From: mschmidt@redhat.com (Michal Schmidt)
Date: Tue, 3 Mar 2009 00:40:52 +0100
Subject: [refpolicy] [PATCH v1.0.2] add policy for Icecream
In-Reply-To: <1236011701.19155.39.camel@notebook1.grift.internal>
References: <20090302130427.0befcb52@leela>
	<1236011701.19155.39.camel@notebook1.grift.internal>
Message-ID: <20090303004052.18311ded@leela>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

This patch adds the policy for Icecream, a distributed compiler.

Notable changes since the first version:
 - as suggested by Dominick Grift:
   - reordered lots of the lines
   - removed the comments
   - dontaudit siginh, rlimitinh, noatsecure
   - use application_domain() for iceccd_createenv_t
   - use can_exec()
I did not add any interfaces, I like it better without them.

Michal

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in	(revision 2912)
+++ policy/modules/kernel/corenetwork.te.in	(working copy)
@@ -103,6 +103,8 @@
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te	(revision 0)
+++ policy/modules/services/icecream.te	(revision 0)
@@ -0,0 +1,204 @@
+
+policy_module(icecream,1.0.2)
+
+########################################
+#
+# iceccd declarations
+#
+
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+########################################
+#
+# iceccd_createenv declarations
+#
+
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+########################################
+#
+# icecc_scheduler declarations
+#
+
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+########################################
+#
+# iceccd policy
+#
+
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+	setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+	noatsecure };
+
+allow iceccd_t iceccd_untrusted_t:process signal;
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
+
+files_search_tmp(iceccd_t)
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_read_etc_files(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+
+kernel_read_system_state(iceccd_t)
+
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
+
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
+
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+
+dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
+kernel_read_system_state(iceccd_createenv_t)
+
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+optional_policy(`
+	nscd_socket_use(iceccd_createenv_t)
+')
+
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc	(revision 0)
+++ policy/modules/services/icecream.fc	(revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd			--	gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)?			gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd				--	gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if	(revision 0)
+++ policy/modules/services/icecream.if	(revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>