rpms/icecream/EL-5 icecream.spec, 1.17, 1.18 icecream.te, 1.6, 1.7 sources, 1.5, 1.6 icecream-0.9.3-fix-gcc44-ftbfs.patch, 1.1, NONE
Michal Schmidt
michich at fedoraproject.org
Mon May 4 11:58:34 UTC 2009
Author: michich
Update of /cvs/pkgs/rpms/icecream/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28500
Modified Files:
icecream.spec icecream.te sources
Removed Files:
icecream-0.9.3-fix-gcc44-ftbfs.patch
Log Message:
* Thu Apr 30 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.4-1
- Upstream release 0.9.4.
- Dropped merged patches.
Index: icecream.spec
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/EL-5/icecream.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -p -r1.17 -r1.18
--- icecream.spec 16 Feb 2009 20:52:28 -0000 1.17
+++ icecream.spec 4 May 2009 11:58:03 -0000 1.18
@@ -1,5 +1,5 @@
%if 0%{?fedora}
-%bcond_without fedora
+%bcond_without fedora
%bcond_without selinux
%else
%bcond_with fedora
@@ -10,8 +10,8 @@
Name: icecream
-Version: 0.9.3
-Release: 3%{?dist}
+Version: 0.9.4
+Release: 1%{?dist}
Summary: Distributed compiler
Group: Development/Tools
@@ -29,7 +29,6 @@ Source7: initscript-scheduler
Source8: %{name}-manpages.tar.bz2
Patch0: %{name}-rename-scheduler.patch
Patch1: %{name}-cleanup-conffile.patch
-Patch2: %{name}-0.9.3-fix-gcc44-ftbfs.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -51,8 +50,8 @@ Requires(post): chkconfig policycoreuti
Requires(preun): chkconfig initscripts policycoreutils
Requires(postun): initscripts policycoreutils
-Provides: group(icecream) = 44
-Provides: user(icecream) = 44
+Provides: group(icecream) = 44
+Provides: user(icecream) = 44
# description copied from Debian icecc package
@@ -77,7 +76,6 @@ This package contains development files
%setup -q -a 8 -n icecc-%{version}
%patch0 -p1
%patch1 -p0
-%patch2 -p1
sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
mkdir SELinux
@@ -235,6 +233,22 @@ rm -rf %{buildroot}
%{_libdir}/pkgconfig/icecc.pc
%changelog
+* Thu Apr 30 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.4-1
+- Upstream release 0.9.4.
+- Dropped merged patches.
+
+* Mon Apr 06 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-6
+- Fix wrong permissions on the cache dir preventing the jobs from being
+ distributed.
+- SELinux policy update based on review comments on refpolicy ML.
+
+* Mon Mar 02 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-5
+- Fix a fd leak from iceccd + avoid using system().
+- Allows tighter SELinux policy.
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.9.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
* Mon Feb 16 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-3
- Do not use --disable-rpath, icecream's configure script does not understand
it and warns about it. We still remove rpath using the sed tricks.
Index: icecream.te
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/EL-5/icecream.te,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- icecream.te 16 Feb 2009 20:52:28 -0000 1.6
+++ icecream.te 4 May 2009 11:58:03 -0000 1.7
@@ -1,12 +1,11 @@
-policy_module(icecream,0.0.42)
+policy_module(icecream,0.1.3)
########################################
#
-# Declarations
+# iceccd declarations
#
-# the compiler node daemon
type iceccd_t;
type iceccd_exec_t;
init_daemon_domain(iceccd_t, iceccd_exec_t)
@@ -20,29 +19,39 @@ files_tmp_file(iceccd_tmp_t)
type iceccd_var_run_t;
files_pid_file(iceccd_var_run_t)
-# the working area
type iceccd_cache_t;
files_type(iceccd_cache_t)
-# icecc-create-env script makes a tarball of the local compiler and its
-# dependencies for other nodes to use
+########################################
+#
+# iceccd_createenv declarations
+#
+
type iceccd_createenv_t;
type iceccd_createenv_exec_t;
-domain_type(iceccd_createenv_t)
-domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
role system_r types iceccd_createenv_t;
-# foreign compilers
-type iceccd_untrusted_t;
-domain_type(iceccd_untrusted_t);
-domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
-role system_r types iceccd_untrusted_t;
+########################################
+#
+# icecc_scheduler declarations
+#
-# the scheduler
type icecc_scheduler_t;
type icecc_scheduler_exec_t;
init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+# port declarations. for separate module only.
type iceccd_port_t;
type icecc_scheduler_port_t;
corenet_port(iceccd_port_t);
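Review bot: The relocated `iceccd_untrusted_t` declarations lost their `# foreign compilers` comment, and nothing now explains that `domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)` makes every file of the cache type an entry point into the untrusted domain. That choice defines the confinement boundary for the foreign compilers, so I would add a comment under the new banner such as `# foreign compilers, executed out of the cache: the cache type is the entry point`. The description of `iceccd_createenv_t` was dropped as well and could be kept as `# icecc-create-env makes a tarball of the local compiler and its dependencies for other nodes`.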
@@ -50,31 +59,39 @@ corenet_port(icecc_scheduler_port_t);
########################################
#
-# Icecream policy
+# iceccd policy
#
-allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+ setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
allow iceccd_t self:tcp_socket create_stream_socket_perms;
allow iceccd_t self:udp_socket create_socket_perms;
-allow iceccd_t self:fifo_file rw_fifo_file_perms;
-allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
-allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
-files_read_etc_files(iceccd_t)
-libs_use_ld_so(iceccd_t)
-libs_use_shared_libs(iceccd_t)
-miscfiles_read_localization(iceccd_t)
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+ noatsecure };
-fs_getattr_all_fs(iceccd_t)
-kernel_read_system_state(iceccd_t)
-sysnet_read_config(iceccd_t)
+allow iceccd_t iceccd_untrusted_t:process signal;
-corecmd_exec_bin(iceccd_t)
-corecmd_read_bin_symlinks(iceccd_t)
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
-files_getattr_tmp_dirs(iceccd_t)
files_search_tmp(iceccd_t)
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
corenet_all_recvfrom_unlabeled(iceccd_t)
corenet_all_recvfrom_netlabel(iceccd_t)
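Review bot: `files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })` is wider than the rule it replaces, which covered `dir` only and carried an XXX comment calling it a workaround (that rule is removed in the next hunk). With `file` included, any plain file iceccd_t creates directly in a var_t directory gets the type that is also the entry point for iceccd_untrusted_t and that the untrusted domain may manage. If only the cache directory has to be recreated, I would keep `files_var_filetrans(iceccd_t, iceccd_cache_t, dir)` with a comment saying why; if plain files are needed, the comment should name them. The iceccd policy section continues past the end of this hunk.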
@@ -88,84 +105,89 @@ corenet_tcp_bind_generic_node(iceccd_t)
allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
-domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
-domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
-manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
-logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+#files_getattr_tmp_dirs(iceccd_t)
+files_read_etc_files(iceccd_t)
-manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
-files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+fs_getattr_all_fs(iceccd_t)
-manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+kernel_read_system_state(iceccd_t)
-manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
-allow iceccd_createenv_t iceccd_log_t:file { append };
allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
-# icecc-create-env looks for executable files to strip them. It does not
-# really execute them, but the -x check would trigger a denial. Do not allow
-# this, typically the binaries are already stripped anyway. Just silence it.
-dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
-allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
-allow iceccd_untrusted_t self:process signal_perms;
-allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
-manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
-allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
-files_read_etc_files(iceccd_createenv_t)
-libs_use_ld_so(iceccd_createenv_t)
-libs_use_shared_libs(iceccd_createenv_t)
-miscfiles_read_localization(iceccd_createenv_t)
+allow iceccd_createenv_t iceccd_log_t:file { append };
manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
-files_read_usr_files(iceccd_createenv_t)
-libs_exec_ld_so(iceccd_createenv_t)
-libs_exec_lib_files(iceccd_createenv_t)
-libs_domtrans_ldconfig(iceccd_createenv_t)
corecmd_exec_bin(iceccd_createenv_t)
corecmd_exec_shell(iceccd_createenv_t)
+
dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
kernel_read_system_state(iceccd_createenv_t)
-# silence file(1) looking for /root/.magic
-userdom_dontaudit_search_admin_dir(iceccd_createenv_t)
-manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
-files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
optional_policy(`
nscd_socket_use(iceccd_createenv_t)
')
-# Some rules that can probably go away when iceccd is fixed properly:
+########################################
#
-# XXX: icecc-create-env does not really need to talk to the open UDP socket
-# leaked from its parent.
-dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write };
-# XXX: iceccd could be modified to avoid the shell completely
-corecmd_exec_shell(iceccd_t)
-# XXX: fix iceccd to only nuke the contents of /var/cache/icecream,
-# not the directory itself.
-files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_stream_socket_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
allow icecc_scheduler_t self:udp_socket create_socket_perms;
-files_read_etc_files(icecc_scheduler_t)
-libs_use_ld_so(icecc_scheduler_t)
-libs_use_shared_libs(icecc_scheduler_t)
-miscfiles_read_localization(icecc_scheduler_t)
-
corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
corenet_all_recvfrom_netlabel(icecc_scheduler_t)
corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
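Review bot: In the new iceccd_untrusted section, `rw_stream_socket_perms` on `iceccd_t:unix_stream_socket` probably grants the least-trusted domain more than read/write on a socket it inherits from iceccd. In the reference policy that set also covers operations such as connect, listen and accept, which is worth confirming against the EL-5 macro definitions. If the foreign compiler only uses a descriptor handed to it by the daemon, a narrower rule such as `allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write getattr };` would fit the domain's purpose better. Separately, the comment explaining `dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };` was dropped in this hunk; a dontaudit rule hides denials from the audit log, so its rationale is worth keeping next to it.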
@@ -178,3 +200,10 @@ corenet_tcp_bind_generic_node(icecc_sche
corenet_udp_bind_generic_node(icecc_scheduler_t)
allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/EL-5/sources,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -p -r1.5 -r1.6
--- sources 16 Feb 2009 12:22:04 -0000 1.5
+++ sources 4 May 2009 11:58:03 -0000 1.6
@@ -1,2 +1,2 @@
-34bb950331ef5256299a2de4cf402ea6 icecc-0.9.3.tar.bz2
+b52192df5aa3713910fdf481dda4119e icecc-0.9.4.tar.bz2
a3829775870d5b2b60b750a88ee835b7 icecream-manpages.tar.bz2
--- icecream-0.9.3-fix-gcc44-ftbfs.patch DELETED ---