[refpolicy] [PATCH] add policy for Icecream

[mschmidt@redhat.com (Michal Schmidt)]

Dne Mon, 02 Mar 2009 14:16:54 +0100
Dominick Grift <domg472@gmail.com> napsal:

> Here is my take on the policy. It may or may not work but it may give
> you some ideas on how to clean it up a bit.

Thank you for your suggestions! I'll redo the policy accordingly.
There are some bits, however, where I'd like some clarification.
It's these pieces of the diff between my and your version of
the .te file:
>  
> -# the compiler node daemon
>  type iceccd_t;
>  type iceccd_exec_t;
>  init_daemon_domain(iceccd_t, iceccd_exec_t)
> @@ -20,141 +311,182 @@
>  type iceccd_var_run_t;
>  files_pid_file(iceccd_var_run_t)
>  
> -# the working area
>  type iceccd_cache_t;
>  files_type(iceccd_cache_t)
>  
> -# icecc-create-env script makes a tarball of the local compiler and
> its -# dependencies for other nodes to use

You removed most of my comments which were meant to give the reader some idea
why the policy says what it says. Does it mean comments like these are really
not wanted?

>  type iceccd_createenv_t;
>  type iceccd_createenv_exec_t;
> -domain_type(iceccd_createenv_t)
> -domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
> +application_executable_file(iceccd_createenv_exec_t)
> +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
>  role system_r types iceccd_createenv_t;

The application_* interfaces mark programs which are expected to be run by
users from interactive shells? OK, it makes sense for icecc-create-env.

> -domain_type(iceccd_untrusted_t);
> -domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> +application_executable_file(iceccd_cache_t);
> +application_domain(iceccd_untrusted_t, iceccd_cache_t)

... however, I do not think it's useful to mark the untrusted foreign compilers
as such. These should never be run by users.

> +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
> +noatsecure };

In the original version, these three permissions were 'allow'. I don't know
exactly what they mean, I got them by observing the AVC denials during normal
operation of Icecream. If you think 'dontaudit' should be enough, I believe
you. I'll test it.
 
> +# use interface: iceccd_untrusted_signal()
> +allow iceccd_t iceccd_untrusted_t:process signal;

You suggest "use interface: ..." several times. To make it absolutely clear -
are you asking me to create the named interfaces in icecream.if and use them in
icecream.te?
I thought interfaces were only useful for interaction with other policy
modules. And at the moment I can't imagine any other users of these interfaces.
 
>  corenet_all_recvfrom_unlabeled(iceccd_t)
>  corenet_all_recvfrom_netlabel(iceccd_t)
>  corenet_tcp_sendrecv_generic_if(iceccd_t)
> -corenet_udp_sendrecv_generic_if(iceccd_t)
>  corenet_tcp_sendrecv_generic_node(iceccd_t)
> -corenet_udp_sendrecv_generic_node(iceccd_t)
>  corenet_tcp_sendrecv_all_ports(iceccd_t)
> -corenet_udp_sendrecv_all_ports(iceccd_t)
>  corenet_tcp_bind_generic_node(iceccd_t)
>  corenet_tcp_bind_iceccd_port(iceccd_t)

iceccd sends UDP broadcasts to find the scheduler on the LAN. Won't removing
these rules block it?


Michal