rpms/icecream/devel icecream-0.9.3-fix-perms-of-cache.patch, NONE, 1.1 icecream.spec, 1.19, 1.20 icecream.te, 1.7, 1.8

Michal Schmidt michich at fedoraproject.org
Sun Apr 5 23:01:07 UTC 2009


Author: michich

Update of /cvs/pkgs/rpms/icecream/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14354

Modified Files:
	icecream.spec icecream.te 
Added Files:
	icecream-0.9.3-fix-perms-of-cache.patch 
Log Message:
* Mon Apr 06 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-6
- Fix wrong permissions on the cache dir preventing the jobs from being
  distributed.
- SELinux policy update based on review comments on refpolicy ML.


icecream-0.9.3-fix-perms-of-cache.patch:

--- NEW FILE icecream-0.9.3-fix-perms-of-cache.patch ---
Patch sent upstream (to Stephan Kulow) on 2009-04-06. -- Michal

commit e5dcc8beda99ffb4cb19b8eef024dbc22b010d54
Author: Michal Schmidt <mschmidt at redhat.com>
Date:   Sun Apr 5 23:32:32 2009 +0200

    fix permissions in the cache dir
    
    The way icecream changes permissions of /var/cache/icecream is buggy.
    When the daemon initializes, it creates the directory owned by root:root
    and readable for everyone. As soon as it installs a foreign environment,
    it changes the owner to root:icecream and removes access for everyone
    else.  This causes trouble for locally run icecc which wants read access
    to /var/cache/icecream/native. As a result, local compile jobs can no
    longer determine the native environment and fail to get distributed to
    other nodes.
    
    This patch assigns the owners and permissions like this:
    0755 root:root      /var/cache/icecream/
    0775 root:icecream  /var/cache/icecream/native/
    0770 root:icecream  /var/cache/icecream/target=<target>/
    0770 root:icecream  /var/cache/icecream/target=<target>/<hash>/
    
    It also sets the umask in the initialization of the daemon so that we
    can depend on it being sane and we no longer need some of the chmods.
    
    The access() check in start_install_environment() can be dropped,
    because if we don't have access, we'll soon find out anyway.

diff --git a/daemon/environment.cpp b/daemon/environment.cpp
index 9dc2831..979da91 100644
--- a/daemon/environment.cpp
+++ b/daemon/environment.cpp
@@ -180,8 +180,6 @@ bool cleanup_cache( const string &basedir )
             log_perror( "mkdir in cleanup_cache() failed" );
         return false;
     }
-    chown( basedir.c_str(), 0, 0 );
-    chmod( basedir.c_str(), 0755 );
 
     return ret;
 }
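Review bot: With the chown/chmod of basedir removed, the mode of the base cache directory is now fixed solely by the mkdir mode (above this hunk) combined with the process umask that this patch sets in main(), and nothing in cleanup_cache states that dependence. A short comment beside the mkdir error branch would capture it, e.g. `// basedir mode relies on the umask(022) set in main(); no explicit chmod here`. The same dependence is created by the umask(022) dropped from the forked child in setup_env_cache (the third hunk of this file). The mkdir call of cleanup_cache starts above this hunk.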
@@ -219,14 +217,14 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
     if ( ::access( "/usr/bin/gcc", X_OK ) || ::access( "/usr/bin/g++", X_OK ) ) 
 	return 0;
 
-    if ( mkdir( nativedir.c_str(), 0755 ) )
+    if ( mkdir( nativedir.c_str(), 0775 ) )
    	return 0; 
 
-    if ( chown( nativedir.c_str(), nobody_uid, nobody_gid) ) {
+    if ( chown( nativedir.c_str(), 0, nobody_gid ) ||
+         chmod( nativedir.c_str(), 0775 ) ) {
 	rmdir( nativedir.c_str() );
 	return 0;
     }
-    chmod( nativedir.c_str(), 0755 );
 
     flush_debug();
     pid_t pid = fork();
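Review bot: The `chmod( nativedir.c_str(), 0775 )` added after the mkdir is what actually grants the group write bit, because the umask(022) this patch installs in main() strips it from the mode passed to mkdir; that pairing is easy to mistake for a redundant call and deserves a comment, e.g. `// umask 022 drops g+w from mkdir's mode; chmod restores 0775 for the nobody_gid child below`. The group-write grant presumably exists for the `setgid( nobody_gid )` child visible further down in this hunk, which is worth saying in the same comment. setup_env_cache continues beyond this hunk.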
@@ -251,7 +249,6 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
         }
     }
     // else
-    umask(022);
 
     if ( setgid( nobody_gid ) < 0) {
       log_perror("setgid failed");
@@ -313,30 +310,28 @@ pid_t start_install_environment( const std::string &basename, const std::string
             compression = BZip2;
     }
 
-    if( ::access( basename.c_str(), W_OK ) ) {
-       log_error() << "access for basename " <<  basename.c_str() << " gives " << strerror(errno) << endl;
-       return 0;
-    }
-
-    chown( basename.c_str(), 0, nobody_gid );
-    chmod( basename.c_str(), 0770 );
-
-    if ( mkdir( dirname.c_str(), 0755 ) && errno != EEXIST ) {
+    if ( mkdir( dirname.c_str(), 0770 ) && errno != EEXIST ) {
         log_perror( "mkdir target" );
         return 0;
     }
 
-    chown( dirname.c_str(), 0, nobody_gid );
-    chmod( dirname.c_str(), 0770 );
+    if ( chown( dirname.c_str(), 0, nobody_gid ) ||
+         chmod( dirname.c_str(), 0770 ) ) {
+        log_perror( "chown,chmod target" );
+        return 0;
+    }
 
     dirname = dirname + "/" + name;
-    if ( mkdir( dirname.c_str(), 0700 ) ) {
+    if ( mkdir( dirname.c_str(), 0770 ) ) {
         log_perror( "mkdir name" );
         return 0;
     }
 
-    chown( dirname.c_str(), 0, nobody_gid );
-    chmod( dirname.c_str(), 0770 );
+    if ( chown( dirname.c_str(), 0, nobody_gid ) ||
+         chmod( dirname.c_str(), 0770 ) ) {
+        log_perror( "chown,chmod name" );
+        return 0;
+    }
 
     int fds[2];
     if ( pipe( fds ) )
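Review bot: The new `chown,chmod name` failure branch leaves behind the directory it has just created: `mkdir( dirname.c_str(), 0770 )` for name succeeded a few lines earlier and, unlike the target-directory mkdir, its EEXIST is not tolerated, so one transient chown/chmod failure leaves a wrongly-owned `<hash>` directory that makes every later install of that environment fail at `mkdir name`. setup_env_cache in the second hunk removes nativedir in the same situation; mirroring that here with `rmdir( dirname.c_str() );` before the `return 0;` of that branch keeps the two paths consistent. The earlier `chown,chmod target` branch can stay as is, since that directory may legitimately pre-exist. start_install_environment continues beyond this hunk.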
diff --git a/daemon/main.cpp b/daemon/main.cpp
index 17fc761..7a6498f 100644
--- a/daemon/main.cpp
+++ b/daemon/main.cpp
@@ -1598,6 +1598,8 @@ int main( int argc, char ** argv )
         }
     }
 
+    umask(022);
+
     if ( !logfile.length() && detach)
         logfile = "/var/log/iceccd";
 
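Review bot: The added `umask(022);` is now the only thing that fixes the mode of the base cache directory, since environment.cpp no longer chmods it in this patch, but the call carries no comment saying so; `// cache-dir permissions in environment.cpp depend on this umask` would tell the next reader why it must not be removed or moved. Anything above this point in main() that creates files still runs under the inherited umask; if nothing does, hoisting the call to the top of main() removes the question entirely. main() continues outside this hunk.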


Index: icecream.spec
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/devel/icecream.spec,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- icecream.spec	2 Mar 2009 10:21:00 -0000	1.19
+++ icecream.spec	5 Apr 2009 23:00:36 -0000	1.20
@@ -11,7 +11,7 @@
 
 Name:		icecream
 Version:	0.9.3
-Release:	5%{?dist}
+Release:	6%{?dist}
 Summary:	Distributed compiler
 
 Group:		Development/Tools
@@ -31,6 +31,7 @@
 Patch1:		%{name}-cleanup-conffile.patch
 Patch2:		%{name}-0.9.3-fix-gcc44-ftbfs.patch
 Patch3:		%{name}-0.9.3-tighten-security.patch
+Patch4:		%{name}-0.9.3-fix-perms-of-cache.patch
 
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -80,6 +81,7 @@
 %patch1 -p0
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
 mkdir SELinux
@@ -237,6 +239,11 @@
 %{_libdir}/pkgconfig/icecc.pc
 
 %changelog
+* Mon Apr 06 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-6
+- Fix wrong permissions on the cache dir preventing the jobs from being
+  distributed.
+- SELinux policy update based on review comments on refpolicy ML.
+
 * Mon Mar 02 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-5
 - Fix a fd leak from iceccd + avoid using system().
 - Allows tighter SELinux policy.


Index: icecream.te
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/devel/icecream.te,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- icecream.te	2 Mar 2009 10:21:00 -0000	1.7
+++ icecream.te	5 Apr 2009 23:00:36 -0000	1.8
@@ -1,12 +1,11 @@
 
-policy_module(icecream,0.0.43)
+policy_module(icecream,0.1.3)
 
 ########################################
 #
-# Declarations
+# iceccd declarations
 #
 
-# the compiler node daemon
 type iceccd_t;
 type iceccd_exec_t;
 init_daemon_domain(iceccd_t, iceccd_exec_t)
@@ -20,29 +19,39 @@
 type iceccd_var_run_t;
 files_pid_file(iceccd_var_run_t)
 
-# the working area
 type iceccd_cache_t;
 files_type(iceccd_cache_t)
 
-# icecc-create-env script makes a tarball of the local compiler and its
-# dependencies for other nodes to use
+########################################
+#
+# iceccd_createenv declarations
+#
+
 type iceccd_createenv_t;
 type iceccd_createenv_exec_t;
-domain_type(iceccd_createenv_t)
-domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
 role system_r types iceccd_createenv_t;
 
-# foreign compilers
-type iceccd_untrusted_t;
-domain_type(iceccd_untrusted_t);
-domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
-role system_r types iceccd_untrusted_t;
+########################################
+#
+# icecc_scheduler declarations
+#
 
-# the scheduler
 type icecc_scheduler_t;
 type icecc_scheduler_exec_t;
 init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
 
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+# port declarations. for separate module only.
 type iceccd_port_t;
 type icecc_scheduler_port_t;
 corenet_port(iceccd_port_t);
@@ -50,31 +59,39 @@
 
 ########################################
 #
-# Icecream policy
+# iceccd policy
 #
 
-allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+	setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
 allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
 allow iceccd_t self:tcp_socket create_stream_socket_perms;
 allow iceccd_t self:udp_socket create_socket_perms;
-allow iceccd_t self:fifo_file rw_fifo_file_perms;
-allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
-allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
 
-files_read_etc_files(iceccd_t)
-libs_use_ld_so(iceccd_t)
-libs_use_shared_libs(iceccd_t)
-miscfiles_read_localization(iceccd_t)
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+	noatsecure };
 
-fs_getattr_all_fs(iceccd_t)
-kernel_read_system_state(iceccd_t)
-sysnet_read_config(iceccd_t)
+allow iceccd_t iceccd_untrusted_t:process signal;
 
-corecmd_exec_bin(iceccd_t)
-corecmd_read_bin_symlinks(iceccd_t)
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
 
-files_getattr_tmp_dirs(iceccd_t)
 files_search_tmp(iceccd_t)
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
 
 corenet_all_recvfrom_unlabeled(iceccd_t)
 corenet_all_recvfrom_netlabel(iceccd_t)
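Review bot: `allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot }` keeps dac_override, which lets the daemon bypass every file-mode check, and with the accompanying environment.cpp patch making root the owner of every cache directory it may no longer be exercised at all. It is the broadest capability in the set, so it is worth rerunning the daemon under audit with it removed and dropping it if no denial appears. If it is still needed, a comment naming the access that requires it would keep it from being carried forward unexamined.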
@@ -88,77 +105,89 @@
 allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
 allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
 
-domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
-domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
 
-manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
-logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+#files_getattr_tmp_dirs(iceccd_t)
+files_read_etc_files(iceccd_t)
 
-manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
-files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+fs_getattr_all_fs(iceccd_t)
 
-manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+kernel_read_system_state(iceccd_t)
 
-manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
+sysnet_read_config(iceccd_t)
 
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
 
-allow iceccd_createenv_t iceccd_log_t:file { append };
 allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
-# icecc-create-env looks for executable files to strip them. It does not
-# really execute them, but the -x check would trigger a denial. Do not allow
-# this, typically the binaries are already stripped anyway. Just silence it.
-dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
 
-allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
-allow iceccd_untrusted_t self:process signal_perms;
-allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
-manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
-allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
 
-files_read_etc_files(iceccd_createenv_t)
-libs_use_ld_so(iceccd_createenv_t)
-libs_use_shared_libs(iceccd_createenv_t)
-miscfiles_read_localization(iceccd_createenv_t)
+allow iceccd_createenv_t iceccd_log_t:file { append };
 
 manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
 manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
 
-files_read_usr_files(iceccd_createenv_t)
-libs_exec_ld_so(iceccd_createenv_t)
-libs_exec_lib_files(iceccd_createenv_t)
-libs_domtrans_ldconfig(iceccd_createenv_t)
 corecmd_exec_bin(iceccd_createenv_t)
 corecmd_exec_shell(iceccd_createenv_t)
+
 dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
 kernel_read_system_state(iceccd_createenv_t)
-# silence file(1) looking for /root/.magic
-userdom_dontaudit_search_admin_dir(iceccd_createenv_t)
 
-manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
-files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
 
 optional_policy(`
 	nscd_socket_use(iceccd_createenv_t)
 ')
 
-# XXX: This could be avoided if iceccd only nuked the contents of
-# /var/cache/icecream, not the directory itself.
-files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_stream_socket_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
 
+########################################
+#
+# icecc_scheduler policy
+#
 
 allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
 allow icecc_scheduler_t self:udp_socket create_socket_perms;
 
-files_read_etc_files(icecc_scheduler_t)
-libs_use_ld_so(icecc_scheduler_t)
-libs_use_shared_libs(icecc_scheduler_t)
-miscfiles_read_localization(icecc_scheduler_t)
-
 corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
 corenet_all_recvfrom_netlabel(icecc_scheduler_t)
 corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
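Review bot: `manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` together with the new `can_exec(iceccd_untrusted_t, iceccd_cache_t)` lets the untrusted domain both modify and execute the same files, so a misbehaving foreign compiler can alter the cached environment that later jobs run from. If the untrusted jobs only need to read and run the unpacked compiler (iceccd_t already holds manage on iceccd_cache_t and does the unpacking), a read/execute-only pattern here would restore a write-xor-execute split; if they genuinely write scratch output under the cache, a separate type for that writable subtree would achieve the same. The dropped `# silence file(1) looking for /root/.magic` comment was the only explanation of the userdom dontaudit rule; restoring it next to `userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)` would also prompt a check that the replacement interface still covers that path.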
@@ -171,3 +200,10 @@
 corenet_udp_bind_generic_node(icecc_scheduler_t)
 allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
 allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)



