override fowner fsetid kill
> + setgid setuid sys_chroot };
> +allow iceccd_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
> +allow iceccd_t self:process { signal_perms setsched setrlimit };
> +allow iceccd_t self:tcp_socket create_stream_socket_perms;
> +allow iceccd_t self:udp_socket create_socket_perms;
> +
> +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
> + noatsecure };
> +
> +allow iceccd_t iceccd_untrusted_t:process signal;
> +
> +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
> +domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
> +
> +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
> +logging_log_filetrans(iceccd_t, iceccd_log_t, file)
> +
> +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
> +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
> +
> +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
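Review bot: `domain_type(iceccd_untrusted_t);` in the iceccd_untrusted declarations carries a trailing semicolon; refpolicy interface calls are m4 macros and none of the other calls in this file have one, so drop it. Two smaller points in the same region: the dontaudit of siginh/rlimitinh/noatsecure covers only the iceccd_t to iceccd_untrusted_t transition, while `domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)` two lines later starts createenv from the same daemon, so expect the same denials on that transition and consider the same dontaudit for iceccd_createenv_t; and `domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)` makes every file under /var/cache/icecream a domain entry point, which deserves a one-line comment next to the declaration since iceccd_cache_t is also a writable type here.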
Does iceccd_t not need: files_search_var(iceccd_t)?
I expect that it needs to search /var to be able to find files/dirs with
type iceccd_cache_t/iceccd_log_t/iceccd_var_run_t and I do not see where
it is allowed to search /var.
It might also need permission to search var_run_t, var_log_t?
It can be that the search perm is included in one of the interfaces
below.
> +files_search_tmp(iceccd_t)
> +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
> +
> +corenet_all_recvfrom_unlabeled(iceccd_t)
> +corenet_all_recvfrom_netlabel(iceccd_t)
> +corenet_tcp_sendrecv_generic_if(iceccd_t)
> +corenet_udp_sendrecv_generic_if(iceccd_t)
> +corenet_tcp_sendrecv_generic_node(iceccd_t)
> +corenet_udp_sendrecv_generic_node(iceccd_t)
> +corenet_tcp_sendrecv_all_ports(iceccd_t)
> +corenet_udp_sendrecv_all_ports(iceccd_t)
> +corenet_tcp_bind_generic_node(iceccd_t)
> +corenet_tcp_bind_iceccd_port(iceccd_t)
> +corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
> +corenet_sendrecv_iceccd_server_packets(iceccd_t)
> +
> +corecmd_exec_bin(iceccd_t)
> +corecmd_read_bin_symlinks(iceccd_t)
> +
> +files_read_etc_files(iceccd_t)
> +
> +fs_getattr_all_fs(iceccd_t)
> +
> +kernel_read_system_state(iceccd_t)
> +
> +sysnet_read_config(iceccd_t)
> +
> +libs_use_ld_so(iceccd_t)
> +libs_use_shared_libs(iceccd_t)
> +
> +miscfiles_read_localization(iceccd_t)
> +
> +########################################
> +#
> +# iceccd_createenv policy
> +#
> +
> +allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
> +
> +dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
> +
> +allow iceccd_createenv_t iceccd_log_t:file { append };
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +# no files_var_filetrans, createenv does not create the cache dir itself
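Review bot: `dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };` and `allow iceccd_createenv_t iceccd_log_t:file { append };` wrap a single permission in braces; write the bare permission, or for the log file use a perm set (append_file_perms, if getattr and lock are wanted as well) so the rules read like the pattern calls around them. In the iceccd network block, corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports are broad for a daemon that only binds iceccd_port and connects to icecc_scheduler_port; if the UDP side is needed for scheduler discovery on the udp 8765 port declared in corenetwork.te.in, a comment saying so would help the next reader, otherwise the per-port sendrecv interfaces generated for those ports may be enough.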
Does iceccd_createenv_t not need: files_search_var(iceccd_createenv_t)?
I expect that it needs to search /var to be able to find files/dirs with
type iceccd_cache_t and I do not see where it is allowed to search /var.
It can be that the search perm is included in one of the interfaces
below.
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
Does iceccd_createenv_t not need: files_search_tmp(iceccd_createenv_t)?
I expect that it needs to search /tmp to be able to find files/dirs with
type iceccd_tmp_t and I do not see where it is allowed to search /tmp.
It can be that the search perm is included in one of the interfaces
below.
> +
> +corecmd_exec_bin(iceccd_createenv_t)
> +corecmd_exec_shell(iceccd_createenv_t)
> +
> +dev_read_urand(iceccd_createenv_t)
> +
> +files_read_etc_files(iceccd_createenv_t)
> +files_read_usr_files(iceccd_createenv_t)
> +
> +kernel_read_system_state(iceccd_createenv_t)
> +
> +libs_exec_ld_so(iceccd_createenv_t)
> +libs_exec_lib_files(iceccd_createenv_t)
> +
> +libs_domtrans_ldconfig(iceccd_createenv_t)
> +
> +libs_use_ld_so(iceccd_createenv_t)
> +libs_use_shared_libs(iceccd_createenv_t)
> +
> +miscfiles_read_localization(iceccd_createenv_t)
> +
> +userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
> +
> +optional_policy(`
> + nscd_socket_use(iceccd_createenv_t)
> +')
> +
> +########################################
> +#
> +# iceccd_untrusted policy
> +#
> +
> +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_untrusted_t self:process signal_perms;
> +allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
> +
> +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
> +
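Review bot: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` applies a sock_file permission set to the unix_stream_socket class; it will compile because the individual permissions also exist on sockets, but the inherited socket should use the socket set (rw_socket_perms, or just `{ read write }` if that is all the compile job needs). Also, iceccd_untrusted_t gets no libs_use_ld_so/libs_use_shared_libs; that is fine if everything it loads lives inside the iceccd_cache_t chroot, but then its runtime linker is covered only by the manage and exec rules on iceccd_cache_t, which is worth stating in a comment in the iceccd_untrusted section.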
Does iceccd_untrusted_t not need: files_search_var(iceccd_untrusted_t)?
I expect that it needs to search /var to be able to find files/dirs with
type iceccd_cache_t and I do not see where it is allowed to search /var.
> +can_exec(iceccd_untrusted_t, iceccd_cache_t)
> +
> +########################################
> +#
> +# icecc_scheduler policy
> +#
> +
> +allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
> +allow icecc_scheduler_t self:udp_socket create_socket_perms;
> +
> +corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
> +corenet_all_recvfrom_netlabel(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_tcp_bind_generic_node(icecc_scheduler_t)
> +corenet_udp_bind_generic_node(icecc_scheduler_t)
> +corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
> +
> +files_read_etc_files(icecc_scheduler_t)
> +
> +libs_use_ld_so(icecc_scheduler_t)
> +libs_use_shared_libs(icecc_scheduler_t)
> +
> +miscfiles_read_localization(icecc_scheduler_t)
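Review bot: `manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` together with `can_exec(iceccd_untrusted_t, iceccd_cache_t)` lets the untrusted compile domain write files it can then execute, and because iceccd_cache_t is also its domain entry point (domain_entry_file in the declarations, domtrans_pattern in the iceccd section) anything a job leaves under /var/cache/icecream is an entry point for the next job iceccd_t starts. If that is the intended boundary (the compile environment is treated as untrusted and iceccd_t holds sys_chroot to contain it), say so in a comment at the top of the iceccd_untrusted section; if not, a separate type for the unpacked toolchain versus compile output would keep write and execute apart. Separately, the icecc_scheduler block declares no log or pid types and has no kernel_read_system_state, unlike iceccd; fine if the scheduler does not need them, but worth confirming against its denials before this goes in.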
> Index: policy/modules/services/icecream.fc
> ===================================================================
> --- policy/modules/services/icecream.fc (revision 0)
> +++ policy/modules/services/icecream.fc (revision 0)
> @@ -0,0 +1,5 @@
> +/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
> +/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
> +/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
> +/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
> +/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
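Review bot: the .fc entries are not grouped by path; move `/usr/sbin/icecc-scheduler` up next to `/usr/sbin/iceccd` so the file reads in directory order like the other .fc files. There is also no entry for the pid file even though iceccd_var_run_t is declared and files_pid_filetrans labels it at runtime; an entry under /var/run keeps a relabel consistent with what the daemon creates (the exact file name would need to be taken from the daemon).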
> Index: policy/modules/services/icecream.if
> ===================================================================
> --- policy/modules/services/icecream.if (revision 0)
> +++ policy/modules/services/icecream.if (revision 0)
> @@ -0,0 +1 @@
> +## <summary>Icecream distributed compiler daemon</summary>
Thread overview (9+ messages):
2009-03-02 12:04 [refpolicy] [PATCH] add policy for Icecream  Michal Schmidt
2009-03-02 13:16 ` Dominick Grift
2009-03-02 15:37 ` Michal Schmidt
2009-03-02 15:57 ` Christopher J. PeBenito
2009-03-02 16:23 ` Dominick Grift
2009-03-02 16:35 ` Dominick Grift
2009-03-02 23:40 ` [refpolicy] [PATCH v1.0.2] " Michal Schmidt
2009-03-03 0:08 ` Dominick Grift [this message]
2009-03-03 15:22 ` [refpolicy] [PATCH v1.0.3] " Michal Schmidt