[icecream/f20] Drop the permissions to log to the old files from the SELinux policy
Michal Schmidt
michich at fedoraproject.org
Mon Sep 2 16:57:52 UTC 2013
commit 147f2f1aa47e584623279cc3397e6794e332e251
Author: Michal Schmidt <mschmidt at redhat.com>
Date: Mon Sep 2 18:55:29 2013 +0200
Drop the permissions to log to the old files from the SELinux policy
icecream.fc | 1 -
icecream.spec | 5 ++++-
icecream.te | 11 -----------
3 files changed, 4 insertions(+), 13 deletions(-)
---
diff --git a/icecream.fc b/icecream.fc
index d9d3613..dd7340d 100644
--- a/icecream.fc
+++ b/icecream.fc
@@ -2,5 +2,4 @@
/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
/usr/libexec/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
-/var/log/icecc(/.*)? gen_context(system_u:object_r:icecc_log_t,s0)
/var/run/icecc(/.*)? gen_context(system_u:object_r:iceccd_var_run_t,s0)
diff --git a/icecream.spec b/icecream.spec
index b3d0a24..75ae020 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -4,7 +4,7 @@
Name: icecream
Version: 1.0.1
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Distributed compiler
Group: Development/Tools
@@ -257,6 +257,9 @@ exit 0
%{_libdir}/pkgconfig/icecc.pc
%changelog
+* Mon Sep 02 2013 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-5
+- Drop the permissions to log to the old files from the SELinux policy.
+
* Mon Sep 02 2013 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-4
- Fix dropping of capabilities.
- Log everything to journal/syslog, not the custom log files.
diff --git a/icecream.te b/icecream.te
index b4681b3..e6e5487 100644
--- a/icecream.te
+++ b/icecream.te
@@ -10,9 +10,6 @@ type iceccd_t;
type iceccd_exec_t;
init_daemon_domain(iceccd_t, iceccd_exec_t)
-type icecc_log_t;
-logging_log_file(icecc_log_t)
-
type iceccd_tmp_t;
files_tmp_file(iceccd_tmp_t)
@@ -80,9 +77,6 @@ allow iceccd_t iceccd_var_run_t:sock_file { create unlink };
domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
-manage_files_pattern(iceccd_t, icecc_log_t, icecc_log_t)
-logging_log_filetrans(iceccd_t, icecc_log_t, file)
-
manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
@@ -137,8 +131,6 @@ allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
-allow iceccd_createenv_t icecc_log_t:file { append };
-
manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
# no files_var_filetrans, createenv does not create the cache dir itself
@@ -196,9 +188,6 @@ fs_getattr_all_fs(iceccd_untrusted_t)
allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
allow icecc_scheduler_t self:udp_socket create_socket_perms;
-manage_files_pattern(icecc_scheduler_t, icecc_log_t, icecc_log_t)
-logging_log_filetrans(icecc_scheduler_t, icecc_log_t, file)
-
corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
corenet_all_recvfrom_netlabel(icecc_scheduler_t)
corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)