From: mschmidt@redhat.com (Michal Schmidt)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] add policy for Icecream
Date: Mon, 2 Mar 2009 13:04:27 +0100 [thread overview]
Message-ID: <20090302130427.0befcb52@leela> (raw)
Hello,
Icecream is a distributed compiler similar to distcc, but there are
important differences:
- It uses a central scheduler (icecc-scheduler) which decides on which
node each job will be compiled. Typically there are many nodes on the
local network, all running iceccd.
- It automatically copies the local compiler binary with its
dependencies to the other nodes to ensure they're all using the same
compiler. The nodes execute the compiler in a chroot.
As you can see, running iceccd implies running arbitrary code from
networked users. Confining Icecream with SELinux is a good idea.
This patch adds the policy for Icecream to refpolicy. It is based on
the latest icecream policy module from the icecream RPM in Fedora.
Michal
Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2912)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -103,6 +103,8 @@
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te (revision 0)
+++ policy/modules/services/icecream.te (revision 0)
@@ -0,0 +1,170 @@
+
+policy_module(icecream,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# the compiler node daemon
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+# the working area
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+# icecc-create-env script makes a tarball of the local compiler and its
+# dependencies for other nodes to use
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+domain_type(iceccd_createenv_t)
+domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+# foreign compilers
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+# the scheduler
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# Icecream policy
+#
+
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
+allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
+
+files_read_etc_files(iceccd_t)
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+miscfiles_read_localization(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+kernel_read_system_state(iceccd_t)
+sysnet_read_config(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_getattr_tmp_dirs(iceccd_t)
+files_search_tmp(iceccd_t)
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
+
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+# icecc-create-env looks for executable files to strip them. It does not
+# really execute them, but the -x check would trigger a denial. Do not allow
+# this, typically the binaries are already stripped anyway. Just silence it.
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+
+files_read_etc_files(iceccd_createenv_t)
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+miscfiles_read_localization(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+
+files_read_usr_files(iceccd_createenv_t)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+libs_domtrans_ldconfig(iceccd_createenv_t)
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+dev_read_urand(iceccd_createenv_t)
+kernel_read_system_state(iceccd_createenv_t)
+# silence file(1) looking for /root/.magic
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+# XXX: This could be avoided if iceccd only nuked the contents of
+# /var/cache/icecream, not the directory itself.
+files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
+
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(icecc_scheduler_t)
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+miscfiles_read_localization(icecc_scheduler_t)
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
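Review bot: The rule `allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };` lets the network-supplied compiler running in iceccd_untrusted_t inherit the daemon's signal state and rlimits and be executed without AT_SECURE, which is the opposite of what the transition pattern normally does: domtrans_pattern, used for the same domain pair at `domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)`, only dontaudits those three permissions. Unless iceccd is known to depend on them, reduce the rule to `allow iceccd_t iceccd_untrusted_t:process signal;` and let the pattern's dontaudit cover the rest, since this is the domain that runs code received from other nodes. Two style points in the same hunk: `domain_type(iceccd_untrusted_t);` carries a trailing semicolon that the neighbouring interface calls (e.g. `domain_type(iceccd_createenv_t)`) do not, and `allow iceccd_createenv_t iceccd_log_t:file { append };` would conventionally use `append_file_perms` so the usual getattr/lock/ioctl companions are granted. The iceccd_t rule `files_var_filetrans(iceccd_t, iceccd_cache_t, dir)` also sits between the createenv and scheduler sections; moving it up with the other iceccd_t rules keeps each domain's policy in one place.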
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc (revision 0)
+++ policy/modules/services/icecream.fc (revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
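Review bot: The .te side declares iceccd_var_run_t and uses `files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)`, but no /var/run entry is declared here, so a relabel (restorecon) would not restore the pid file's label; the usual companion is an entry like `/var/run/iceccd\.pid -- gen_context(system_u:object_r:iceccd_var_run_t,s0)`, with the exact filename confirmed from the daemon. The entries are also not in path order; refpolicy keeps fc files sorted, so `/usr/sbin/icecc-scheduler` belongs before `/usr/sbin/iceccd` and the /var entries last. Note too that the `/var/cache/icecream(/.*)?` spec labels every file under the cache with the type that is also the entry point for iceccd_untrusted_t; that appears to be the intended design, but a short `#` comment on that line saying so would help the next reader.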
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if (revision 0)
+++ policy/modules/services/icecream.if (revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>