[icecream] revive the SELinux module
Michal Schmidt
michich at fedoraproject.org
Fri Aug 30 14:24:00 UTC 2013
commit 48d39d8a2c5de13323da3945336f5baf75016d30
Author: Michal Schmidt <mschmidt at redhat.com>
Date: Tue Aug 27 14:55:05 2013 +0200
revive the SELinux module
- Update the SELinux policy module and build it.
- Use tmpfiles.d to create /run/icecc instead of letting the daemon write to
var_run_t directly.
- Add a patch to stop icecc-create-env from reading /etc/passwd.
- Batch semanage calls in scriptlets.
...reate-env-avoid-tar-looking-at-etc-passwd.patch | 28 ++++++++
...main-do-not-create-run-icecc-by-ourselves.patch | 30 +++++++++
iceccd.service | 3 +
icecream-tmpfiles.conf | 1 +
icecream.fc | 8 +-
icecream.spec | 68 ++++++++++++++------
icecream.te | 30 +++++----
7 files changed, 130 insertions(+), 38 deletions(-)
---
diff --git a/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch b/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
new file mode 100644
index 0000000..e142b90
--- /dev/null
+++ b/0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
@@ -0,0 +1,28 @@
+From 26461a88508f277c33d95f5c5eb52cdd8d7c7737 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Thu, 29 Aug 2013 15:54:19 +0200
+Subject: [PATCH 6/6] icecc-create-env: avoid tar looking at /etc/passwd
+
+If we invoke tar with --numeric-owner, it won't try to read /etc/passwd.
+This has the minor benefit of not having to worry about this access in
+the SELinux policy.
+---
+ client/icecc-create-env | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/client/icecc-create-env b/client/icecc-create-env
+index 029e351..1379ce1 100755
+--- a/client/icecc-create-env
++++ b/client/icecc-create-env
+@@ -337,7 +337,7 @@ md5=`for i in $target_files; do $md5sum $tempdir/$i; done | sed -e 's/ .*$//' |
+ echo "creating $md5.tar.gz"
+ mydir=`pwd`
+ cd $tempdir
+-tar -czhf "$mydir/$md5".tar.gz $target_files || {
++tar -czh --numeric-owner -f "$mydir/$md5".tar.gz $target_files || {
+ echo "Couldn't create archive"
+ exit 3
+ }
+--
+1.8.3.1
+
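Review bot: The patch message describes only the /etc/passwd side of `--numeric-owner`, but the flag also changes the archive itself: owner and group are stored as numeric ids with no user/group names, so anything that resolves names at extraction time would behave differently. That is presumably harmless for an environment tarball the daemon unpacks into a chroot, but it deserves a sentence in the message, e.g. `Side effect: the archive carries numeric uid/gid only; nothing on the extraction side depends on the names.` — confirm the second half against the daemon's extraction code. The unquoted `$target_files` word-splitting on the same line predates this patch.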
diff --git a/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch b/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
new file mode 100644
index 0000000..8619deb
--- /dev/null
+++ b/0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
@@ -0,0 +1,30 @@
+From b67c1d823282b062c9804772756487f78a599ade Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Thu, 29 Aug 2013 18:12:02 +0200
+Subject: [PATCH 7/7] daemon/main: do not create /run/icecc by ourselves
+
+In order to be able to restrict the daemon's SELinux policy even more,
+let's rely on tmpfiles.d to create the /run/icecc directory for us
+instead of creating it from the daemon.
+---
+ daemon/main.cpp | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/daemon/main.cpp b/daemon/main.cpp
+index e08b1e1..387d4e2 100644
+--- a/daemon/main.cpp
++++ b/daemon/main.cpp
+@@ -1801,10 +1801,6 @@ int main( int argc, char ** argv )
+ logfile = "/var/log/icecc/iceccd.log";
+ }
+
+- mkdir("/var/run/icecc", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+- chmod("/var/run/icecc", S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+- chown("/var/run/icecc", d.user_uid, d.user_gid);
+-
+ #ifdef HAVE_LIBCAP_NG
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_update(CAPNG_ADD, (capng_type_t)(CAPNG_EFFECTIVE|CAPNG_PERMITTED), CAP_SYS_CHROOT);
+--
+1.8.3.1
+
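Review bot: With the `mkdir`/`chmod`/`chown` removed, `main` now assumes `/var/run/icecc` already exists, but nothing visible in the hunk checks that assumption, so a daemon started outside systemd (no tmpfiles.d pass) will presumably fail later at socket creation with an error that does not name the cause. Unless the later bind error path already reports it clearly, a stat check where the mkdir used to be would make the dependency explicit; the rewritten lines are below. The ownership model also changes from a 0755 directory owned by the daemon's user to tmpfiles.d's 0775 root:icecream, which is worth a sentence in the patch description. The body of `main` starts and ends outside the hunk.
```cpp
    // /var/run/icecc is created by tmpfiles.d (0775 root:icecream); refuse
    // to continue without it rather than failing later at socket creation.
    struct stat st;
    if (stat("/var/run/icecc", &st) != 0 || !S_ISDIR(st.st_mode)) {
        log_error() << "/var/run/icecc does not exist; it is expected to be created by tmpfiles.d" << endl;
        return 1;
    }
    // … unchanged: HAVE_LIBCAP_NG capability setup …
```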
diff --git a/iceccd.service b/iceccd.service
index 6a61dda..2e8743f 100644
--- a/iceccd.service
+++ b/iceccd.service
@@ -4,6 +4,9 @@ After=network.target nss-lookup.target
[Service]
Type=simple
+# Set SHELL so that icecc-create-env does not have to attempt to detect its
+# value by reading /etc/passwd. The SELinux policy does not need to allow it.
+Environment=SHELL=/bin/bash
ExecStart=/usr/libexec/icecc/iceccd-wrapper -u icecream -b /var/cache/icecream -l /var/log/icecc/iceccd.log
Nice=5
diff --git a/icecream-tmpfiles.conf b/icecream-tmpfiles.conf
new file mode 100644
index 0000000..5367dac
--- /dev/null
+++ b/icecream-tmpfiles.conf
@@ -0,0 +1 @@
+d /run/icecc 0775 root icecream -
diff --git a/icecream.fc b/icecream.fc
index 808cfcc..d9d3613 100644
--- a/icecream.fc
+++ b/icecream.fc
@@ -1,6 +1,6 @@
/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
-/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
-/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
-/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
-/var/log/icecc[-_]scheduler -- gen_context(system_u:object_r:icecc_scheduler_log_t,s0)
+/usr/libexec/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/icecc(/.*)? gen_context(system_u:object_r:icecc_log_t,s0)
+/var/run/icecc(/.*)? gen_context(system_u:object_r:iceccd_var_run_t,s0)
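Review bot: The file-context entries for `/var/log/iceccd` and `/var/log/icecc[-_]scheduler` are dropped here while the types they carried are renamed or removed in the icecream.te hunks (`iceccd_log_t` → `icecc_log_t`, `icecc_scheduler_log_t` deleted), so log files left over from a previous release keep an on-disk label that no longer exists in the loaded policy and, if I recall correctly, are then treated as unlabeled_t. The %post only runs restorecon on `%{_localstatedir}/log/icecc`, so those leftovers are never fixed up; either keep entries for the old paths and include them in the restorecon, or note in the changelog that old logs need a manual `restorecon`. This only affects upgrades from 1.0.1-1, so it is a packaging nicety rather than a correctness bug.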
diff --git a/icecream.spec b/icecream.spec
index ba78ad0..6facd94 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -1,11 +1,10 @@
%global _hardened_build 1
-# TODO: Reenable SELinux by default. It needs updating first.
-%bcond_with selinux
+%bcond_without selinux
Name: icecream
Version: 1.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Distributed compiler
Group: Development/Tools
@@ -21,12 +20,15 @@ Source6: iceccd.service
Source7: icecc-scheduler.service
Source9: iceccd-wrapper
Source10: icecc-scheduler-wrapper
+Source11: icecream-tmpfiles.conf
Patch0001: 0001-make-dist-hook-work-also-with-srcdir-builddir.patch
Patch0002: 0002-handle-HOME-not-being-set.patch
Patch0003: 0003-Debian-and-Ubuntu-uses-docbook2x-man-instead-of-docb.patch
Patch0004: 0004-Mac-brew-has-docbook2man-instead-of-docbook-to-man.patch
-PAtch0005: 0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
+Patch0005: 0005-Revert-chmod-chown-envs-dir-when-preparing-this.patch
+Patch0006: 0006-icecc-create-env-avoid-tar-looking-at-etc-passwd.patch
+Patch0007: 0007-daemon-main-do-not-create-run-icecc-by-ourselves.patch
Patch10000: %{name}-cleanup-conffile.patch
@@ -81,13 +83,15 @@ This package contains development files for %{name}.
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
+%patch0006 -p1
+%patch0007 -p1
%patch10000 -p0
sed -e 's|@LIBDIR@|%{_libdir}|g;s|@LIBEXECDIR@|%{_libexecdir}|g' %{SOURCE1} > icecream.sh
sed -e 's|@LIBDIR@|%{_libdir}|g;s|@LIBEXECDIR@|%{_libexecdir}|g' %{SOURCE2} > icecream.csh
mkdir SELinux
cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} SELinux
mkdir fedora
-cp -p %{SOURCE6} %{SOURCE7} %{SOURCE9} %{SOURCE10} fedora
+cp -p %{SOURCE6} %{SOURCE7} %{SOURCE9} %{SOURCE10} %{SOURCE11} fedora
%build
autoreconf -fi
@@ -113,16 +117,20 @@ make install DESTDIR=%{buildroot}
rm -f %{buildroot}/%{_libdir}/libicecc.la
# install config file and initscripts
-install -D -m 644 suse/sysconfig.icecream %{buildroot}/%{_sysconfdir}/sysconfig/icecream
+install -D -m 644 suse/sysconfig.icecream %{buildroot}/%{_sysconfdir}/sysconfig/icecream
install -d -m 755 %{buildroot}/%{_unitdir}
-install -p -m 644 fedora/*.service %{buildroot}/%{_unitdir}
-install -p -m 755 fedora/*-wrapper %{buildroot}/%{_libexecdir}/icecc
+install -p -m 644 fedora/*.service %{buildroot}/%{_unitdir}
+install -p -m 755 fedora/*-wrapper %{buildroot}/%{_libexecdir}/icecc
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -p -m 644 fedora/icecream-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/icecream.conf
install -d -m 755 %{buildroot}/%{_sysconfdir}/profile.d
install -p -m 644 icecream.sh icecream.csh %{buildroot}/%{_sysconfdir}/profile.d
# create default working dir
mkdir -p %{buildroot}/%{_localstatedir}/cache/icecream
+mkdir -p %{buildroot}/run/icecc/
+
%if %{with selinux}
for selinuxvariant in %{selinux_variants}; do
install -d %{buildroot}/%{_datadir}/selinux/${selinuxvariant}
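Review bot: The new tmpfiles.conf install uses a separate `mkdir -p` followed by `install -p`, whereas the sysconfig line a few lines above already uses `install -D` to create the target directory; one line does the same job and keeps the block consistent: `install -D -p -m 644 fedora/icecream-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/icecream.conf`. The three rewritten `install` lines for sysconfig, services and wrappers appear to differ from the removed ones only in whitespace, which makes the hunk noisier than it needs to be.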
@@ -170,16 +178,24 @@ exit 0
%if %{with selinux}
for selinuxvariant in %{selinux_variants}; do
semodule -s ${selinuxvariant} -i \
- %{_datadir}/selinux/${selinuxvariant}/icecream.pp 2>/dev/null ||:
- semanage port -a -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
- semanage port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
+ %{_datadir}/selinux/${selinuxvariant}/icecream.pp 2>/dev/null
+done
+
+for selinuxvariant in %{selinux_variants}; do
+ {
+ echo "port -a -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245"
+ echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766"
+ echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765"
# tcp 8765 is taken by LIRC. icecream.te knows it.
- #semanage port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
- semanage port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
+ # echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8765"
+ } | semanage -i - 2>/dev/null
+done
+
+for selinuxvariant in %{selinux_variants}; do
%relabel ${selinuxvariant}
done
-restorecon -R %{_localstatedir}/cache/icecream 2>/dev/null ||:
-restorecon %{_localstatedir}/log/iceccd 2>/dev/null ||:
+
+restorecon -R %{_localstatedir}/cache/icecream %{_localstatedir}/log/icecc /run/icecc 2>/dev/null
%endif
%systemd_post iceccd.service icecc-scheduler.service
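Review bot: Discarding stderr on the `semodule -i` call while also dropping the `||:` makes a failed module load completely silent, and without the module iceccd and icecc-scheduler start without the intended domain confinement, so at least that call should report failure, e.g. `semodule -s ${selinuxvariant} -i %{_datadir}/selinux/${selinuxvariant}/icecream.pp || echo "icecream: SELinux module install failed for ${selinuxvariant}" >&2`. The batched `semanage -i -` form also changes failure semantics: if I recall correctly the batch is applied as one transaction, so a single already-defined port (for instance left over from a failed uninstall) now prevents the other definitions from being applied, where the previous per-command form added them independently. Dropping `||:` is harmless for the scriptlet's exit status only if the scriptlet still ends in `exit 0`, which the hunk header context suggests but does not show; the same applies to the `semodule -r` change in the %postun hunk.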
@@ -191,10 +207,13 @@ exit 0
if [ $1 -eq 0 ]; then # Final removal
for selinuxvariant in %{selinux_variants}; do
%saveFileContext ${selinuxvariant}
- semanage port -d -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
- semanage port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
- semanage port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
- semanage port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
+ done
+ for selinuxvariant in %{selinux_variants}; do
+ {
+ echo "port -d -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245"
+ echo "port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766"
+ echo "port -d -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765"
+ } | semanage -i - 2>/dev/null
done
fi
%endif
@@ -206,7 +225,7 @@ exit 0
%if %{with selinux}
if [ $1 -eq 0 ]; then # Final removal
for selinuxvariant in %{selinux_variants}; do
- semodule -s ${selinuxvariant} -r icecream 2>/dev/null ||:
+ semodule -s ${selinuxvariant} -r icecream 2>/dev/null
%relabel ${selinuxvariant}
done
fi
@@ -225,7 +244,9 @@ exit 0
%config(noreplace) %{_sysconfdir}/profile.d/icecream.*sh
%{_unitdir}/icecc*.service
%attr(0775, root, icecream) %{_localstatedir}/cache/icecream
+%attr(0775, root, icecream) /run/icecc
%{_mandir}/man*/*
+%{_tmpfilesdir}/icecream.conf
%{?with_selinux:%{_datadir}/selinux/*/icecream.pp}
%files devel
@@ -235,6 +256,13 @@ exit 0
%{_libdir}/pkgconfig/icecc.pc
%changelog
+* Fri Aug 30 2013 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-2
+- Update the SELinux policy module and build it.
+- Use tmpfiles.d to create /run/icecc instead of letting the daemon write to
+ var_run_t directly.
+- Add a patch to stop icecc-create-env from reading /etc/passwd.
+- Batch semenage calls in scriptlets.
+
* Mon Aug 26 2013 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-1
- Rebase to current upstream release. (#888183, #914087, #925572, #992557)
- Build with librsync and libcap-ng support.
diff --git a/icecream.te b/icecream.te
index 137eaa8..b4681b3 100644
--- a/icecream.te
+++ b/icecream.te
@@ -1,5 +1,5 @@
-policy_module(icecream,0.1.5)
+policy_module(icecream,0.1.6)
########################################
#
@@ -10,8 +10,8 @@ type iceccd_t;
type iceccd_exec_t;
init_daemon_domain(iceccd_t, iceccd_exec_t)
-type iceccd_log_t;
-logging_log_file(iceccd_log_t)
+type icecc_log_t;
+logging_log_file(icecc_log_t)
type iceccd_tmp_t;
files_tmp_file(iceccd_tmp_t)
@@ -41,9 +41,6 @@ type icecc_scheduler_t;
type icecc_scheduler_exec_t;
init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
-type icecc_scheduler_log_t;
-logging_log_file(icecc_scheduler_log_t)
-
########################################
#
# iceccd_untrusted declarations
@@ -66,10 +63,10 @@ corenet_port(icecc_scheduler_port_t);
#
allow iceccd_t self:capability { chown dac_override fowner fsetid kill
- setgid setuid sys_chroot };
+ setgid setuid sys_chroot setpcap };
allow iceccd_t self:fifo_file rw_fifo_file_perms;
allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
-allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:process { signal_perms setsched setrlimit setcap };
allow iceccd_t self:tcp_socket create_stream_socket_perms;
allow iceccd_t self:udp_socket create_socket_perms;
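Review bot: The new `setpcap` capability and `setcap` process permission let iceccd_t alter its own capability sets, which is a privilege that deserves a why-comment in the policy; the context lines in patch 0007 suggest it is for libcap-ng's capng_apply() reducing the daemon to CAP_SYS_CHROOT. A comment such as `# setpcap/setcap: libcap-ng capng_apply() shrinks the daemon's capability sets after start` above the `allow iceccd_t self:capability` rule would tell the next maintainer why it is there and that nothing broader is intended. Confirm against daemon/main.cpp that capng_apply() is the only caller.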
@@ -78,11 +75,13 @@ dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
allow iceccd_t iceccd_untrusted_t:process signal;
+allow iceccd_t iceccd_var_run_t:sock_file { create unlink };
+
domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
-manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
-logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+manage_files_pattern(iceccd_t, icecc_log_t, icecc_log_t)
+logging_log_filetrans(iceccd_t, icecc_log_t, file)
manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
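Review bot: The new `sock_file { create unlink }` rule has no comment tying it to the tmpfiles.d change, and the unchanged `files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)` below it still grants iceccd_t write access to var_run_t directories, which the commit message says the daemon should no longer need. If the pid file now also lives under /run/icecc, that filetrans (and the var_run_t dir permissions it brings) can go; if it is still written directly to /run, a comment saying so would stop the next reader from removing it. Suggested comment for the new rule: `# unix socket in /run/icecc; the directory itself comes from tmpfiles.d, so no var_run_t dir access is needed for it`. The rule also omits setattr, so the daemon cannot chmod the socket — presumably intended, since access is governed by the directory's 0775 root:icecream mode.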
@@ -107,6 +106,7 @@ corenet_udp_sendrecv_all_ports(iceccd_t)
corenet_tcp_bind_generic_node(iceccd_t)
allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
+# tcp port 8765 is lirc_port_t
corenet_tcp_connect_lirc_port(iceccd_t)
corecmd_exec_bin(iceccd_t)
@@ -126,6 +126,8 @@ libs_use_shared_libs(iceccd_t)
miscfiles_read_localization(iceccd_t)
+auth_use_nsswitch(iceccd_t)
+
########################################
#
# iceccd_createenv policy
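Review bot: `auth_use_nsswitch(iceccd_t)` is added without a comment, and it is a broad interface (passwd/group lookups plus the sockets for the nscd, sssd, ldap and nis back ends and DNS resolution), so the reason should be recorded; the daemon resolving the `-u icecream` user and the scheduler's host name is presumably what triggered it. A one-line `# getpwnam() for the -u user and host-name resolution of the scheduler` above it would do. If only the local passwd lookup were needed, `auth_read_passwd(iceccd_t)` would be the tighter choice, but the service's `After=nss-lookup.target` suggests name resolution is expected too, in which case nsswitch is the right call.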
@@ -135,7 +137,7 @@ allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
-allow iceccd_createenv_t iceccd_log_t:file { append };
+allow iceccd_createenv_t icecc_log_t:file { append };
manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
@@ -158,7 +160,7 @@ kernel_read_system_state(iceccd_createenv_t)
libs_exec_ld_so(iceccd_createenv_t)
libs_exec_lib_files(iceccd_createenv_t)
-libs_domtrans_ldconfig(iceccd_createenv_t)
+libs_exec_ldconfig(iceccd_createenv_t)
libs_use_ld_so(iceccd_createenv_t)
libs_use_shared_libs(iceccd_createenv_t)
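Review bot: Switching from `libs_domtrans_ldconfig` to `libs_exec_ldconfig` runs ldconfig inside iceccd_createenv_t instead of transitioning to ldconfig_t, so ldconfig's writes are now governed by the createenv policy; that is appropriate only if icecc-create-env runs ldconfig against its own temporary tree (e.g. with `-r`) rather than the system cache, which the hunk does not show. A why-comment would make the intent checkable: `# ldconfig is run on the environment's temp dir, not on /etc/ld.so.cache, so no transition to ldconfig_t`. Please confirm the invocation in client/icecc-create-env before merging.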
@@ -194,8 +196,8 @@ fs_getattr_all_fs(iceccd_untrusted_t)
allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
allow icecc_scheduler_t self:udp_socket create_socket_perms;
-manage_files_pattern(icecc_scheduler_t, icecc_scheduler_log_t, icecc_scheduler_log_t)
-logging_log_filetrans(icecc_scheduler_t, icecc_scheduler_log_t, file)
+manage_files_pattern(icecc_scheduler_t, icecc_log_t, icecc_log_t)
+logging_log_filetrans(icecc_scheduler_t, icecc_log_t, file)
corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
corenet_all_recvfrom_netlabel(icecc_scheduler_t)