2009-03-02 12:04:27

by Michal Schmidt

Subject: [refpolicy] [PATCH] add policy for Icecream

Hello,

Icecream is a distributed compiler similar to distcc, but there are
important differences:
- It uses a central scheduler (icecc-scheduler) which decides on which
node each job will be compiled. Typically there are many nodes on the
local network, all running iceccd.
- It automatically copies the local compiler binary with its
dependencies to the other nodes to ensure they're all using the same
compiler. The nodes execute the compiler in a chroot.

As you can see, running iceccd implies running arbitrary code from
networked users. Confining Icecream with SELinux is a good idea.

This patch adds the policy for Icecream to refpolicy. It is based on
the latest icecream policy module from the icecream RPM in Fedora.

Michal

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2912)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -103,6 +103,8 @@
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te (revision 0)
+++ policy/modules/services/icecream.te (revision 0)
@@ -0,0 +1,170 @@
+
+policy_module(icecream,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# the compiler node daemon
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+# the working area
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+# icecc-create-env script makes a tarball of the local compiler and its
+# dependencies for other nodes to use
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+domain_type(iceccd_createenv_t)
+domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+# foreign compilers
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+# the scheduler
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# Icecream policy
+#
+
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
+allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
+
+files_read_etc_files(iceccd_t)
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+miscfiles_read_localization(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+kernel_read_system_state(iceccd_t)
+sysnet_read_config(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_getattr_tmp_dirs(iceccd_t)
+files_search_tmp(iceccd_t)
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
+
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+# icecc-create-env looks for executable files to strip them. It does not
+# really execute them, but the -x check would trigger a denial. Do not allow
+# this, typically the binaries are already stripped anyway. Just silence it.
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+
+files_read_etc_files(iceccd_createenv_t)
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+miscfiles_read_localization(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+
+files_read_usr_files(iceccd_createenv_t)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+libs_domtrans_ldconfig(iceccd_createenv_t)
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+dev_read_urand(iceccd_createenv_t)
+kernel_read_system_state(iceccd_createenv_t)
+# silence file(1) looking for /root/.magic
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+# XXX: This could be avoided if iceccd only nuked the contents of
+# /var/cache/icecream, not the directory itself.
+files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
+
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(icecc_scheduler_t)
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+miscfiles_read_localization(icecc_scheduler_t)
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
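Review bot: The rule `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` pairs a sock_file permission set with the unix_stream_socket class; rw_sock_file_perms is the set for socket files on disk, so the permissions it expands to are not the ones a socket class carries, and the rule for the socket the compiler inherits from iceccd should read `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_socket_perms;` (or just `{ read write }` if that is all the observed denials asked for). Separately, iceccd_untrusted_t gets manage_files_pattern on iceccd_cache_t and execute_no_trans on the same type, while iceccd_t domain-transitions through that type as well, so a foreign compiler can rewrite files that later jobs will execute as iceccd_untrusted_t. That is presumably inherent to how icecream unpacks environments into the cache, but a sentence on the `# foreign compilers` declaration saying that the cache type is deliberately both writable and executable by the untrusted domain would make it a documented decision rather than something the next reader has to reverse-engineer.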
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc (revision 0)
+++ policy/modules/services/icecream.fc (revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
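Review bot: The entries are not in the path order refpolicy .fc files normally use; listing them as `/usr/lib(64)?/icecc/icecc-create-env`, `/usr/sbin/icecc-scheduler`, `/usr/sbin/iceccd` and then the two `/var` entries keeps the file consistent with the rest of services/ and makes later additions easier to place. It would also help to note above `/var/cache/icecream(/.*)?` that iceccd_cache_t is not just a data label but the entry point type of iceccd_untrusted_t in the .te, since that is unusual for a cache directory.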
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if (revision 0)
+++ policy/modules/services/icecream.if (revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>


2009-03-02 13:16:54

by domg472

Subject: [refpolicy] [PATCH] add policy for Icecream

On Mon, 2009-03-02 at 13:04 +0100, Michal Schmidt wrote:
> Hello,
>
> Icecream is a distributed compiler similar to distcc, but there are
> important differences:
> - It uses a central scheduler (icecc-scheduler) which decides on which
> node each job will be compiled. Typically there are many nodes on the
> local network, all running iceccd.
> - It automatically copies the local compiler binary with its
> dependencies to the other nodes to ensure they're all using the same
> compiler. The nodes execute the compiler in a chroot.
>
> As you can see, running iceccd implies running arbitrary code from
> networked users. Confining Icecream with SELinux is a good idea.
>
> This patch adds the policy for Icecream to refpolicy. It is based on
> the latest icecream policy module from the icecream RPM in Fedora.
>
> Michal
>
> Index: policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- policy/modules/kernel/corenetwork.te.in (revision 2912)
> +++ policy/modules/kernel/corenetwork.te.in (working copy)
> @@ -103,6 +103,8 @@
> network_port(howl, tcp,5335,s0, udp,5353,s0)
> network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
> network_port(i18n_input, tcp,9010,s0)
> +network_port(iceccd, tcp,10245,s0)
> +network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
> network_port(imaze, tcp,5323,s0, udp,5323,s0)
> network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
> network_port(innd, tcp,119,s0)
> Index: policy/modules/services/icecream.te
> ===================================================================
> --- policy/modules/services/icecream.te (revision 0)
> +++ policy/modules/services/icecream.te (revision 0)
> @@ -0,0 +1,170 @@
> +
> +policy_module(icecream,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +# the compiler node daemon
> +type iceccd_t;
> +type iceccd_exec_t;
> +init_daemon_domain(iceccd_t, iceccd_exec_t)
> +
> +type iceccd_log_t;
> +logging_log_file(iceccd_log_t)
> +
> +type iceccd_tmp_t;
> +files_tmp_file(iceccd_tmp_t)
> +
> +type iceccd_var_run_t;
> +files_pid_file(iceccd_var_run_t)
> +
> +# the working area
> +type iceccd_cache_t;
> +files_type(iceccd_cache_t)
> +
> +# icecc-create-env script makes a tarball of the local compiler and its
> +# dependencies for other nodes to use
> +type iceccd_createenv_t;
> +type iceccd_createenv_exec_t;
> +domain_type(iceccd_createenv_t)
> +domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
> +role system_r types iceccd_createenv_t;
> +
> +# foreign compilers
> +type iceccd_untrusted_t;
> +domain_type(iceccd_untrusted_t);
> +domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> +role system_r types iceccd_untrusted_t;
> +
> +# the scheduler
> +type icecc_scheduler_t;
> +type icecc_scheduler_exec_t;
> +init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
> +
> +########################################
> +#
> +# Icecream policy
> +#
> +
> +allow iceccd_t self:process { signal_perms setsched setrlimit };
> +allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
> +allow iceccd_t self:tcp_socket create_stream_socket_perms;
> +allow iceccd_t self:udp_socket create_socket_perms;
> +allow iceccd_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
> +allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
> +
> +files_read_etc_files(iceccd_t)
> +libs_use_ld_so(iceccd_t)
> +libs_use_shared_libs(iceccd_t)
> +miscfiles_read_localization(iceccd_t)
> +
> +fs_getattr_all_fs(iceccd_t)
> +kernel_read_system_state(iceccd_t)
> +sysnet_read_config(iceccd_t)
> +
> +corecmd_exec_bin(iceccd_t)
> +corecmd_read_bin_symlinks(iceccd_t)
> +
> +files_getattr_tmp_dirs(iceccd_t)
> +files_search_tmp(iceccd_t)
> +
> +corenet_all_recvfrom_unlabeled(iceccd_t)
> +corenet_all_recvfrom_netlabel(iceccd_t)
> +corenet_tcp_sendrecv_generic_if(iceccd_t)
> +corenet_udp_sendrecv_generic_if(iceccd_t)
> +corenet_tcp_sendrecv_generic_node(iceccd_t)
> +corenet_udp_sendrecv_generic_node(iceccd_t)
> +corenet_tcp_sendrecv_all_ports(iceccd_t)
> +corenet_udp_sendrecv_all_ports(iceccd_t)
> +corenet_tcp_bind_generic_node(iceccd_t)
> +corenet_tcp_bind_iceccd_port(iceccd_t)
> +corenet_sendrecv_iceccd_server_packets(iceccd_t)
> +corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
> +
> +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
> +domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
> +
> +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
> +logging_log_filetrans(iceccd_t, iceccd_log_t, file)
> +
> +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
> +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
> +
> +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +
> +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
> +
> +
> +allow iceccd_createenv_t iceccd_log_t:file { append };
> +allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
> +# icecc-create-env looks for executable files to strip them. It does not
> +# really execute them, but the -x check would trigger a denial. Do not allow
> +# this, typically the binaries are already stripped anyway. Just silence it.
> +dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
> +
> +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_untrusted_t self:process signal_perms;
> +allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
> +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
> +allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
> +
> +files_read_etc_files(iceccd_createenv_t)
> +libs_use_ld_so(iceccd_createenv_t)
> +libs_use_shared_libs(iceccd_createenv_t)
> +miscfiles_read_localization(iceccd_createenv_t)
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +
> +files_read_usr_files(iceccd_createenv_t)
> +libs_exec_ld_so(iceccd_createenv_t)
> +libs_exec_lib_files(iceccd_createenv_t)
> +libs_domtrans_ldconfig(iceccd_createenv_t)
> +corecmd_exec_bin(iceccd_createenv_t)
> +corecmd_exec_shell(iceccd_createenv_t)
> +dev_read_urand(iceccd_createenv_t)
> +kernel_read_system_state(iceccd_createenv_t)
> +# silence file(1) looking for /root/.magic
> +userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
> +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
> +
> +optional_policy(`
> + nscd_socket_use(iceccd_createenv_t)
> +')
> +
> +# XXX: This could be avoided if iceccd only nuked the contents of
> +# /var/cache/icecream, not the directory itself.
> +files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
> +
> +
> +allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
> +allow icecc_scheduler_t self:udp_socket create_socket_perms;
> +
> +files_read_etc_files(icecc_scheduler_t)
> +libs_use_ld_so(icecc_scheduler_t)
> +libs_use_shared_libs(icecc_scheduler_t)
> +miscfiles_read_localization(icecc_scheduler_t)
> +
> +corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
> +corenet_all_recvfrom_netlabel(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_tcp_bind_generic_node(icecc_scheduler_t)
> +corenet_udp_bind_generic_node(icecc_scheduler_t)
> +corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
> Index: policy/modules/services/icecream.fc
> ===================================================================
> --- policy/modules/services/icecream.fc (revision 0)
> +++ policy/modules/services/icecream.fc (revision 0)
> @@ -0,0 +1,5 @@
> +/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
> +/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
> +/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
> +/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
> +/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
> Index: policy/modules/services/icecream.if
> ===================================================================
> --- policy/modules/services/icecream.if (revision 0)
> +++ policy/modules/services/icecream.if (revision 0)
> @@ -0,0 +1 @@
> +## <summary>Icecream distributed compiler daemon</summary>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

Here is my take on the policy. It may or may not work, but it may give
you some ideas on how to clean it up a bit.

Use it at your own risk

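policy_module(icecream, 1.0.1)

########################################
#
# iceccd declarations
#

# The compiler node daemon. It takes jobs from the scheduler and runs the
# foreign compiler it received over the network from the cache, in a chroot.
type iceccd_t;
type iceccd_exec_t;
init_daemon_domain(iceccd_t, iceccd_exec_t)

type iceccd_log_t;
logging_log_file(iceccd_log_t)

type iceccd_tmp_t;
files_tmp_file(iceccd_tmp_t)

type iceccd_var_run_t;
files_pid_file(iceccd_var_run_t)

# The working area (/var/cache/icecream). It holds the unpacked compiler
# environments and is also the entry point type of iceccd_untrusted_t.
type iceccd_cache_t;
files_type(iceccd_cache_t)

########################################
#
# iceccd-createenv declarations
#

# icecc-create-env makes a tarball of the local compiler and its
# dependencies for other nodes to use. It is run both by iceccd and by
# users from a shell, hence application_*.
type iceccd_createenv_t;
type iceccd_createenv_exec_t;
application_executable_file(iceccd_createenv_exec_t)
application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
role system_r types iceccd_createenv_t;

########################################
#
# icecc-scheduler declarations
#

# The central scheduler that decides on which node each job is compiled.
type icecc_scheduler_t;
type icecc_scheduler_exec_t;
init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)

########################################
#
# iceccd-untrusted declarations
#

# Foreign compilers copied in from other nodes. They are never run by
# users, so this is a plain domain entered from the cache type, not an
# application domain.
type iceccd_untrusted_t;
domain_type(iceccd_untrusted_t)
domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
role system_r types iceccd_untrusted_t;

########################################
#
# iceccd policy
#

# sys_chroot: the foreign compiler is run in a chroot of its cache dir.
allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
allow iceccd_t self:fifo_file rw_fifo_file_perms;
allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
allow iceccd_t self:process { signal_perms setsched setrlimit };
allow iceccd_t self:tcp_socket create_stream_socket_perms;
allow iceccd_t self:udp_socket create_socket_perms;

# Inheriting signal state, rlimits and the environment across the
# transition into the untrusted compiler is not wanted; just silence it.
dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure };
allow iceccd_t iceccd_untrusted_t:process signal;

domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
# Anything labeled iceccd_cache_t is an entry point for the untrusted domain.
domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)

manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
logging_log_filetrans(iceccd_t, iceccd_log_t, file)

manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)

# XXX: the filetrans would not be needed if iceccd only nuked the contents
# of /var/cache/icecream, not the directory itself.
# NOTE(review): search on /var is expected to come with files_var_filetrans
# rather than a separate files_search_var() — confirm against the interface.
manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })

files_search_tmp(iceccd_t)
manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })

# iceccd finds the scheduler with UDP broadcasts on the LAN, so it needs
# UDP in addition to the TCP job connections.
corenet_all_recvfrom_unlabeled(iceccd_t)
corenet_all_recvfrom_netlabel(iceccd_t)
corenet_tcp_sendrecv_generic_if(iceccd_t)
corenet_udp_sendrecv_generic_if(iceccd_t)
corenet_tcp_sendrecv_generic_node(iceccd_t)
corenet_udp_sendrecv_generic_node(iceccd_t)
corenet_tcp_sendrecv_all_ports(iceccd_t)
corenet_udp_sendrecv_all_ports(iceccd_t)
corenet_tcp_bind_generic_node(iceccd_t)
corenet_tcp_bind_iceccd_port(iceccd_t)
corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
corenet_sendrecv_iceccd_server_packets(iceccd_t)

corecmd_exec_bin(iceccd_t)
corecmd_read_bin_symlinks(iceccd_t)

files_read_etc_files(iceccd_t)

fs_getattr_all_fs(iceccd_t)

kernel_read_system_state(iceccd_t)

sysnet_read_config(iceccd_t)

libs_use_ld_so(iceccd_t)
libs_use_shared_libs(iceccd_t)

miscfiles_read_localization(iceccd_t)

########################################
#
# iceccd-createenv policy
#

allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;

# icecc-create-env looks for executable files to strip them. It does not
# really execute them, but the -x check would trigger a denial. Do not
# allow it, the binaries are typically stripped already; just silence it.
dontaudit iceccd_createenv_t iceccd_tmp_t:file execute;

allow iceccd_createenv_t iceccd_log_t:file append;

# NOTE(review): search on /var and /tmp is expected to come with the
# *_filetrans interfaces below — confirm.
manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
files_var_filetrans(iceccd_createenv_t, iceccd_cache_t, { dir file })

manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })

corecmd_exec_bin(iceccd_createenv_t)
corecmd_exec_shell(iceccd_createenv_t)

dev_read_urand(iceccd_createenv_t)

files_read_etc_files(iceccd_createenv_t)
files_read_usr_files(iceccd_createenv_t)

kernel_read_system_state(iceccd_createenv_t)

libs_exec_ld_so(iceccd_createenv_t)
libs_exec_lib_files(iceccd_createenv_t)

libs_domtrans_ldconfig(iceccd_createenv_t)

libs_use_ld_so(iceccd_createenv_t)
libs_use_shared_libs(iceccd_createenv_t)

miscfiles_read_localization(iceccd_createenv_t)

# silence file(1) looking for /root/.magic
userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)

optional_policy(`
	nscd_socket_use(iceccd_createenv_t)
')

########################################
#
# iceccd-untrusted policy
#

allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
allow iceccd_untrusted_t self:process signal_perms;
# The compiler talks to iceccd over the socket it inherits; this is a
# socket class, so it takes a socket permission set, not a sock_file one.
allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_socket_perms;

# The untrusted domain both writes its output into the cache and executes
# binaries from it. That is how icecream works; it does mean a foreign
# compiler can alter environments used by later jobs on this node.
manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
can_exec(iceccd_untrusted_t, iceccd_cache_t)

########################################
#
# icecc-scheduler policy
#

allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
allow icecc_scheduler_t self:udp_socket create_socket_perms;

corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
corenet_all_recvfrom_netlabel(icecc_scheduler_t)
corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
corenet_tcp_bind_generic_node(icecc_scheduler_t)
corenet_udp_bind_generic_node(icecc_scheduler_t)
corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)

files_read_etc_files(icecc_scheduler_t)

libs_use_ld_so(icecc_scheduler_t)
libs_use_shared_libs(icecc_scheduler_t)

miscfiles_read_localization(icecc_scheduler_t)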

2009-03-02 15:37:16

by Michal Schmidt

Subject: [refpolicy] [PATCH] add policy for Icecream

Dne Mon, 02 Mar 2009 14:16:54 +0100
Dominick Grift <[email protected]> napsal:

> Here is my take on the policy. It may or may not work but it may give
> you some ideas on how to clean it up a bit.

Thank you for your suggestions! I'll redo the policy accordingly.
There are some bits, however, where I'd like some clarification.
It's these pieces of the diff between my and your version of
the .te file:
>
> -# the compiler node daemon
> type iceccd_t;
> type iceccd_exec_t;
> init_daemon_domain(iceccd_t, iceccd_exec_t)
> @@ -20,141 +311,182 @@
> type iceccd_var_run_t;
> files_pid_file(iceccd_var_run_t)
>
> -# the working area
> type iceccd_cache_t;
> files_type(iceccd_cache_t)
>
> -# icecc-create-env script makes a tarball of the local compiler and
> its -# dependencies for other nodes to use

You removed most of my comments, which were meant to give the reader some idea
of why the policy says what it says. Does it mean comments like these are really
not wanted?

> type iceccd_createenv_t;
> type iceccd_createenv_exec_t;
> -domain_type(iceccd_createenv_t)
> -domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
> +application_executable_file(iceccd_createenv_exec_t)
> +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
> role system_r types iceccd_createenv_t;

The application_* interfaces mark programs which are expected to be run by
users from interactive shells? OK, it makes sense for icecc-create-env.

> -domain_type(iceccd_untrusted_t);
> -domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> +application_executable_file(iceccd_cache_t);
> +application_domain(iceccd_untrusted_t, iceccd_cache_t)

... however, I do not think it's useful to mark the untrusted foreign compilers
as such. These should never be run by users.

> +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
> +noatsecure };

In the original version, these three permissions were 'allow'. I don't know
exactly what they mean, I got them by observing the AVC denials during normal
operation of Icecream. If you think 'dontaudit' should be enough, I believe
you. I'll test it.

> +# use interface: iceccd_untrusted_signal()
> +allow iceccd_t iceccd_untrusted_t:process signal;

You suggest "use interface: ..." several times. To make it absolutely clear -
are you asking me to create the named interfaces in icecream.if and use them in
icecream.te?
I thought interfaces were only useful for interaction with other policy
modules. And at the moment I can't imagine any other users of these interfaces.

> corenet_all_recvfrom_unlabeled(iceccd_t)
> corenet_all_recvfrom_netlabel(iceccd_t)
> corenet_tcp_sendrecv_generic_if(iceccd_t)
> -corenet_udp_sendrecv_generic_if(iceccd_t)
> corenet_tcp_sendrecv_generic_node(iceccd_t)
> -corenet_udp_sendrecv_generic_node(iceccd_t)
> corenet_tcp_sendrecv_all_ports(iceccd_t)
> -corenet_udp_sendrecv_all_ports(iceccd_t)
> corenet_tcp_bind_generic_node(iceccd_t)
> corenet_tcp_bind_iceccd_port(iceccd_t)

iceccd sends UDP broadcasts to find the scheduler on the LAN. Won't removing
these rules block it?


Michal

2009-03-02 15:57:20

by cpebenito

Subject: [refpolicy] [PATCH] add policy for Icecream

On Mon, 2009-03-02 at 16:37 +0100, Michal Schmidt wrote:
> Dne Mon, 02 Mar 2009 14:16:54 +0100
> Dominick Grift <[email protected]> napsal:
>
> > Here is my take on the policy. It may or may not work but it may give
> > you some ideas on how to clean it up a bit.
>
> Thank you for your suggestions! I'll redo the policy accordingly.
> There are some bits, however, where I'd like some clarification.
> It's these pieces of the diff between my and your version of
> the .te file:
[...]
> > type iceccd_createenv_t;
> > type iceccd_createenv_exec_t;
> > -domain_type(iceccd_createenv_t)
> > -domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
> > +application_executable_file(iceccd_createenv_exec_t)
> > +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
> > role system_r types iceccd_createenv_t;
>
> The application_* interfaces mark programs which are expected to be run by
> users from interactive shells?

Yes.

> OK, it makes sense for icecc-create-env.
>
> > -domain_type(iceccd_untrusted_t);
> > -domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> > +application_executable_file(iceccd_cache_t);
> > +application_domain(iceccd_untrusted_t, iceccd_cache_t)
>
> ... however, I do not think it's useful to mark the untrusted foreign compilers
> as such. These should never be run by users.

I agree in this case.

> > +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
> > +noatsecure };
>
> In the original version, these three permissions were 'allow'. I don't know
> exactly what they mean, I got them by observing the AVC denials during normal
> operation of Icecream. If you think 'dontaudit' should be enough, I believe
> you. I'll test it.

With dontaudit, on the transition to iceccd_untrusted_t the signal state and
resource limits won't be inherited, and the environment variables will
be cleansed. It's rare that these permissions need to be allowed.

> > +# use interface: iceccd_untrusted_signal()
> > +allow iceccd_t iceccd_untrusted_t:process signal;
>
> You suggest "use interface: ..." several times. To make it absolutely clear -
> are you asking me to create the named interfaces in icecream.if and use them in
> icecream.te?
> I thought interfaces were only useful for interaction with other policy
> modules. And at the moment I can't imagine any other users of these interfaces.

I'd lean towards skipping the interface for now.

> > corenet_all_recvfrom_unlabeled(iceccd_t)
> > corenet_all_recvfrom_netlabel(iceccd_t)
> > corenet_tcp_sendrecv_generic_if(iceccd_t)
> > -corenet_udp_sendrecv_generic_if(iceccd_t)
> > corenet_tcp_sendrecv_generic_node(iceccd_t)
> > -corenet_udp_sendrecv_generic_node(iceccd_t)
> > corenet_tcp_sendrecv_all_ports(iceccd_t)
> > -corenet_udp_sendrecv_all_ports(iceccd_t)
> > corenet_tcp_bind_generic_node(iceccd_t)
> > corenet_tcp_bind_iceccd_port(iceccd_t)
>
> iceccd sends UDP broadcasts to find the scheduler on the LAN. Won't removing
> these rules block it?

Yes. Sounds like you need to keep those lines.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2009-03-02 16:23:18

by domg472

Subject: [refpolicy] [PATCH] add policy for Icecream

On Mon, 2009-03-02 at 16:37 +0100, Michal Schmidt wrote:
> Dne Mon, 02 Mar 2009 14:16:54 +0100
> Dominick Grift <[email protected]> napsal:
>
> > Here is my take on the policy. It may or may not work but it may give
> > you some ideas on how to clean it up a bit.
>
> Thank you for your suggestions! I'll redo the policy accordingly.
> There are some bits, however, where I'd like some clarification.
> It's these pieces of the diff between my and your version of
> the .te file:
> >
> > -# the compiler node daemon
> > type iceccd_t;
> > type iceccd_exec_t;
> > init_daemon_domain(iceccd_t, iceccd_exec_t)
> > @@ -20,141 +311,182 @@
> > type iceccd_var_run_t;
> > files_pid_file(iceccd_var_run_t)
> >
> > -# the working area
> > type iceccd_cache_t;
> > files_type(iceccd_cache_t)
> >
> > -# icecc-create-env script makes a tarball of the local compiler and
> > its -# dependencies for other nodes to use
>
> You removed most of my comments which were meant to give the reader some idea
> why the policy says what it says. Does it mean comments like these are really
> not wanted?

Comments are fine, as long as they are not too obvious. I removed them because
that is my personal taste.


> > type iceccd_createenv_t;
> > type iceccd_createenv_exec_t;
> > -domain_type(iceccd_createenv_t)
> > -domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
> > +application_executable_file(iceccd_createenv_exec_t)
> > +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
> > role system_r types iceccd_createenv_t;
>
> The application_* interfaces mark programs which are expected to be run by
> users from interactive shells? OK, it makes sense for icecc-create-env.

If users have access to the executable type and have a transition set up.

> > -domain_type(iceccd_untrusted_t);
> > -domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> > +application_executable_file(iceccd_cache_t);
> > +application_domain(iceccd_untrusted_t, iceccd_cache_t)
>
> ... however, I do not think it's useful to mark the untrusted foreign compilers
> as such. These should never be run by users.

Alright, you could also use domain_entry_type, but users won't be able to
use application executables if they cannot access them or if no
transition is set up.

> > +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
> > +noatsecure };
>
> In the original version, these three permissions were 'allow'. I don't know
> exactly what they mean, I got them by observing the AVC denials during normal
> operation of Icecream. If you think 'dontaudit' should be enough, I believe
> you. I'll test it.

Try it. These permissions usually get silently denied.

> > +# use interface: iceccd_untrusted_signal()
> > +allow iceccd_t iceccd_untrusted_t:process signal;
>
> You suggest "use interface: ..." several times. To make it absolutely clear -
> are you asking me to create the named interfaces in icecream.if and use them in
> icecream.te?
> I thought interfaces were only useful for interaction with other policy
> modules. And at the moment I can't imagine any other users of these interfaces.

Interfaces make it easier for you to maintain policy, be it local to the
module or not. I suggested the use of interfaces, but it's a personal
taste.

> > corenet_all_recvfrom_unlabeled(iceccd_t)
> > corenet_all_recvfrom_netlabel(iceccd_t)
> > corenet_tcp_sendrecv_generic_if(iceccd_t)
> > -corenet_udp_sendrecv_generic_if(iceccd_t)
> > corenet_tcp_sendrecv_generic_node(iceccd_t)
> > -corenet_udp_sendrecv_generic_node(iceccd_t)
> > corenet_tcp_sendrecv_all_ports(iceccd_t)
> > -corenet_udp_sendrecv_all_ports(iceccd_t)
> > corenet_tcp_bind_generic_node(iceccd_t)
> > corenet_tcp_bind_iceccd_port(iceccd_t)
>
> iceccd sends UDP broadcasts to find the scheduler on the LAN. Won't removing
> these rules block it?

If you need them, add them.

>
> Michal

2009-03-02 16:35:01

by domg472

Subject: [refpolicy] [PATCH] add policy for Icecream

On Mon, 2009-03-02 at 13:04 +0100, Michal Schmidt wrote:

> +allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };

This can be: can_exec(iceccd_untrusted_t, iceccd_cache_t)


2009-03-02 23:40:52

by Michal Schmidt

Subject: [refpolicy] [PATCH v1.0.2] add policy for Icecream

Hello,

This patch adds the policy for Icecream, a distributed compiler.

Notable changes since the first version:
- as suggested by Dominick Grift:
- reordered lots of the lines
- removed the comments
- dontaudit siginh, rlimitinh, noatsecure
- use application_domain() for iceccd_createenv_t
- use can_exec()
I did not add any interfaces; I like it better without them.

Michal

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2912)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -103,6 +103,8 @@
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te (revision 0)
+++ policy/modules/services/icecream.te (revision 0)
@@ -0,0 +1,204 @@
+
+policy_module(icecream,1.0.2)
+
+########################################
+#
+# iceccd declarations
+#
+
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+########################################
+#
+# iceccd_createenv declarations
+#
+
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+########################################
+#
+# icecc_scheduler declarations
+#
+
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+########################################
+#
+# iceccd policy
+#
+
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+ setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+ noatsecure };
+
+allow iceccd_t iceccd_untrusted_t:process signal;
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
+
+files_search_tmp(iceccd_t)
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_read_etc_files(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+
+kernel_read_system_state(iceccd_t)
+
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
+
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
+
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+
+dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
+kernel_read_system_state(iceccd_createenv_t)
+
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
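Review bot: In the iceccd_untrusted policy section, iceccd_untrusted_t gets both manage_files_pattern and can_exec on iceccd_cache_t, so the domain that runs compilers received from the network can rewrite the same files it executes, and the ones iceccd_t executes to enter this domain via domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t); the cover note itself describes this as running arbitrary code from networked users, so a job that misbehaves could presumably alter what later jobs on that node run. If the unpacked compiler only needs to write its object output, a second type for the per-job working area (manage but no execute for this domain) would keep the environment execute-only for the untrusted domain, e.g. `type iceccd_untrusted_tmp_t;` with `manage_files_pattern(iceccd_untrusted_t, iceccd_untrusted_tmp_t, iceccd_untrusted_tmp_t)` and `can_exec(iceccd_untrusted_t, iceccd_cache_t)` alone on the cache. If write access to the environment itself is genuinely required, a one-line comment above the rule saying why would help the next reader. The same pair of rules is in the v1.0.3 resend of icecream.te further down this page.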
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc (revision 0)
+++ policy/modules/services/icecream.fc (revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if (revision 0)
+++ policy/modules/services/icecream.if (revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>

2009-03-03 00:08:46

by domg472

Subject: [refpolicy] [PATCH v1.0.2] add policy for Icecream

On Tue, 2009-03-03 at 00:40 +0100, Michal Schmidt wrote:
> Hello,
>
> This patch adds the policy for Icecream, a distributed compiler.
>
> Notable changes since the first version:
> - as suggested by Dominick Grift:
> - reordered lots of the lines
> - removed the comments
> - dontaudit siginh, rlimitinh, noatsecure
> - use application_domain() for iceccd_createenv_t
> - use can_exec()
> I did not add any interfaces, I like it better without them.
>
> Michal
>
> Index: policy/modules/kernel/corenetwork.te.in
> ===================================================================
> --- policy/modules/kernel/corenetwork.te.in (revision 2912)
> +++ policy/modules/kernel/corenetwork.te.in (working copy)
> @@ -103,6 +103,8 @@
> network_port(howl, tcp,5335,s0, udp,5353,s0)
> network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
> network_port(i18n_input, tcp,9010,s0)
> +network_port(iceccd, tcp,10245,s0)
> +network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
> network_port(imaze, tcp,5323,s0, udp,5323,s0)
> network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
> network_port(innd, tcp,119,s0)
> Index: policy/modules/services/icecream.te
> ===================================================================
> --- policy/modules/services/icecream.te (revision 0)
> +++ policy/modules/services/icecream.te (revision 0)
> @@ -0,0 +1,204 @@
> +
> +policy_module(icecream,1.0.2)
> +
> +########################################
> +#
> +# iceccd declarations
> +#
> +
> +type iceccd_t;
> +type iceccd_exec_t;
> +init_daemon_domain(iceccd_t, iceccd_exec_t)
> +
> +type iceccd_log_t;
> +logging_log_file(iceccd_log_t)
> +
> +type iceccd_tmp_t;
> +files_tmp_file(iceccd_tmp_t)
> +
> +type iceccd_var_run_t;
> +files_pid_file(iceccd_var_run_t)
> +
> +type iceccd_cache_t;
> +files_type(iceccd_cache_t)
> +
> +########################################
> +#
> +# iceccd_createenv declarations
> +#
> +
> +type iceccd_createenv_t;
> +type iceccd_createenv_exec_t;
> +application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
> +role system_r types iceccd_createenv_t;
> +
> +########################################
> +#
> +# icecc_scheduler declarations
> +#
> +
> +type icecc_scheduler_t;
> +type icecc_scheduler_exec_t;
> +init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
> +
> +########################################
> +#
> +# iceccd_untrusted declarations
> +#
> +
> +type iceccd_untrusted_t;
> +domain_type(iceccd_untrusted_t);
> +domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
> +role system_r types iceccd_untrusted_t;
> +
> +########################################
> +#
> +# iceccd policy
> +#
> +
> +allow iceccd_t self:capability { chown dac_override fowner fsetid kill
> + setgid setuid sys_chroot };
> +allow iceccd_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
> +allow iceccd_t self:process { signal_perms setsched setrlimit };
> +allow iceccd_t self:tcp_socket create_stream_socket_perms;
> +allow iceccd_t self:udp_socket create_socket_perms;
> +
> +dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
> + noatsecure };
> +
> +allow iceccd_t iceccd_untrusted_t:process signal;
> +
> +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
> +domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
> +
> +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
> +logging_log_filetrans(iceccd_t, iceccd_log_t, file)
> +
> +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
> +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
> +
> +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> +files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })

Does iceccd_t not need: files_search_var(iceccd_t)?
I expect that it needs to search /var to be able to find files/dirs with
type iceccd_cache_t/iceccd_log_t/iceccd_var_run_t and I do not see where
it is allowed to search /var.

It might also need permission to search var_run_t, var_log_t?

It can be that the search perm is included in one of the interfaces
below.

> +files_search_tmp(iceccd_t)
> +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
> +
> +corenet_all_recvfrom_unlabeled(iceccd_t)
> +corenet_all_recvfrom_netlabel(iceccd_t)
> +corenet_tcp_sendrecv_generic_if(iceccd_t)
> +corenet_udp_sendrecv_generic_if(iceccd_t)
> +corenet_tcp_sendrecv_generic_node(iceccd_t)
> +corenet_udp_sendrecv_generic_node(iceccd_t)
> +corenet_tcp_sendrecv_all_ports(iceccd_t)
> +corenet_udp_sendrecv_all_ports(iceccd_t)
> +corenet_tcp_bind_generic_node(iceccd_t)
> +corenet_tcp_bind_iceccd_port(iceccd_t)
> +corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
> +corenet_sendrecv_iceccd_server_packets(iceccd_t)
> +
> +corecmd_exec_bin(iceccd_t)
> +corecmd_read_bin_symlinks(iceccd_t)
> +
> +files_read_etc_files(iceccd_t)
> +
> +fs_getattr_all_fs(iceccd_t)
> +
> +kernel_read_system_state(iceccd_t)
> +
> +sysnet_read_config(iceccd_t)
> +
> +libs_use_ld_so(iceccd_t)
> +libs_use_shared_libs(iceccd_t)
> +
> +miscfiles_read_localization(iceccd_t)
> +
> +########################################
> +#
> +# iceccd_createenv policy
> +#
> +
> +allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
> +
> +dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
> +
> +allow iceccd_createenv_t iceccd_log_t:file { append };
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
> +# no files_var_filetrans, createenv does not create the cache dir itself

Does iceccd_createenv_t not need: files_search_var(iceccd_createenv_t)?
I expect that it needs to search /var to be able to find files/dirs with
type iceccd_cache_t and I do not see where it is allowed to search /var.

It can be that the search perm is included in one of the interfaces
below.
> +
> +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> +files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })

Does iceccd_createenv_t not need: files_search_tmp(iceccd_createenv_t)?
I expect that it needs to search /tmp to be able to find files/dirs with
type iceccd_tmp_t and I do not see where it is allowed to search /tmp.

It can be that the search perm is included in one of the interfaces
below.
> +
> +corecmd_exec_bin(iceccd_createenv_t)
> +corecmd_exec_shell(iceccd_createenv_t)
> +
> +dev_read_urand(iceccd_createenv_t)
> +
> +files_read_etc_files(iceccd_createenv_t)
> +files_read_usr_files(iceccd_createenv_t)
> +
> +kernel_read_system_state(iceccd_createenv_t)
> +
> +libs_exec_ld_so(iceccd_createenv_t)
> +libs_exec_lib_files(iceccd_createenv_t)
> +
> +libs_domtrans_ldconfig(iceccd_createenv_t)
> +
> +libs_use_ld_so(iceccd_createenv_t)
> +libs_use_shared_libs(iceccd_createenv_t)
> +
> +miscfiles_read_localization(iceccd_createenv_t)
> +
> +userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
> +
> +optional_policy(`
> + nscd_socket_use(iceccd_createenv_t)
> +')
> +
> +########################################
> +#
> +# iceccd_untrusted policy
> +#
> +
> +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
> +allow iceccd_untrusted_t self:process signal_perms;
> +allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
> +
> +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
> +
Does iceccd_untrusted_t not need: files_search_var(iceccd_untrusted_t)?
I expect that it needs to search /var to be able to find files/dirs with
type iceccd_cache_t and I do not see where it is allowed to search /var.

> +can_exec(iceccd_untrusted_t, iceccd_cache_t)
> +
> +########################################
> +#
> +# icecc_scheduler policy
> +#
> +
> +allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
> +allow icecc_scheduler_t self:udp_socket create_socket_perms;
> +
> +corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
> +corenet_all_recvfrom_netlabel(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
> +corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
> +corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
> +corenet_tcp_bind_generic_node(icecc_scheduler_t)
> +corenet_udp_bind_generic_node(icecc_scheduler_t)
> +corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
> +corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
> +
> +files_read_etc_files(icecc_scheduler_t)
> +
> +libs_use_ld_so(icecc_scheduler_t)
> +libs_use_shared_libs(icecc_scheduler_t)
> +
> +miscfiles_read_localization(icecc_scheduler_t)
> Index: policy/modules/services/icecream.fc
> ===================================================================
> --- policy/modules/services/icecream.fc (revision 0)
> +++ policy/modules/services/icecream.fc (revision 0)
> @@ -0,0 +1,5 @@
> +/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
> +/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
> +/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
> +/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
> +/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
> Index: policy/modules/services/icecream.if
> ===================================================================
> --- policy/modules/services/icecream.if (revision 0)
> +++ policy/modules/services/icecream.if (revision 0)
> @@ -0,0 +1 @@
> +## <summary>Icecream distributed compiler daemon</summary>

2009-03-03 15:22:56

by Michal Schmidt

Subject: [refpolicy] [PATCH v1.0.3] add policy for Icecream

On Tue, 03 Mar 2009 01:08:46 +0100
Dominick Grift wrote:

> On Tue, 2009-03-03 at 00:40 +0100, Michal Schmidt wrote:
> > +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t,
> > iceccd_createenv_t) +domtrans_pattern(iceccd_t, iceccd_cache_t,
> > iceccd_untrusted_t) +
> > +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
> > +logging_log_filetrans(iceccd_t, iceccd_log_t, file)
> > +
> > +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
> > +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
> > +
> > +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> > +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> > +files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
>
> Does iceccd_t not need: files_search_var(iceccd_t)?
> I expect that it needs to search /var to be able to find files/dirs
> with type iceccd_cache_t/iceccd_log_t/iceccd_var_run_t and i do not
> see where it is allowed to search /var
>
> It might also need permission to search var_run_t, var_log_t?
>
> It can be that the search perm is included in one of the interfaces
> below.

Permission to search /var is already implied:
files_var_filetrans(iceccd_t, ..., ...) =>
filetrans_pattern(iceccd_t, var_t, ..., ...) =>
allow iceccd_t var_t:dir rw_dir_perms;
(and rw_dir_perms contain the search permission.)

Similarly,
files_pid_filetrans implies the permission to search var_run_t and
logging_log_filetrans implies the permission to search var_log_t.

> > +files_search_tmp(iceccd_t)
> > +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> > +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> > +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })

I see that by the same logic I can remove the explicit
files_search_tmp, because it's already given by files_tmp_filetrans.

> > +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t,
> > iceccd_cache_t) +manage_files_pattern(iceccd_createenv_t,
> > iceccd_cache_t, iceccd_cache_t) +# no files_var_filetrans,
> > createenv does not create the cache dir itself
>
> Does iceccd_createenv_t not need:
> files_search_var(iceccd_createenv_t)? I expect that it needs to
> search /var to be able to find files/dirs with type iceccd_cache_t
> and i do not see where it is allowed to search /var
>
> It can be that the search perm is included in one of the interfaces
> below.

Ah, it gets included via nscd_socket_use. And since this is only in an
optional_policy block, it's a bug. I must explicitly add
files_search_var(iceccd_createenv_t).

> > +
> > +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> > +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t,
> > iceccd_tmp_t) +files_tmp_filetrans(iceccd_createenv_t,
> > iceccd_tmp_t, { dir file })
>
> Does iceccd_createenv_t not need:
> files_search_tmp(iceccd_createenv_t)? I expect that it needs to
> search /tmp to be able to find files/dirs with type iceccd_tmp_t and
> i do not see where it is allowed to search /tmp.

This is included via files_tmp_filetrans.

> > +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
> > +allow iceccd_untrusted_t self:process signal_perms;
> > +allow iceccd_untrusted_t iceccd_t:unix_stream_socket
> > rw_sock_file_perms; +
> > +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t,
> > iceccd_cache_t) +
> Does iceccd_untrusted_t not need:
> files_search_var(iceccd_untrusted_t)? I expect that it needs to
> search /var to be able to find files/dirs with type iceccd_cache_t
> and i do not see where it is allowed to search /var

iceccd_untrusted_t runs in a chroot, with iceccd_cache_t
files and directories only. It never sees the leading components of the
path (/var/cache/).

Updated patch below.

Michal



This adds the policy for Icecream, a distributed compiler.

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2913)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -103,6 +103,8 @@
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te (revision 0)
+++ policy/modules/services/icecream.te (revision 0)
@@ -0,0 +1,204 @@
+
+policy_module(icecream,1.0.3)
+
+########################################
+#
+# iceccd declarations
+#
+
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+########################################
+#
+# iceccd_createenv declarations
+#
+
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+########################################
+#
+# icecc_scheduler declarations
+#
+
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+########################################
+#
+# iceccd policy
+#
+
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+ setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+ noatsecure };
+
+allow iceccd_t iceccd_untrusted_t:process signal;
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
+
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_read_etc_files(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+
+kernel_read_system_state(iceccd_t)
+
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
+
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+
+files_search_var(iceccd_createenv_t)
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
+
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+
+dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
+kernel_read_system_state(iceccd_createenv_t)
+
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+optional_policy(`
+ nscd_socket_use(iceccd_createenv_t)
+')
+
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
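Review bot: `allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;` in the iceccd_untrusted section applies a sock_file permission macro to the unix_stream_socket class; it presumably builds because the permissions it expands to are also valid socket permissions, but the macro name describes a filesystem object, so a reader checking the rule against the permission-set definitions will look in the wrong place. Spelling out the socket permissions the job actually needs on the inherited socket, e.g. `allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write };`, states intent and keeps the grant minimal, adding getattr or append only if a denial shows them. The same line is in the v1.0.2 hunk earlier on this page.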
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc (revision 0)
+++ policy/modules/services/icecream.fc (revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if (revision 0)
+++ policy/modules/services/icecream.if (revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>