* [refpolicy] [PATCH] add policy for Icecream
@ 2009-03-02 12:04 Michal Schmidt
From: Michal Schmidt @ 2009-03-02 12:04 UTC (permalink / raw)
To: refpolicy
Hello,
Icecream is a distributed compiler similar to distcc, but there are
important differences:
- It uses a central scheduler (icecc-scheduler) which decides on which
node each job will be compiled. Typically there are many nodes on the
local network, all running iceccd.
- It automatically copies the local compiler binary with its
dependencies to the other nodes to ensure they're all using the same
compiler. The nodes execute the compiler in a chroot.
As you can see, running iceccd implies running arbitrary code from
networked users. Confining Icecream with SELinux is a good idea.
This patch adds the policy for Icecream to refpolicy. It is based on
the latest icecream policy module from the icecream RPM in Fedora.
Michal
Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2912)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -103,6 +103,8 @@
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te (revision 0)
+++ policy/modules/services/icecream.te (revision 0)
@@ -0,0 +1,170 @@
+
+policy_module(icecream,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# the compiler node daemon
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+# the working area
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+# icecc-create-env script makes a tarball of the local compiler and its
+# dependencies for other nodes to use
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+domain_type(iceccd_createenv_t)
+domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+# foreign compilers
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+# the scheduler
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# Icecream policy
+#
+
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
+allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
+
+files_read_etc_files(iceccd_t)
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+miscfiles_read_localization(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+kernel_read_system_state(iceccd_t)
+sysnet_read_config(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_getattr_tmp_dirs(iceccd_t)
+files_search_tmp(iceccd_t)
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
+
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+# icecc-create-env looks for executable files to strip them. It does not
+# really execute them, but the -x check would trigger a denial. Do not allow
+# this, typically the binaries are already stripped anyway. Just silence it.
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+
+files_read_etc_files(iceccd_createenv_t)
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+miscfiles_read_localization(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+
+files_read_usr_files(iceccd_createenv_t)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+libs_domtrans_ldconfig(iceccd_createenv_t)
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+dev_read_urand(iceccd_createenv_t)
+kernel_read_system_state(iceccd_createenv_t)
+# silence file(1) looking for /root/.magic
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+# XXX: This could be avoided if iceccd only nuked the contents of
+# /var/cache/icecream, not the directory itself.
+files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
+
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(icecc_scheduler_t)
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+miscfiles_read_localization(icecc_scheduler_t)
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
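Review bot: iceccd_untrusted_t is given write access to its own entrypoint type: `domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)` makes iceccd_cache_t the domain's entry point, while `manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` together with the `execute_no_trans` rule lets code already running as a foreign compiler create, modify and unlink the binaries that later jobs (and iceccd_t's domtrans on the same type) will execute, so one submitted job can alter the compiler environment seen by the next. If the compilers only need to read their environment and write build output, putting the output location under a separate type and reducing the cache rule to `exec_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` would keep the entrypoint files read-only from the untrusted domain; whether the compiler must write into the chroot tree itself is not visible from the policy alone. Separately, `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` applies a sock_file permission set to a socket class; for a socket inherited from iceccd_t, `allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write };` states the intent without depending on that set's members being valid for the class. The stray `;` after `domain_type(iceccd_untrusted_t)` is also inconsistent with every other interface call in the file.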
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc (revision 0)
+++ policy/modules/services/icecream.fc (revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
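Review bot: The entries are not in path order — `/usr/sbin/icecc-scheduler` on the last line belongs next to `/usr/sbin/iceccd`, ahead of the `/var` entries, which is how the other refpolicy .fc files are laid out and what makes later diffs of this file readable. The `/var/cache/icecream(/.*)?` entry is also the only label for the untrusted domain's entrypoint files, so a one-line comment such as `# compiler environments received from other nodes; entrypoint for iceccd_untrusted_t` above it would tell a reader why this cache tree is treated differently from an ordinary var_t directory.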
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if (revision 0)
+++ policy/modules/services/icecream.if (revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>
^ permalink raw reply [flat|nested] 9+ messages in thread* [refpolicy] [PATCH] add policy for Icecream 2009-03-02 12:04 [refpolicy] [PATCH] add policy for Icecream Michal Schmidt @ 2009-03-02 13:16 ` Dominick Grift 2009-03-02 15:37 ` Michal Schmidt 2009-03-02 16:35 ` Dominick Grift 1 sibling, 1 reply; 9+ messages in thread From: Dominick Grift @ 2009-03-02 13:16 UTC (permalink / raw) To: refpolicy On Mon, 2009-03-02 at 13:04 +0100, Michal Schmidt wrote: > Hello, > > Icecream is a distributed compiler similar to distcc, but there are > important differences: > - It uses a central scheduler (icecc-scheduler) which decides on which > node each job will be compiled. Typically there are many nodes on the > local network, all running iceccd. > - It automatically copies the local compiler binary with its > dependencies to the other nodes to ensure they're all using the same > compiler. The nodes execute the compiler in a chroot. > > As you can see, running iceccd implies running arbitrary code from > networked users. Confining Icecream with SELinux is a good idea. > > This patch adds the policy for Icecream to refpolicy. It is based on > the latest icecream policy module from the icecream RPM in Fedora. > > Michal > > Index: policy/modules/kernel/corenetwork.te.in > =================================================================== > --- policy/modules/kernel/corenetwork.te.in (revision 2912) > +++ policy/modules/kernel/corenetwork.te.in (working copy) 
> @@ -103,6 +103,8 @@ > network_port(howl, tcp,5335,s0, udp,5353,s0) > network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) > network_port(i18n_input, tcp,9010,s0) > +network_port(iceccd, tcp,10245,s0) > +network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0) > network_port(imaze, tcp,5323,s0, udp,5323,s0) > network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) > network_port(innd, tcp,119,s0) > Index: policy/modules/services/icecream.te > =================================================================== > --- policy/modules/services/icecream.te (revision 0) > +++ policy/modules/services/icecream.te (revision 0) 
> @@ -0,0 +1,170 @@ > + > +policy_module(icecream,1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +# the compiler node daemon > +type iceccd_t; > +type iceccd_exec_t; > +init_daemon_domain(iceccd_t, iceccd_exec_t) > + > +type iceccd_log_t; > +logging_log_file(iceccd_log_t) > + > +type iceccd_tmp_t; > +files_tmp_file(iceccd_tmp_t) > + > +type iceccd_var_run_t; > +files_pid_file(iceccd_var_run_t) > + > +# the working area > +type iceccd_cache_t; > +files_type(iceccd_cache_t) > + > +# icecc-create-env script makes a tarball of the local compiler and its > +# dependencies for other nodes to use > +type iceccd_createenv_t; > +type iceccd_createenv_exec_t; > +domain_type(iceccd_createenv_t) > +domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t) > +role system_r types iceccd_createenv_t; > + > +# foreign compilers > +type iceccd_untrusted_t; > +domain_type(iceccd_untrusted_t); > +domain_entry_file(iceccd_untrusted_t, iceccd_cache_t) > +role system_r types iceccd_untrusted_t; > + > +# the scheduler > +type icecc_scheduler_t; > +type icecc_scheduler_exec_t; > +init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t) > + > +######################################## > +# > +# Icecream policy > +# > + > +allow iceccd_t self:process { signal_perms setsched setrlimit }; > +allow iceccd_t self:netlink_route_socket r_netlink_socket_perms; > +allow iceccd_t self:tcp_socket create_stream_socket_perms; > +allow iceccd_t self:udp_socket create_socket_perms; > +allow iceccd_t self:fifo_file rw_fifo_file_perms; > +allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot }; > +allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal }; > + > +files_read_etc_files(iceccd_t) > +libs_use_ld_so(iceccd_t) > +libs_use_shared_libs(iceccd_t) > +miscfiles_read_localization(iceccd_t) > + > +fs_getattr_all_fs(iceccd_t) > +kernel_read_system_state(iceccd_t) > 
+sysnet_read_config(iceccd_t) > + > +corecmd_exec_bin(iceccd_t) > +corecmd_read_bin_symlinks(iceccd_t) > + > +files_getattr_tmp_dirs(iceccd_t) > +files_search_tmp(iceccd_t) > + > +corenet_all_recvfrom_unlabeled(iceccd_t) > +corenet_all_recvfrom_netlabel(iceccd_t) > +corenet_tcp_sendrecv_generic_if(iceccd_t) > +corenet_udp_sendrecv_generic_if(iceccd_t) > +corenet_tcp_sendrecv_generic_node(iceccd_t) > +corenet_udp_sendrecv_generic_node(iceccd_t) > +corenet_tcp_sendrecv_all_ports(iceccd_t) > +corenet_udp_sendrecv_all_ports(iceccd_t) > +corenet_tcp_bind_generic_node(iceccd_t) > +corenet_tcp_bind_iceccd_port(iceccd_t) > +corenet_sendrecv_iceccd_server_packets(iceccd_t) > +corenet_tcp_connect_icecc_scheduler_port(iceccd_t) > + > +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t) > +domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t) > + > +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t) > +logging_log_filetrans(iceccd_t, iceccd_log_t, file) > + > +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t) > +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file) > + > +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) > +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) > + > +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) > +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) > +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file) > + > + > +allow iceccd_createenv_t iceccd_log_t:file { append }; > +allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms; > +# icecc-create-env looks for executable files to strip them. It does not > +# really execute them, but the -x check would trigger a denial. Do not allow > +# this, typically the binaries are already stripped anyway. Just silence it. 
> +dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute }; > + > +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms; > +allow iceccd_untrusted_t self:process signal_perms; > +allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms; > +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t) > +allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans }; > + > +files_read_etc_files(iceccd_createenv_t) > +libs_use_ld_so(iceccd_createenv_t) > +libs_use_shared_libs(iceccd_createenv_t) > +miscfiles_read_localization(iceccd_createenv_t) > + > +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) > +manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) > + > +files_read_usr_files(iceccd_createenv_t) > +libs_exec_ld_so(iceccd_createenv_t) > +libs_exec_lib_files(iceccd_createenv_t) > +libs_domtrans_ldconfig(iceccd_createenv_t) > +corecmd_exec_bin(iceccd_createenv_t) > +corecmd_exec_shell(iceccd_createenv_t) > +dev_read_urand(iceccd_createenv_t) > +kernel_read_system_state(iceccd_createenv_t) > +# silence file(1) looking for /root/.magic > +userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t) > + > +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) > +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) > +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file) > +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir) > + > +optional_policy(` > + nscd_socket_use(iceccd_createenv_t) > +') > + > +# XXX: This could be avoided if iceccd only nuked the contents of > +# /var/cache/icecream, not the directory itself. 
> +files_var_filetrans(iceccd_t, iceccd_cache_t, dir) > + > + > +allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms; > +allow icecc_scheduler_t self:udp_socket create_socket_perms; > + > +files_read_etc_files(icecc_scheduler_t) > +libs_use_ld_so(icecc_scheduler_t) > +libs_use_shared_libs(icecc_scheduler_t) > +miscfiles_read_localization(icecc_scheduler_t) > + > +corenet_all_recvfrom_unlabeled(icecc_scheduler_t) > +corenet_all_recvfrom_netlabel(icecc_scheduler_t) > +corenet_tcp_sendrecv_generic_if(icecc_scheduler_t) > +corenet_udp_sendrecv_generic_if(icecc_scheduler_t) > +corenet_tcp_sendrecv_generic_node(icecc_scheduler_t) > +corenet_udp_sendrecv_generic_node(icecc_scheduler_t) > +corenet_tcp_sendrecv_all_ports(icecc_scheduler_t) > +corenet_udp_sendrecv_all_ports(icecc_scheduler_t) > +corenet_tcp_bind_generic_node(icecc_scheduler_t) > +corenet_udp_bind_generic_node(icecc_scheduler_t) > +corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t) > +corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t) > +corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t) > Index: policy/modules/services/icecream.fc > =================================================================== > --- policy/modules/services/icecream.fc (revision 0) > +++ policy/modules/services/icecream.fc (revision 0) > @@ -0,0 +1,5 @@ > +/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0) > +/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0) > +/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0) > +/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0) > +/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0) > Index: policy/modules/services/icecream.if > =================================================================== > --- policy/modules/services/icecream.if (revision 0) > +++ policy/modules/services/icecream.if (revision 0) 
> @@ -0,0 +1 @@ > +## <summary>Icecream distributed compiler daemon</summary> > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy Here is my take on the policy. It may or may not work but it may give you some ideas on how to clean it up a bit. Use it at your own risk policy_module(icecream, 1.0.1) ######################################## # # iceccd declarations # type iceccd_t; type iceccd_exec_t; init_daemon_domain(iceccd_t, iceccd_exec_t) type iceccd_log_t; logging_log_file(iceccd_log_t) type iceccd_tmp_t; files_tmp_file(iceccd_tmp_t) type iceccd_var_run_t; files_pid_file(iceccd_var_run_t) type iceccd_cache_t; files_type(iceccd_cache_t) ######################################## # # iceccd-createenv declarations # type iceccd_createenv_t; type iceccd_createenv_exec_t; application_executable_file(iceccd_createenv_exec_t) application_domain(iceccd_createenv_t, iceccd_createenv_exec_t) role system_r types iceccd_createenv_t; ######################################## # # iceccd-scheduler declarations # type icecc_scheduler_t; type icecc_scheduler_exec_t; init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t) ######################################## # # iceccd-untrusted declarations # type iceccd_untrusted_t; application_executable_file(iceccd_cache_t); application_domain(iceccd_untrusted_t, iceccd_cache_t) role system_r types iceccd_untrusted_t; ######################################## # # iceccd policy # # this block in alphabetical order allow iceccd_t self:process { signal_perms setsched setrlimit }; allow iceccd_t self:netlink_route_socket r_netlink_socket_perms; allow iceccd_t self:tcp_socket create_stream_socket_perms; allow iceccd_t self:udp_socket create_socket_perms; allow iceccd_t self:fifo_file rw_fifo_file_perms; allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot }; # use interface: 
iceccd_untrusted_dontaudit...() dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure }; # use interface: iceccd_untrusted_signal() allow iceccd_t iceccd_untrusted_t:process signal; # use interface: iceccd_createenv_domtrans() domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t) # use interface: iceccd_untrusted_domtrans() domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t) # can it search /var? manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t) logging_log_filetrans(iceccd_t, iceccd_log_t, file) manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t) files_pid_filetrans(iceccd_t, iceccd_var_run_t, file) manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file }) files_search_tmp(iceccd_t) manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file }) corenet_all_recvfrom_unlabeled(iceccd_t) corenet_all_recvfrom_netlabel(iceccd_t) corenet_tcp_sendrecv_generic_if(iceccd_t) corenet_tcp_sendrecv_generic_node(iceccd_t) corenet_tcp_sendrecv_all_ports(iceccd_t) corenet_tcp_bind_generic_node(iceccd_t) corenet_tcp_bind_iceccd_port(iceccd_t) corenet_tcp_connect_icecc_scheduler_port(iceccd_t) corenet_sendrecv_iceccd_server_packets(iceccd_t) corecmd_exec_bin(iceccd_t) corecmd_read_bin_symlinks(iceccd_t) files_read_etc_files(iceccd_t) fs_getattr_all_fs(iceccd_t) kernel_read_system_state(iceccd_t) sysnet_read_config(iceccd_t) libs_use_ld_so(iceccd_t) libs_use_shared_libs(iceccd_t) miscfiles_read_localization(iceccd_t) ######################################## # # iceccd-createenv policy # allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms; # use interface: iceccd_dontaudit_exec_tmp() dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute }; # use interface: 
iceccd_append_log() allow iceccd_createenv_t iceccd_log_t:file { append }; # use interface: iceccd_manage_cache() # can it search /var? manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) files_var_filetrans(iceccd_createenv_t, iceccd_cache_t, { dir file }) # use interface: iceccd_manage_tmp() # can it search /tmp? manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file }) corecmd_exec_bin(iceccd_createenv_t) corecmd_exec_shell(iceccd_createenv_t) dev_read_urand(iceccd_createenv_t) files_read_etc_files(iceccd_createenv_t) files_read_usr_files(iceccd_createenv_t) kernel_read_system_state(iceccd_createenv_t) libs_exec_ld_so(iceccd_createenv_t) libs_exec_lib_files(iceccd_createenv_t) libs_domtrans_ldconfig(iceccd_createenv_t) libs_use_ld_so(iceccd_createenv_t) libs_use_shared_libs(iceccd_createenv_t) miscfiles_read_localization(iceccd_createenv_t) userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t) optional_policy(` nscd_socket_use(iceccd_createenv_t) ') ######################################## # # iceccd-untrusted policy # allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms; allow iceccd_untrusted_t self:process signal_perms; allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms; # use interface: iceccd_manage_cache() manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t) # use interface: iceccd_can_exec_cache() allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans }; ######################################## # # icecc-scheduler policy # allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms; allow icecc_scheduler_t self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled(icecc_scheduler_t) corenet_all_recvfrom_netlabel(icecc_scheduler_t) 
corenet_tcp_sendrecv_generic_if(icecc_scheduler_t) corenet_udp_sendrecv_generic_if(icecc_scheduler_t) corenet_tcp_sendrecv_generic_node(icecc_scheduler_t) corenet_udp_sendrecv_generic_node(icecc_scheduler_t) corenet_tcp_sendrecv_all_ports(icecc_scheduler_t) corenet_udp_sendrecv_all_ports(icecc_scheduler_t) corenet_tcp_bind_generic_node(icecc_scheduler_t) corenet_udp_bind_generic_node(icecc_scheduler_t) corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t) corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t) corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t) files_read_etc_files(icecc_scheduler_t) libs_use_ld_so(icecc_scheduler_t) libs_use_shared_libs(icecc_scheduler_t) miscfiles_read_localization(icecc_scheduler_t) ^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH] add policy for Icecream 2009-03-02 13:16 ` Dominick Grift @ 2009-03-02 15:37 ` Michal Schmidt 2009-03-02 15:57 ` Christopher J. PeBenito 2009-03-02 16:23 ` Dominick Grift 0 siblings, 2 replies; 9+ messages in thread From: Michal Schmidt @ 2009-03-02 15:37 UTC (permalink / raw) To: refpolicy Dne Mon, 02 Mar 2009 14:16:54 +0100 Dominick Grift <domg472@gmail.com> napsal: > Here is my take on the policy. It may or may not work but it may give > you some ideas on how to clean it up a bit. Thank you for your suggestions! I'll redo the policy accordingly. There are some bits, however, where I'd like some clarification. It's these pieces of the diff between my and your version of the .te file: > > -# the compiler node daemon > type iceccd_t; > type iceccd_exec_t; > init_daemon_domain(iceccd_t, iceccd_exec_t) 
> @@ -20,141 +311,182 @@ > type iceccd_var_run_t; > files_pid_file(iceccd_var_run_t) > > -# the working area > type iceccd_cache_t; > files_type(iceccd_cache_t) > > -# icecc-create-env script makes a tarball of the local compiler and > its -# dependencies for other nodes to use You removed most of my comments which were meant to give the reader some idea why the policy says what it says. Does it mean comments like these are really not wanted? > type iceccd_createenv_t; > type iceccd_createenv_exec_t; > -domain_type(iceccd_createenv_t) > -domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t) > +application_executable_file(iceccd_createenv_exec_t) > +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t) > role system_r types iceccd_createenv_t; The application_* interfaces mark programs which are expected to be run by users from interactive shells? OK, it makes sense for icecc-create-env. > -domain_type(iceccd_untrusted_t); > -domain_entry_file(iceccd_untrusted_t, iceccd_cache_t) > +application_executable_file(iceccd_cache_t); > +application_domain(iceccd_untrusted_t, iceccd_cache_t) ... however, I do not think it's useful to mark the untrusted foreign compilers as such. These should never be run by users. > +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh > +noatsecure }; In the original version, these three permissions were 'allow'. I don't know exactly what they mean, I got them by observing the AVC denials during normal operation of Icecream. If you think 'dontaudit' should be enough, I believe you. I'll test it. > +# use interface: iceccd_untrusted_signal() > +allow iceccd_t iceccd_untrusted_t:process signal; You suggest "use interface: ..." several times. To make it absolutely clear - are you asking me to create the named interfaces in icecream.if and use them in icecream.te? I thought interfaces were only useful for interaction with other policy modules. And at the moment I can't imagine any other users of these interfaces. 
> corenet_all_recvfrom_unlabeled(iceccd_t) > corenet_all_recvfrom_netlabel(iceccd_t) > corenet_tcp_sendrecv_generic_if(iceccd_t) > -corenet_udp_sendrecv_generic_if(iceccd_t) > corenet_tcp_sendrecv_generic_node(iceccd_t) > -corenet_udp_sendrecv_generic_node(iceccd_t) > corenet_tcp_sendrecv_all_ports(iceccd_t) > -corenet_udp_sendrecv_all_ports(iceccd_t) > corenet_tcp_bind_generic_node(iceccd_t) > corenet_tcp_bind_iceccd_port(iceccd_t) iceccd sends UDP broadcasts to find the scheduler on the LAN. Won't removing these rules block it? Michal ^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH] add policy for Icecream 2009-03-02 15:37 ` Michal Schmidt @ 2009-03-02 15:57 ` Christopher J. PeBenito 2009-03-02 16:23 ` Dominick Grift 1 sibling, 0 replies; 9+ messages in thread From: Christopher J. PeBenito @ 2009-03-02 15:57 UTC (permalink / raw) To: refpolicy On Mon, 2009-03-02 at 16:37 +0100, Michal Schmidt wrote: > Dne Mon, 02 Mar 2009 14:16:54 +0100 > Dominick Grift <domg472@gmail.com> napsal: > > > Here is my take on the policy. It may or may not work but it may give > > you some ideas on how to clean it up a bit. > > Thank you for your suggestions! I'll redo the policy accordingly. > There are some bits, however, where I'd like some clarification. > It's these pieces of the diff between my and your version of > the .te file: [...] > > type iceccd_createenv_t; > > type iceccd_createenv_exec_t; > > -domain_type(iceccd_createenv_t) > > -domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t) > > +application_executable_file(iceccd_createenv_exec_t) > > +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t) > > role system_r types iceccd_createenv_t; > > The application_* interfaces mark programs which are expected to be run by > users from interactive shells? Yes. > OK, it makes sense for icecc-create-env. > > > -domain_type(iceccd_untrusted_t); > > -domain_entry_file(iceccd_untrusted_t, iceccd_cache_t) > > +application_executable_file(iceccd_cache_t); > > +application_domain(iceccd_untrusted_t, iceccd_cache_t) > > ... however, I do not think it's useful to mark the untrusted foreign compilers > as such. These should never be run by users. I agree in this case. > > +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh > > +noatsecure }; > > In the original version, these three permissions were 'allow'. I don't know > exactly what they mean, I got them by observing the AVC denials during normal > operation of Icecream. If you think 'dontaudit' should be enough, I believe > you. I'll test it. 
With dontaudit, on the transition to iceccd_untrusted_t signals and resource limits won't be inherited, and the environment variables will be cleansed. It's rare that these permissions need to be allowed. > > +# use interface: iceccd_untrusted_signal() > > +allow iceccd_t iceccd_untrusted_t:process signal; > > You suggest "use interface: ..." several times. To make it absolutely clear - > are you asking me to create the named interfaces in icecream.if and use them in > icecream.te? > I thought interfaces were only useful for interaction with other policy > modules. And at the moment I can't imagine any other users of these interfaces. I'd lean towards skipping the interface for now. > > corenet_all_recvfrom_unlabeled(iceccd_t) > > corenet_all_recvfrom_netlabel(iceccd_t) > > corenet_tcp_sendrecv_generic_if(iceccd_t) > > -corenet_udp_sendrecv_generic_if(iceccd_t) > > corenet_tcp_sendrecv_generic_node(iceccd_t) > > -corenet_udp_sendrecv_generic_node(iceccd_t) > > corenet_tcp_sendrecv_all_ports(iceccd_t) > > -corenet_udp_sendrecv_all_ports(iceccd_t) > > corenet_tcp_bind_generic_node(iceccd_t) > > corenet_tcp_bind_iceccd_port(iceccd_t) > > iceccd sends UDP broadcasts to find the scheduler on the LAN. Won't removing > these rules block it? Yes. Sounds like you need to keep those lines. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH] add policy for Icecream 2009-03-02 15:37 ` Michal Schmidt 2009-03-02 15:57 ` Christopher J. PeBenito @ 2009-03-02 16:23 ` Dominick Grift 1 sibling, 0 replies; 9+ messages in thread From: Dominick Grift @ 2009-03-02 16:23 UTC (permalink / raw) To: refpolicy On Mon, 2009-03-02 at 16:37 +0100, Michal Schmidt wrote: > Dne Mon, 02 Mar 2009 14:16:54 +0100 > Dominick Grift <domg472@gmail.com> napsal: > > > Here is my take on the policy. It may or may not work but it may give > > you some ideas on how to clean it up a bit. > > Thank you for your suggestions! I'll redo the policy accordingly. > There are some bits, however, where I'd like some clarification. > It's these pieces of the diff between my and your version of > the .te file: > > > > -# the compiler node daemon > > type iceccd_t; > > type iceccd_exec_t; > > init_daemon_domain(iceccd_t, iceccd_exec_t) 
> > @@ -20,141 +311,182 @@ > > type iceccd_var_run_t; > > files_pid_file(iceccd_var_run_t) > > > > -# the working area > > type iceccd_cache_t; > > files_type(iceccd_cache_t) > > > > -# icecc-create-env script makes a tarball of the local compiler and > > its -# dependencies for other nodes to use > > You removed most of my comments which were meant to give the reader some idea > why the policy says what it says. Does it mean comments like these are really > not wanted? Comments are fine. If they are not too obvious. I removed them because that is my personal taste. > > type iceccd_createenv_t; > > type iceccd_createenv_exec_t; > > -domain_type(iceccd_createenv_t) > > -domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t) > > +application_executable_file(iceccd_createenv_exec_t) > > +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t) > > role system_r types iceccd_createenv_t; > > The application_* interfaces mark programs which are expected to be run by > users from interactive shells? OK, it makes sense for icecc-create-env. If user have access to the executable type and have a transition set up. > > -domain_type(iceccd_untrusted_t); > > -domain_entry_file(iceccd_untrusted_t, iceccd_cache_t) > > +application_executable_file(iceccd_cache_t); > > +application_domain(iceccd_untrusted_t, iceccd_cache_t) > > ... however, I do not think it's useful to mark the untrusted foreign compilers > as such. These should never be run by users. Alright you could also use domain_entry_type, but users wont be able to use application executables if they cannot access then or if no transition is set up. > > +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh > > +noatsecure }; > > In the original version, these three permissions were 'allow'. I don't know > exactly what they mean, I got them by observing the AVC denials during normal > operation of Icecream. If you think 'dontaudit' should be enough, I believe > you. I'll test it. 
Try it; these permissions usually get silently denied. > > +# use interface: iceccd_untrusted_signal() > > +allow iceccd_t iceccd_untrusted_t:process signal; > > You suggest "use interface: ..." several times. To make it absolutely clear - > are you asking me to create the named interfaces in icecream.if and use them in > icecream.te? > I thought interfaces were only useful for interaction with other policy > modules. And at the moment I can't imagine any other users of these interfaces. Interfaces make it easier for you to maintain policy, be it local to the module or not. I suggested the use of interfaces, but it's a personal taste. > > corenet_all_recvfrom_unlabeled(iceccd_t) > > corenet_all_recvfrom_netlabel(iceccd_t) > > corenet_tcp_sendrecv_generic_if(iceccd_t) > > -corenet_udp_sendrecv_generic_if(iceccd_t) > > corenet_tcp_sendrecv_generic_node(iceccd_t) > > -corenet_udp_sendrecv_generic_node(iceccd_t) > > corenet_tcp_sendrecv_all_ports(iceccd_t) > > -corenet_udp_sendrecv_all_ports(iceccd_t) > > corenet_tcp_bind_generic_node(iceccd_t) > > corenet_tcp_bind_iceccd_port(iceccd_t) > > iceccd sends UDP broadcasts to find the scheduler on the LAN. Won't removing > these rules block it? If you need them, add them. > > Michal ^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH] add policy for Icecream 2009-03-02 12:04 [refpolicy] [PATCH] add policy for Icecream Michal Schmidt 2009-03-02 13:16 ` Dominick Grift @ 2009-03-02 16:35 ` Dominick Grift 2009-03-02 23:40 ` [refpolicy] [PATCH v1.0.2] " Michal Schmidt 1 sibling, 1 reply; 9+ messages in thread From: Dominick Grift @ 2009-03-02 16:35 UTC (permalink / raw) To: refpolicy On Mon, 2009-03-02 at 13:04 +0100, Michal Schmidt wrote: > +allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans }; This can be: can_exec(iceccd_untrusted_t, iceccd_cache_t) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH v1.0.2] add policy for Icecream 2009-03-02 16:35 ` Dominick Grift @ 2009-03-02 23:40 ` Michal Schmidt 2009-03-03 0:08 ` Dominick Grift 0 siblings, 1 reply; 9+ messages in thread From: Michal Schmidt @ 2009-03-02 23:40 UTC (permalink / raw) To: refpolicy Hello, This patch adds the policy for Icecream, a distributed compiler. Notable changes since the first version: - as suggested by Dominick Grift: - reordered lots of the lines - removed the comments - dontaudit siginh, rlimitinh, noatsecure - use application_domain() for iceccd_createenv_t - use can_exec() I did not add any interfaces, I like it better without them. Michal
Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2912)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -103,6 +103,8 @@
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te (revision 0)
+++ policy/modules/services/icecream.te (revision 0)
@@ -0,0 +1,204 @@
+
+policy_module(icecream,1.0.2)
+
+########################################
+#
+# iceccd declarations
+#
+
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+########################################
+#
+# iceccd_createenv declarations
+#
+
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+########################################
+#
+# icecc_scheduler declarations
+#
+
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+########################################
+#
+# iceccd policy
+#
+
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+ setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+ noatsecure };
+
+allow iceccd_t iceccd_untrusted_t:process signal;
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
+
+files_search_tmp(iceccd_t)
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_read_etc_files(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+
+kernel_read_system_state(iceccd_t)
+
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
+
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
+
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+
+dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
+kernel_read_system_state(iceccd_createenv_t)
+
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc (revision 0)
+++ policy/modules/services/icecream.fc (revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if (revision 0)
+++ policy/modules/services/icecream.if (revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>
^ permalink raw reply [flat|nested] 9+ messages in thread
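Review bot: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` in the iceccd_untrusted section applies a permission set defined for the sock_file object class to a socket class; for a socket inherited from iceccd_t the usual minimal grant is `allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write };`. In the same section iceccd_untrusted_t gets manage_files_pattern and can_exec over iceccd_cache_t, the same type that iceccd_t domain-transitions on via domtrans_pattern, so a remote job can modify a cached compiler environment that a later job executes; if that is accepted, a comment saying so would help, otherwise a separate type for per-job scratch files would keep the environments read-only to the untrusted domain. `domain_type(iceccd_untrusted_t);` is also the only interface call in the hunk written with a trailing semicolon.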
* [refpolicy] [PATCH v1.0.2] add policy for Icecream 2009-03-02 23:40 ` [refpolicy] [PATCH v1.0.2] " Michal Schmidt @ 2009-03-03 0:08 ` Dominick Grift 2009-03-03 15:22 ` [refpolicy] [PATCH v1.0.3] " Michal Schmidt 0 siblings, 1 reply; 9+ messages in thread From: Dominick Grift @ 2009-03-03 0:08 UTC (permalink / raw) To: refpolicy On Tue, 2009-03-03 at 00:40 +0100, Michal Schmidt wrote: > Hello, > > This patch adds the policy for Icecream, a distributed compiler. > > Notable changes since the first version: > - as suggested by Dominick Grift: > - reordered lots of the lines > - removed the comments > - dontaudit siginh, rlimitinh, noatsecure > - use application_domain() for iceccd_createenv_t > - use can_exec() > I did not add any interfaces, I like it better without them. > > Michal > > Index: policy/modules/kernel/corenetwork.te.in > =================================================================== > --- policy/modules/kernel/corenetwork.te.in (revision 2912) > +++ policy/modules/kernel/corenetwork.te.in (working copy) 
> @@ -103,6 +103,8 @@ > network_port(howl, tcp,5335,s0, udp,5353,s0) > network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) > network_port(i18n_input, tcp,9010,s0) > +network_port(iceccd, tcp,10245,s0) > +network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0) > network_port(imaze, tcp,5323,s0, udp,5323,s0) > network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) > network_port(innd, tcp,119,s0) > Index: policy/modules/services/icecream.te > =================================================================== > --- policy/modules/services/icecream.te (revision 0) > +++ policy/modules/services/icecream.te (revision 0) 
> @@ -0,0 +1,204 @@ > + > +policy_module(icecream,1.0.2) > + > +######################################## > +# > +# iceccd declarations > +# > + > +type iceccd_t; > +type iceccd_exec_t; > +init_daemon_domain(iceccd_t, iceccd_exec_t) > + > +type iceccd_log_t; > +logging_log_file(iceccd_log_t) > + > +type iceccd_tmp_t; > +files_tmp_file(iceccd_tmp_t) > + > +type iceccd_var_run_t; > +files_pid_file(iceccd_var_run_t) > + > +type iceccd_cache_t; > +files_type(iceccd_cache_t) > + > +######################################## > +# > +# iceccd_createenv declarations > +# > + > +type iceccd_createenv_t; > +type iceccd_createenv_exec_t; > +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t) > +role system_r types iceccd_createenv_t; > + > +######################################## > +# > +# icecc_scheduler declarations > +# > + > +type icecc_scheduler_t; > +type icecc_scheduler_exec_t; > +init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t) > + > +######################################## > +# > +# iceccd_untrusted declarations > +# > + > +type iceccd_untrusted_t; > +domain_type(iceccd_untrusted_t); > +domain_entry_file(iceccd_untrusted_t, iceccd_cache_t) > +role system_r types iceccd_untrusted_t; > + > +######################################## > +# > +# iceccd policy > +# > + > +allow iceccd_t self:capability { chown dac_override fowner fsetid kill > + setgid setuid sys_chroot }; > +allow iceccd_t self:fifo_file rw_fifo_file_perms; > +allow iceccd_t self:netlink_route_socket r_netlink_socket_perms; > +allow iceccd_t self:process { signal_perms setsched setrlimit }; > +allow iceccd_t self:tcp_socket create_stream_socket_perms; > +allow iceccd_t self:udp_socket create_socket_perms; > + > +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh > + noatsecure }; > + > +allow iceccd_t iceccd_untrusted_t:process signal; > + > +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t) > +domtrans_pattern(iceccd_t, iceccd_cache_t, 
iceccd_untrusted_t) > + > +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t) > +logging_log_filetrans(iceccd_t, iceccd_log_t, file) > + > +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t) > +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file) > + > +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) > +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) > +files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file }) Does iceccd_t not need: files_search_var(iceccd_t)? I expect that it needs to search /var to be able to find files/dirs with type iceccd_cache_t/iceccd_log_t/iceccd_var_run_t and i do not see where it is allowed to search /var It might also need permission to search var_run_t, var_log_t? It can be that the search perm is included in one of the interfaces below. > +files_search_tmp(iceccd_t) > +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) > +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) > +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file }) > + > +corenet_all_recvfrom_unlabeled(iceccd_t) > +corenet_all_recvfrom_netlabel(iceccd_t) > +corenet_tcp_sendrecv_generic_if(iceccd_t) > +corenet_udp_sendrecv_generic_if(iceccd_t) > +corenet_tcp_sendrecv_generic_node(iceccd_t) > +corenet_udp_sendrecv_generic_node(iceccd_t) > +corenet_tcp_sendrecv_all_ports(iceccd_t) > +corenet_udp_sendrecv_all_ports(iceccd_t) > +corenet_tcp_bind_generic_node(iceccd_t) > +corenet_tcp_bind_iceccd_port(iceccd_t) > +corenet_tcp_connect_icecc_scheduler_port(iceccd_t) > +corenet_sendrecv_iceccd_server_packets(iceccd_t) > + > +corecmd_exec_bin(iceccd_t) > +corecmd_read_bin_symlinks(iceccd_t) > + > +files_read_etc_files(iceccd_t) > + > +fs_getattr_all_fs(iceccd_t) > + > +kernel_read_system_state(iceccd_t) > + > +sysnet_read_config(iceccd_t) > + > +libs_use_ld_so(iceccd_t) > +libs_use_shared_libs(iceccd_t) > + > +miscfiles_read_localization(iceccd_t) > + > +######################################## > +# > +# 
iceccd_createenv policy > +# > + > +allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms; > + > +dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute }; > + > +allow iceccd_createenv_t iceccd_log_t:file { append }; > + > +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) > +manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t) > +# no files_var_filetrans, createenv does not create the cache dir itself Does iceccd_createenv_t not need: files_search_var(iceccd_createenv_t)? I expect that it needs to search /var to be able to find files/dirs with type iceccd_cache_t and i do not see where it is allowed to search /var It can be that the search perm is included in one of the interfaces below . > + > +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) > +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) > +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file }) Does iceccd_createenv_t not need: files_search_tmp(iceccd_createenv_t)? I expect that it needs to search /tmp to be able to find files/dirs with type iceccd_tmp_t and i do not see where it is allowed to search /tmp. 
It can be that the search perm is included in one of the interfaces below > + > +corecmd_exec_bin(iceccd_createenv_t) > +corecmd_exec_shell(iceccd_createenv_t) > + > +dev_read_urand(iceccd_createenv_t) > + > +files_read_etc_files(iceccd_createenv_t) > +files_read_usr_files(iceccd_createenv_t) > + > +kernel_read_system_state(iceccd_createenv_t) > + > +libs_exec_ld_so(iceccd_createenv_t) > +libs_exec_lib_files(iceccd_createenv_t) > + > +libs_domtrans_ldconfig(iceccd_createenv_t) > + > +libs_use_ld_so(iceccd_createenv_t) > +libs_use_shared_libs(iceccd_createenv_t) > + > +miscfiles_read_localization(iceccd_createenv_t) > + > +userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t) > + > +optional_policy(` > + nscd_socket_use(iceccd_createenv_t) > +') > + > +######################################## > +# > +# iceccd_untrusted policy > +# > + > +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms; > +allow iceccd_untrusted_t self:process signal_perms; > +allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms; > + > +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t) > + Does iceccd_untrusted_t not need: files_search_var(iceccd_untrusted_t)? 
I expect that it needs to search /var to be able to find files/dirs with type iceccd_cache_t and i do not see where it is allowed to search /var > +can_exec(iceccd_untrusted_t, iceccd_cache_t) > + > +######################################## > +# > +# icecc_scheduler policy > +# > + > +allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms; > +allow icecc_scheduler_t self:udp_socket create_socket_perms; > + > +corenet_all_recvfrom_unlabeled(icecc_scheduler_t) > +corenet_all_recvfrom_netlabel(icecc_scheduler_t) > +corenet_tcp_sendrecv_generic_if(icecc_scheduler_t) > +corenet_udp_sendrecv_generic_if(icecc_scheduler_t) > +corenet_tcp_sendrecv_generic_node(icecc_scheduler_t) > +corenet_udp_sendrecv_generic_node(icecc_scheduler_t) > +corenet_tcp_sendrecv_all_ports(icecc_scheduler_t) > +corenet_udp_sendrecv_all_ports(icecc_scheduler_t) > +corenet_tcp_bind_generic_node(icecc_scheduler_t) > +corenet_udp_bind_generic_node(icecc_scheduler_t) > +corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t) > +corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t) > +corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t) > + > +files_read_etc_files(icecc_scheduler_t) > + > +libs_use_ld_so(icecc_scheduler_t) > +libs_use_shared_libs(icecc_scheduler_t) > + > +miscfiles_read_localization(icecc_scheduler_t) > Index: policy/modules/services/icecream.fc > =================================================================== > --- policy/modules/services/icecream.fc (revision 0) > +++ policy/modules/services/icecream.fc (revision 0) 
> @@ -0,0 +1,5 @@ > +/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0) > +/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0) > +/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0) > +/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0) > +/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0) > Index: policy/modules/services/icecream.if > =================================================================== > --- policy/modules/services/icecream.if (revision 0) > +++ policy/modules/services/icecream.if (revision 0) > @@ -0,0 +1 @@ > +## <summary>Icecream distributed compiler daemon</summary> ^ permalink raw reply [flat|nested] 9+ messages in thread
* [refpolicy] [PATCH v1.0.3] add policy for Icecream 2009-03-03 0:08 ` Dominick Grift @ 2009-03-03 15:22 ` Michal Schmidt 0 siblings, 0 replies; 9+ messages in thread 
From: Michal Schmidt @ 2009-03-03 15:22 UTC (permalink / raw) To: refpolicy On Tue, 03 Mar 2009 01:08:46 +0100 Dominick Grift wrote: > On Tue, 2009-03-03 at 00:40 +0100, Michal Schmidt wrote: > > +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, > > iceccd_createenv_t) +domtrans_pattern(iceccd_t, iceccd_cache_t, > > iceccd_untrusted_t) + > > +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t) > > +logging_log_filetrans(iceccd_t, iceccd_log_t, file) > > + > > +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t) > > +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file) > > + > > +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) > > +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t) > > +files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file }) > > Does iceccd_t not need: files_search_var(iceccd_t)? > I expect that it needs to search /var to be able to find files/dirs > with type iceccd_cache_t/iceccd_log_t/iceccd_var_run_t and i do not > see where it is allowed to search /var > > It might also need permission to search var_run_t, var_log_t? > > It can be that the search perm is included in one of the interfaces > below. Permission to search /var is already implied: files_var_filetrans(iceccd_t, ..., ...) => filetrans_pattern(iceccd_t, var_t, ..., ...) => allow iceccd_t var_t:dir rw_dir_perms; (and rw_dir_perms contain the search permission.) Similarly, files_pid_filetrans implies the permission to search var_run_t and logging_log_filetrans implies the permission to search var_log_t. > > +files_search_tmp(iceccd_t) > > +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) > > +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t) > > +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file }) I see that by the same logic I can remove the explicit files_search_tmp, because it's already given by files_tmp_filetrans. 
> > +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, > > iceccd_cache_t) +manage_files_pattern(iceccd_createenv_t, > > iceccd_cache_t, iceccd_cache_t) +# no files_var_filetrans, > > createenv does not create the cache dir itself > > Does iceccd_createenv_t not need: > files_search_var(iceccd_createenv_t)? I expect that it needs to > search /var to be able to find files/dirs with type iceccd_cache_t > and i do not see where it is allowed to search /var > > It can be that the search perm is included in one of the interfaces > below. Ah, it gets included via nscd_socket_use. And since this is only in an optional_policy block, it's a bug. I must explicitly add files_search_var(iceccd_createenv_t) > > + > > +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t) > > +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, > > iceccd_tmp_t) +files_tmp_filetrans(iceccd_createenv_t, > > iceccd_tmp_t, { dir file }) > > Does iceccd_createenv_t not need: > files_search_tmp(iceccd_createenv_t)? I expect that it needs to > search /tmp to be able to find files/dirs with type iceccd_tmp_t and > i do not see where it is allowed to search /tmp. This is included via files_tmp_filetrans. > > +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms; > > +allow iceccd_untrusted_t self:process signal_perms; > > +allow iceccd_untrusted_t iceccd_t:unix_stream_socket > > rw_sock_file_perms; + > > +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, > > iceccd_cache_t) + > Does iceccd_untrusted_t not need: > files_search_var(iceccd_untrusted_t)? I expect that it needs to > search /var to be able to find files/dirs with type iceccd_cache_t > and i do not see where it is allowed to search /var iceccd_untrusted_t runs in a chroot, with iceccd_cache_t files and directories only. It never sees the leading components of the path (/var/cache/). Updated patch below. Michal This adds the policy for Icecream, a distributed compiler. 
Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2913)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -103,6 +103,8 @@
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te (revision 0)
+++ policy/modules/services/icecream.te (revision 0)
@@ -0,0 +1,204 @@
+
+policy_module(icecream,1.0.3)
+
+########################################
+#
+# iceccd declarations
+#
+
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+########################################
+#
+# iceccd_createenv declarations
+#
+
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+########################################
+#
+# icecc_scheduler declarations
+#
+
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+########################################
+#
+# iceccd policy
+#
+
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+ setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+ noatsecure };
+
+allow iceccd_t iceccd_untrusted_t:process signal;
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
+
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_read_etc_files(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+
+kernel_read_system_state(iceccd_t)
+
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
+
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+
+files_search_var(iceccd_createenv_t)
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
+
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+
+dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
+kernel_read_system_state(iceccd_createenv_t)
+
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc (revision 0)
+++ policy/modules/services/icecream.fc (revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if (revision 0)
+++ policy/modules/services/icecream.if (revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>
^ permalink raw reply [flat|nested] 9+ messages in thread
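Review bot: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` in the iceccd_untrusted section applies the sock_file permission set to a socket object class; the conventional set for a `unix_stream_socket` is `rw_socket_perms` (or an explicit `{ read write }`), and if `rw_sock_file_perms` expands to a permission such as `open` that is not defined on the socket class, the module will not compile at all. In the same section the untrusted domain gets both `manage_files_pattern` and `can_exec` on `iceccd_cache_t`, which is also the entrypoint type used by `domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)`, so a remote job that gains code execution can rewrite the cached environment that later jobs from other users are run from; that is inherent to the single-type design and should be stated in a comment such as `# untrusted jobs may modify the environment they execute from; a separate writable type for per-job output would tighten this` (whether iceccd keeps per-job output outside the unpacked environment needs confirming before such a split). `domain_type(iceccd_untrusted_t);` carries a trailing semicolon unlike every other interface call in the file and may be rejected as an empty statement; drop it. The `sys_chroot setuid setgid` capabilities on `iceccd_t` are the daemon's confinement boundary for remote code and deserve a why-comment, e.g. `# chroot into the unpacked environment and change uid before running the remote compiler` (presumed from the capability list; confirm against iceccd).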
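Review bot: The icecream.fc hunk labels the daemon, helper, log and cache paths but has no entry for the pid file that `files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)` creates, so a full relabel resets a leftover pid file to the generic var_run type; add an entry of the form `/var/run/<pidfile> -- gen_context(system_u:object_r:iceccd_var_run_t,s0)` once the file name is confirmed against the daemon. The `/var/cache/icecream(/.*)?` entry labels the entire tree, including anything a remote job writes there, as `iceccd_cache_t`, which the policy treats as an entrypoint for `iceccd_untrusted_t`; that matches the .te, but a one-line comment above the entry saying the tree holds untrusted, executable content would save the next maintainer from loosening it.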