[refpolicy] [PATCH v1.0.3] add policy for Icecream

Michal Schmidt mschmidt at redhat.com
Tue Mar 3 09:22:56 CST 2009


On Tue, 03 Mar 2009 01:08:46 +0100
Dominick Grift wrote:

> On Tue, 2009-03-03 at 00:40 +0100, Michal Schmidt wrote:
> > +domtrans_pattern(iceccd_t, iceccd_createenv_exec_t,
> > iceccd_createenv_t) +domtrans_pattern(iceccd_t, iceccd_cache_t,
> > iceccd_untrusted_t) +
> > +manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
> > +logging_log_filetrans(iceccd_t, iceccd_log_t, file)
> > +
> > +manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
> > +files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
> > +
> > +manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> > +manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
> > +files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
> 
> Does iceccd_t not need: files_search_var(iceccd_t)?
> I expect that it needs to search /var to be able to find files/dirs
> with type iceccd_cache_t/iceccd_log_t/iceccd_var_run_t and I do not
> see where it is allowed to search /var.
> 
> It might also need permission to search var_run_t, var_log_t?
> 
> It can be that the search perm is included in one of the interfaces
> below.

Permission to search /var is already implied:
files_var_filetrans(iceccd_t, ..., ...) =>
  filetrans_pattern(iceccd_t, var_t, ..., ...) =>
    allow iceccd_t var_t:dir rw_dir_perms;
    (and rw_dir_perms contains the search permission.)

Similarly,
files_pid_filetrans implies the permission to search var_run_t and
logging_log_filetrans implies the permission to search var_log_t.

> > +files_search_tmp(iceccd_t)
> > +manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> > +manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
> > +files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })

I see that by the same logic I can remove the explicit
files_search_tmp, because it's already given by files_tmp_filetrans.

> > +manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t,
> > iceccd_cache_t) +manage_files_pattern(iceccd_createenv_t,
> > iceccd_cache_t, iceccd_cache_t) +# no files_var_filetrans,
> > createenv does not create the cache dir itself
> 
> Does iceccd_createenv_t not need:
> files_search_var(iceccd_createenv_t)? I expect that it needs to
> search /var to be able to find files/dirs with type iceccd_cache_t
> and I do not see where it is allowed to search /var.
> 
> It can be that the search perm is included in one of the interfaces
> below.

Ah, it gets included via nscd_socket_use. And since this is only in an
optional_policy block, it's a bug. I must explicitly add
files_search_var(iceccd_createenv_t).

> > +
> > +manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
> > +manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t,
> > iceccd_tmp_t) +files_tmp_filetrans(iceccd_createenv_t,
> > iceccd_tmp_t, { dir file })
> 
> Does iceccd_createenv_t not need:
> files_search_tmp(iceccd_createenv_t)? I expect that it needs to
> search /tmp to be able to find files/dirs with type iceccd_tmp_t and
> I do not see where it is allowed to search /tmp.

This is included via files_tmp_filetrans.

> > +allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
> > +allow iceccd_untrusted_t self:process signal_perms;
> > +allow iceccd_untrusted_t iceccd_t:unix_stream_socket
> > rw_sock_file_perms; +
> > +manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t,
> > iceccd_cache_t) +
> 
> Does iceccd_untrusted_t not need:
> files_search_var(iceccd_untrusted_t)? I expect that it needs to
> search /var to be able to find files/dirs with type iceccd_cache_t
> and I do not see where it is allowed to search /var.

iceccd_untrusted_t runs in a chroot, with iceccd_cache_t
files and directories only. It never sees the leading components of the
path (/var/cache/).

Updated patch below.

Michal
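The macro chain walked through in the reply above (files_var_filetrans implying search on var_t, and a search permission that only arrives through an optional_policy block), as an added Python example that is not part of the original mail or of refpolicy. The macro bodies and permission sets in MACROS and PERM_SETS are a simplified model built for this example, not refpolicy's real definitions, and the policy fragments at the bottom are constructed from the patch lines.

```python
# Toy expander for the macro chain in the reply (added example, not refpolicy code):
# MACROS models only the relations the thread relies on; sample fragments are constructed.
import re
PERM_SETS = {"rw_dir_perms": {"read", "getattr", "search", "write", "add_name", "remove_name"}}
MACROS = {  # interface name -> body lines with $n placeholders (illustrative bodies)
    "files_var_filetrans": ["filetrans_pattern($1, var_t, $2, $3)"],
    "files_search_var": ["allow $1 var_t:dir { getattr search };"],
    "filetrans_pattern": ["allow $1 $2:dir rw_dir_perms;", "type_transition $1 $2:$4 $3;"],
    "nscd_socket_use": ["files_search_var($1)"],  # the inclusion the thread observed
}
CALL = re.compile(r"^(\w+)\((.*)\)$")
ALLOW = re.compile(r"^allow (\w+) (\w+):(\w+) (.+);$")
def expand(line):
    """Recursively expand one line into raw rules; names not in MACROS yield nothing."""
    m = CALL.match(line.strip())
    if not m:
        return [line.strip()]
    args = [a.strip() for a in m.group(2).split(",")]
    rules = []
    for body in MACROS.get(m.group(1), []):
        for i, a in enumerate(args, 1):
            body = body.replace(f"${i}", a)
        rules += expand(body)
    return rules

def grants(policy, domain, target, cls):
    """(unconditional perms, perms only reachable through optional_policy blocks)."""
    always, optional, in_opt = set(), set(), False
    for line in (l.strip() for l in policy.splitlines()):
        if line.startswith("optional_policy("):
            in_opt = True
        elif line == "')":
            in_opt = False
        elif line and not line.startswith("#"):
            for r in map(ALLOW.match, expand(line)):
                if r and r.group(1, 2, 3) == (domain, target, cls):
                    for p in r.group(4).strip("{} ").split():
                        (optional if in_opt else always).update(PERM_SETS.get(p, {p}))
    return always, optional - always

def can_search_var(policy, domain):
    """(search on var_t granted unconditionally?, only inside optional_policy?)"""
    always, optional_only = grants(policy, domain, "var_t", "dir")
    return "search" in always, "search" in optional_only
ICECCD = "files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })"  # mirrors the patch
CREATEENV_BEFORE = """manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
optional_policy(`
	nscd_socket_use(iceccd_createenv_t)
')"""
CREATEENV_AFTER = "files_search_var(iceccd_createenv_t)\n" + CREATEENV_BEFORE
```

can_search_var(CREATEENV_BEFORE, "iceccd_createenv_t") reports the search permission as optional-only, which is the bug the reply identifies; CREATEENV_AFTER, with the explicit files_search_var, reports it as unconditional.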



This adds the policy for Icecream, a distributed compiler.

Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in	(revision 2913)
+++ policy/modules/kernel/corenetwork.te.in	(working copy)
@@ -103,6 +103,8 @@
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
 network_port(i18n_input, tcp,9010,s0)
+network_port(iceccd, tcp,10245,s0)
+network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
 network_port(innd, tcp,119,s0)
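Review bot: the two new network_port lines are out of order for this file's alphabetical listing: `icecc_scheduler` sorts before `iceccd` (`_` precedes `d`), so `network_port(icecc_scheduler, tcp,8765,s0, tcp,8766,s0, udp,8765,s0)` should sit above `network_port(iceccd, tcp,10245,s0)`. The names must stay exactly as spelled here, because the icecream.te hunk relies on the generated `corenet_tcp_bind_iceccd_port`, `corenet_tcp_connect_icecc_scheduler_port` and `corenet_sendrecv_*_packets` interfaces.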
Index: policy/modules/services/icecream.te
===================================================================
--- policy/modules/services/icecream.te	(revision 0)
+++ policy/modules/services/icecream.te	(revision 0)
@@ -0,0 +1,204 @@
+
+policy_module(icecream,1.0.3)
+
+########################################
+#
+# iceccd declarations
+#
+
+type iceccd_t;
+type iceccd_exec_t;
+init_daemon_domain(iceccd_t, iceccd_exec_t)
+
+type iceccd_log_t;
+logging_log_file(iceccd_log_t)
+
+type iceccd_tmp_t;
+files_tmp_file(iceccd_tmp_t)
+
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
+
+########################################
+#
+# iceccd_createenv declarations
+#
+
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+########################################
+#
+# icecc_scheduler declarations
+#
+
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+########################################
+#
+# iceccd policy
+#
+
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+	setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:tcp_socket create_stream_socket_perms;
+allow iceccd_t self:udp_socket create_socket_perms;
+
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+	noatsecure };
+
+allow iceccd_t iceccd_untrusted_t:process signal;
+
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
+
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
+
+corenet_all_recvfrom_unlabeled(iceccd_t)
+corenet_all_recvfrom_netlabel(iceccd_t)
+corenet_tcp_sendrecv_generic_if(iceccd_t)
+corenet_udp_sendrecv_generic_if(iceccd_t)
+corenet_tcp_sendrecv_generic_node(iceccd_t)
+corenet_udp_sendrecv_generic_node(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_bind_generic_node(iceccd_t)
+corenet_tcp_bind_iceccd_port(iceccd_t)
+corenet_tcp_connect_icecc_scheduler_port(iceccd_t)
+corenet_sendrecv_iceccd_server_packets(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_read_etc_files(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+
+kernel_read_system_state(iceccd_t)
+
+sysnet_read_config(iceccd_t)
+
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
+
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_createenv_t iceccd_log_t:file { append };
+
+files_search_var(iceccd_createenv_t)
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
+
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+
+dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
+kernel_read_system_state(iceccd_createenv_t)
+
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
+
+optional_policy(`
+	nscd_socket_use(iceccd_createenv_t)
+')
+
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+
+########################################
+#
+# icecc_scheduler policy
+#
+
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_udp_sendrecv_generic_node(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_generic_node(icecc_scheduler_t)
+corenet_udp_bind_generic_node(icecc_scheduler_t)
+corenet_tcp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_udp_bind_icecc_scheduler_port(icecc_scheduler_t)
+corenet_sendrecv_icecc_scheduler_server_packets(icecc_scheduler_t)
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
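Review bot: iceccd_untrusted_t can both rewrite and execute its own entry-point type: `domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)`, `manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` and `can_exec(iceccd_untrusted_t, iceccd_cache_t)` together let a compile job inside the chroot modify the toolchain files that the next `domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)` transition will execute. Unless the environment is discarded after every job, the environment contents should get a separate read/execute-only type and the untrusted domain write access only to a work-file type. Three smaller points: `domain_type(iceccd_untrusted_t);` carries a stray `;` that no other interface call in this file has; `{ execute }` and `{ append }` do not need braces for a single permission, and `append_file_perms` is the usual refpolicy spelling for the log rule; and `sysnet_read_config(iceccd_t)` belongs below `miscfiles_read_localization(iceccd_t)` to keep the system-layer calls alphabetical.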
Index: policy/modules/services/icecream.fc
===================================================================
--- policy/modules/services/icecream.fc	(revision 0)
+++ policy/modules/services/icecream.fc	(revision 0)
@@ -0,0 +1,5 @@
+/usr/sbin/iceccd			--	gen_context(system_u:object_r:iceccd_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
+/var/cache/icecream(/.*)?			gen_context(system_u:object_r:iceccd_cache_t,s0)
+/var/log/iceccd				--	gen_context(system_u:object_r:iceccd_log_t,s0)
+/usr/sbin/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)
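Review bot: refpolicy keeps .fc entries sorted by path, so `/usr/sbin/icecc-scheduler` should move up next to `/usr/sbin/iceccd` (after the `/usr/lib(64)?/icecc/icecc-create-env` line), leaving the `/var/cache/icecream(/.*)?` and `/var/log/iceccd` entries last; the labels themselves match the types declared in icecream.te.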
Index: policy/modules/services/icecream.if
===================================================================
--- policy/modules/services/icecream.if	(revision 0)
+++ policy/modules/services/icecream.if	(revision 0)
@@ -0,0 +1 @@
+## <summary>Icecream distributed compiler daemon</summary>
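Review bot: the .if file carries only the `<summary>` line and defines no interfaces, so nothing outside this module can transition to iceccd_t or icecc_scheduler_t or manage their file types; if that is intended for this version, say so in the summary, otherwise add the usual domtrans and admin interfaces so the module does not read as unfinished.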

