rpms/icecream/EL-5 icecream.spec, 1.17, 1.18 icecream.te, 1.6, 1.7 sources, 1.5, 1.6 icecream-0.9.3-fix-gcc44-ftbfs.patch, 1.1, NONE

Michal Schmidt michich at fedoraproject.org
Mon May 4 11:58:34 UTC 2009


Author: michich

Update of /cvs/pkgs/rpms/icecream/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28500

Modified Files:
	icecream.spec icecream.te sources 
Removed Files:
	icecream-0.9.3-fix-gcc44-ftbfs.patch 
Log Message:
* Thu Apr 30 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.4-1
- Upstream release 0.9.4.
- Dropped merged patches.



Index: icecream.spec
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/EL-5/icecream.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -p -r1.17 -r1.18
--- icecream.spec	16 Feb 2009 20:52:28 -0000	1.17
+++ icecream.spec	4 May 2009 11:58:03 -0000	1.18
@@ -1,5 +1,5 @@
 %if 0%{?fedora}
-%bcond_without  fedora
+%bcond_without	fedora
 %bcond_without	selinux
 %else
 %bcond_with	fedora
@@ -10,8 +10,8 @@
 
 
 Name:		icecream
-Version:	0.9.3
-Release:	3%{?dist}
+Version:	0.9.4
+Release:	1%{?dist}
 Summary:	Distributed compiler
 
 Group:		Development/Tools
@@ -29,7 +29,6 @@ Source7:	initscript-scheduler
 Source8:	%{name}-manpages.tar.bz2
 Patch0:		%{name}-rename-scheduler.patch
 Patch1:		%{name}-cleanup-conffile.patch
-Patch2:		%{name}-0.9.3-fix-gcc44-ftbfs.patch
 
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -51,8 +50,8 @@ Requires(post):		chkconfig policycoreuti
 Requires(preun):	chkconfig initscripts policycoreutils 
 Requires(postun):	initscripts policycoreutils
 
-Provides:	group(icecream) = 44
-Provides:	user(icecream)  = 44
+Provides:	group(icecream)	= 44
+Provides:	user(icecream)	= 44
 
 
 # description copied from Debian icecc package
@@ -77,7 +76,6 @@ This package contains development files 
 %setup -q -a 8 -n icecc-%{version}
 %patch0 -p1
 %patch1 -p0
-%patch2 -p1
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
 mkdir SELinux
@@ -235,6 +233,22 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/icecc.pc
 
 %changelog
+* Thu Apr 30 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.4-1
+- Upstream release 0.9.4.
+- Dropped merged patches.
+
+* Mon Apr 06 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-6
+- Fix wrong permissions on the cache dir preventing the jobs from being
+  distributed.
+- SELinux policy update based on review comments on refpolicy ML.
+
+* Mon Mar 02 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-5
+- Fix a fd leak from iceccd + avoid using system().
+- Allows tighter SELinux policy.
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.9.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
 * Mon Feb 16 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-3
 - Do not use --disable-rpath, icecream's configure script does not understand
   it and warns about it. We still remove rpath using the sed tricks.


Index: icecream.te
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/EL-5/icecream.te,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- icecream.te	16 Feb 2009 20:52:28 -0000	1.6
+++ icecream.te	4 May 2009 11:58:03 -0000	1.7
@@ -1,12 +1,11 @@
 
-policy_module(icecream,0.0.42)
+policy_module(icecream,0.1.3)
 
 ########################################
 #
-# Declarations
+# iceccd declarations
 #
 
-# the compiler node daemon
 type iceccd_t;
 type iceccd_exec_t;
 init_daemon_domain(iceccd_t, iceccd_exec_t)
@@ -20,29 +19,39 @@ files_tmp_file(iceccd_tmp_t)
 type iceccd_var_run_t;
 files_pid_file(iceccd_var_run_t)
 
-# the working area
 type iceccd_cache_t;
 files_type(iceccd_cache_t)
 
-# icecc-create-env script makes a tarball of the local compiler and its
-# dependencies for other nodes to use
+########################################
+#
+# iceccd_createenv declarations
+#
+
 type iceccd_createenv_t;
 type iceccd_createenv_exec_t;
-domain_type(iceccd_createenv_t)
-domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
 role system_r types iceccd_createenv_t;
 
-# foreign compilers
-type iceccd_untrusted_t;
-domain_type(iceccd_untrusted_t);
-domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
-role system_r types iceccd_untrusted_t;
+########################################
+#
+# icecc_scheduler declarations
+#
 
-# the scheduler
 type icecc_scheduler_t;
 type icecc_scheduler_exec_t;
 init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
 
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+# port declarations. for separate module only.
 type iceccd_port_t;
 type icecc_scheduler_port_t;
 corenet_port(iceccd_port_t);
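Review bot: The new iceccd_untrusted declarations drop the old `# foreign compilers` comment, so nothing explains why `domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)` makes the daemon's cache type an entrypoint. That line defines which files may start the untrusted domain, so I would add a comment above `type iceccd_untrusted_t;`, for example `# foreign compilers run in this domain; files in the cache (iceccd_cache_t) are its entrypoint`. The iceccd_createenv section has the same gap: the removed two-line description of icecc-create-env could be kept under the new header.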
@@ -50,31 +59,39 @@ corenet_port(icecc_scheduler_port_t);
 
 ########################################
 #
-# Icecream policy
+# iceccd policy
 #
 
-allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+	setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
 allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
 allow iceccd_t self:tcp_socket create_stream_socket_perms;
 allow iceccd_t self:udp_socket create_socket_perms;
-allow iceccd_t self:fifo_file rw_fifo_file_perms;
-allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
-allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
 
-files_read_etc_files(iceccd_t)
-libs_use_ld_so(iceccd_t)
-libs_use_shared_libs(iceccd_t)
-miscfiles_read_localization(iceccd_t)
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+	noatsecure };
 
-fs_getattr_all_fs(iceccd_t)
-kernel_read_system_state(iceccd_t)
-sysnet_read_config(iceccd_t)
+allow iceccd_t iceccd_untrusted_t:process signal;
 
-corecmd_exec_bin(iceccd_t)
-corecmd_read_bin_symlinks(iceccd_t)
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
 
-files_getattr_tmp_dirs(iceccd_t)
 files_search_tmp(iceccd_t)
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
 
 corenet_all_recvfrom_unlabeled(iceccd_t)
 corenet_all_recvfrom_netlabel(iceccd_t)
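Review bot: `files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })` now covers plain files as well as directories. The rule it replaces, removed further down in this file, covered `dir` only and carried an XXX comment describing it as a workaround for iceccd removing the cache directory itself. Because iceccd_cache_t is also the entrypoint type used by `domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)` a few lines above, I would keep the transition as narrow as the daemon needs; if only the directory is created under a var_t parent, `files_var_filetrans(iceccd_t, iceccd_cache_t, dir)` is enough. If `file` is required, a one-line comment naming the file iceccd creates there would help. The iceccd policy section continues outside this hunk.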
@@ -88,84 +105,89 @@ corenet_tcp_bind_generic_node(iceccd_t)
 allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
 allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
 
-domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
-domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
 
-manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
-logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+#files_getattr_tmp_dirs(iceccd_t)
+files_read_etc_files(iceccd_t)
 
-manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
-files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+fs_getattr_all_fs(iceccd_t)
 
-manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+kernel_read_system_state(iceccd_t)
 
-manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
 
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
 
-allow iceccd_createenv_t iceccd_log_t:file { append };
 allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
-# icecc-create-env looks for executable files to strip them. It does not
-# really execute them, but the -x check would trigger a denial. Do not allow
-# this, typically the binaries are already stripped anyway. Just silence it.
-dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
 
-allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
-allow iceccd_untrusted_t self:process signal_perms;
-allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
-manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
-allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
 
-files_read_etc_files(iceccd_createenv_t)
-libs_use_ld_so(iceccd_createenv_t)
-libs_use_shared_libs(iceccd_createenv_t)
-miscfiles_read_localization(iceccd_createenv_t)
+allow iceccd_createenv_t iceccd_log_t:file { append };
 
 manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
 manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
 
-files_read_usr_files(iceccd_createenv_t)
-libs_exec_ld_so(iceccd_createenv_t)
-libs_exec_lib_files(iceccd_createenv_t)
-libs_domtrans_ldconfig(iceccd_createenv_t)
 corecmd_exec_bin(iceccd_createenv_t)
 corecmd_exec_shell(iceccd_createenv_t)
+
 dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
 kernel_read_system_state(iceccd_createenv_t)
-# silence file(1) looking for /root/.magic
-userdom_dontaudit_search_admin_dir(iceccd_createenv_t)
 
-manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
-files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
 
 optional_policy(`
 	nscd_socket_use(iceccd_createenv_t)
 ')
 
-# Some rules that can probably go away when iceccd is fixed properly:
+########################################
 #
-# XXX: icecc-create-env does not really need to talk to the open UDP socket
-# leaked from its parent.
-dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write };
-# XXX: iceccd could be modified to avoid the shell completely
-corecmd_exec_shell(iceccd_t)
-# XXX: fix iceccd to only nuke the contents of /var/cache/icecream,
-# not the directory itself.
-files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_stream_socket_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
 
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
 
 allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
 allow icecc_scheduler_t self:udp_socket create_socket_perms;
 
-files_read_etc_files(icecc_scheduler_t)
-libs_use_ld_so(icecc_scheduler_t)
-libs_use_shared_libs(icecc_scheduler_t)
-miscfiles_read_localization(icecc_scheduler_t)
-
 corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
 corenet_all_recvfrom_netlabel(icecc_scheduler_t)
 corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
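Review bot: The two dontaudit rules for iceccd_createenv_t lose their rationale in this reordering: `dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };` and `userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)` now stand without comment. A dontaudit rule hides denials from the audit log, so anyone later investigating this domain needs to know which benign access each one silences; I would restore `# icecc-create-env only tests -x to find files to strip, it does not execute them` above the first and `# silence file(1) looking for /root/.magic` above the second. The second rule also changed from the admin-dir interface to the user-home-dirs one, so it is worth confirming it still matches the /root lookup on the target policy. The leftover `#files_getattr_tmp_dirs(iceccd_t)` should either be deleted or get a short comment on why it is disabled.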
@@ -178,3 +200,10 @@ corenet_tcp_bind_generic_node(icecc_sche
 corenet_udp_bind_generic_node(icecc_scheduler_t)
 allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
 allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)


Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/EL-5/sources,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -p -r1.5 -r1.6
--- sources	16 Feb 2009 12:22:04 -0000	1.5
+++ sources	4 May 2009 11:58:03 -0000	1.6
@@ -1,2 +1,2 @@
-34bb950331ef5256299a2de4cf402ea6  icecc-0.9.3.tar.bz2
+b52192df5aa3713910fdf481dda4119e  icecc-0.9.4.tar.bz2
 a3829775870d5b2b60b750a88ee835b7  icecream-manpages.tar.bz2


--- icecream-0.9.3-fix-gcc44-ftbfs.patch DELETED ---



