[icecream/f20] Drop the permissions to log to the old files from the SELinux policy

Michal Schmidt michich at fedoraproject.org
Mon Sep 2 16:57:52 UTC 2013


commit 147f2f1aa47e584623279cc3397e6794e332e251
Author: Michal Schmidt <mschmidt at redhat.com>
Date:   Mon Sep 2 18:55:29 2013 +0200

    Drop the permissions to log to the old files from the SELinux policy

 icecream.fc   |    1 -
 icecream.spec |    5 ++++-
 icecream.te   |   11 -----------
 3 files changed, 4 insertions(+), 13 deletions(-)
---
diff --git a/icecream.fc b/icecream.fc
index d9d3613..dd7340d 100644
--- a/icecream.fc
+++ b/icecream.fc
@@ -2,5 +2,4 @@
 /usr/sbin/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
 /usr/libexec/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
 /var/cache/icecream(/.*)?			gen_context(system_u:object_r:iceccd_cache_t,s0)
-/var/log/icecc(/.*)?				gen_context(system_u:object_r:icecc_log_t,s0)
 /var/run/icecc(/.*)?				gen_context(system_u:object_r:iceccd_var_run_t,s0)
diff --git a/icecream.spec b/icecream.spec
index b3d0a24..75ae020 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -4,7 +4,7 @@
 
 Name:		icecream
 Version:	1.0.1
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	Distributed compiler
 
 Group:		Development/Tools
@@ -257,6 +257,9 @@ exit 0
 %{_libdir}/pkgconfig/icecc.pc
 
 %changelog
+* Mon Sep 02 2013 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-5
+- Drop the permissions to log to the old files from the SELinux policy.
+
 * Mon Sep 02 2013 Michal Schmidt <mschmidt at redhat.com> - 1.0.1-4
 - Fix dropping of capabilities.
 - Log everything to journal/syslog, not the custom log files.
diff --git a/icecream.te b/icecream.te
index b4681b3..e6e5487 100644
--- a/icecream.te
+++ b/icecream.te
@@ -10,9 +10,6 @@ type iceccd_t;
 type iceccd_exec_t;
 init_daemon_domain(iceccd_t, iceccd_exec_t)
 
-type icecc_log_t;
-logging_log_file(icecc_log_t)
-
 type iceccd_tmp_t;
 files_tmp_file(iceccd_tmp_t)
 
@@ -80,9 +77,6 @@ allow iceccd_t iceccd_var_run_t:sock_file { create unlink };
 domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
 domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
 
-manage_files_pattern(iceccd_t, icecc_log_t, icecc_log_t)
-logging_log_filetrans(iceccd_t, icecc_log_t, file)
-
 manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
 files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
 
@@ -137,8 +131,6 @@ allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
 
 dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
 
-allow iceccd_createenv_t icecc_log_t:file { append };
-
 manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
 manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
 # no files_var_filetrans, createenv does not create the cache dir itself
@@ -196,9 +188,6 @@ fs_getattr_all_fs(iceccd_untrusted_t)
 allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
 allow icecc_scheduler_t self:udp_socket create_socket_perms;
 
-manage_files_pattern(icecc_scheduler_t, icecc_log_t, icecc_log_t)
-logging_log_filetrans(icecc_scheduler_t, icecc_log_t, file)
-
 corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
 corenet_all_recvfrom_netlabel(icecc_scheduler_t)
 corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)

