rpms/icecream/F-8 icecream.csh.in, NONE, 1.1 icecream.fc, NONE, 1.1 icecream.if, NONE, 1.1 icecream.sh.in, NONE, 1.1 icecream.te, NONE, 1.1 initscript-iceccd, NONE, 1.1 initscript-scheduler, NONE, 1.1 icecream.spec, 1.1, 1.2 icecream-add-initscripts.patch, 1.1, NONE
Michal Schmidt (michich)
fedora-extras-commits at redhat.com
Tue Nov 27 23:52:14 UTC 2007
Author: michich
Update of /cvs/pkgs/rpms/icecream/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20245
Modified Files:
icecream.spec
Added Files:
icecream.csh.in icecream.fc icecream.if icecream.sh.in
icecream.te initscript-iceccd initscript-scheduler
Removed Files:
icecream-add-initscripts.patch
Log Message:
* Tue Nov 27 2007 Michal Schmidt <mschmidt at redhat.com> - 0.8.0-5.20071101svn
- SELinux: Allow iceccd to contact the scheduler via UDP.
- Don't add icecream to PATH in the profile scripts if ccache is installed
to avoid recursive invocations (bz #377761).
* Tue Nov 20 2007 Michal Schmidt <mschmidt at redhat.com> - 0.8.0-4.20071101svn
- Add a SELinux policy for iceccd
- Initscripts as sources instead of patches in the .spec file
- Don't touch /var/log/iceccd in the initscript. Let iceccd create it.
* Mon Nov 12 2007 Michal Schmidt <mschmidt at redhat.com> - 0.8.0-3.20071101svn
- Add icecc to $PATH using scripts in profile.d
--- NEW FILE icecream.csh.in ---
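# Prepend the icecc compiler wrappers to the search path.
# If icecream and ccache are installed, we must not put both in the path,
# to prevent recursive invocations, so nothing is added when either the
# icecc directory or the ccache directory is already listed.
# Note: ccache.csh (if present) will be sourced before icecream.csh
if ( "$path" !~ *@LIBDIR@/icecc/bin* && "$path" !~ *@LIBDIR@/ccache* ) then
    # $path:q keeps every existing entry as a separate word. A double-quoted
    # "$path" expands to ONE space-joined word, which would replace the whole
    # previous search path with a single unusable entry.
    set path = ( @LIBDIR@/icecc/bin $path:q )
endif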
--- NEW FILE icecream.fc ---
# File contexts for the icecream policy module.
# Every entry below uses:
# label: system_u:object_r:<type>
# MLS sensitivity: s0
# MCS categories: <none>
# An entry with "--" applies to regular files only.
# Daemon binary; icecream.te makes iceccd_exec_t the entry point of iceccd_t.
/usr/sbin/iceccd -- gen_context(system_u:object_r:iceccd_exec_t,s0)
# Environment-creation helper; icecream.te makes this type the entry point of iceccd_helper_t.
/usr/lib(64)?/icecc/icecc-create-env -- gen_context(system_u:object_r:iceccd_helper_exec_t,s0)
# The cache directory and everything below it (no "--", so directories match too).
# icecream.te declares iceccd_cache_t as the entry point of iceccd_untrusted_t,
# so this label decides which files run in that domain.
/var/cache/icecream(/.*)? gen_context(system_u:object_r:iceccd_cache_t,s0)
# Log file of the daemon.
/var/log/iceccd -- gen_context(system_u:object_r:iceccd_log_t,s0)
# Disabled: icecream.te declares no icecc_scheduler_log_t type, so the
# scheduler log keeps whatever label it inherits.
#/var/log/icecc-scheduler -- gen_context(system_u:object_r:icecc_scheduler_log_t,s0)
--- NEW FILE icecream.if ---
## <summary>Icecream distributed compiler daemon</summary>
--- NEW FILE icecream.sh.in ---
# Put the icecc compiler wrappers at the front of PATH.
# Nothing is added when they are already listed, or when the ccache
# directory is: with both icecream and ccache in PATH the wrappers would
# end up in recursive invocations.
# Note: ccache.sh (if present) will be sourced before icecream.sh
case "$PATH" in
    *"@LIBDIR@/icecc/bin"* | *"@LIBDIR@/ccache"*)
        # One of the two wrapper directories is present: leave PATH alone.
        ;;
    *)
        PATH="@LIBDIR@/icecc/bin:$PATH"
        ;;
esac
--- NEW FILE icecream.te ---
# SELinux policy module for the icecream daemon (iceccd).
# It declares three domains: iceccd_t for the daemon, iceccd_helper_t for
# the helper labelled iceccd_helper_exec_t, and iceccd_untrusted_t for
# programs that are executed out of the cache.
policy_module(icecream,0.0.35)
########################################
#
# Declarations
#
# Daemon domain and its entry point; declared as a daemon started by init.
type iceccd_t;
type iceccd_exec_t;
init_daemon_domain(iceccd_t, iceccd_exec_t)
# PID file of the daemon.
type iceccd_var_run_t;
files_pid_file(iceccd_var_run_t)
# Log file of the daemon.
type iceccd_log_t;
logging_log_file(iceccd_log_t)
# Contents of the cache directory (labelled in icecream.fc).
type iceccd_cache_t;
files_type(iceccd_cache_t)
# Temporary files created by the daemon and the helper.
type iceccd_tmp_t;
files_tmp_file(iceccd_tmp_t)
# Helper domain, entered through files labelled iceccd_helper_exec_t.
type iceccd_helper_t;
type iceccd_helper_exec_t;
domain_type(iceccd_helper_t)
domain_entry_file(iceccd_helper_t, iceccd_helper_exec_t)
role system_r types iceccd_helper_t;
# the cache contains foreign compilers and libraries
# the whole point of icecream is to run them...
# The entry point type is the cache type itself: any file labelled
# iceccd_cache_t can be used to enter iceccd_untrusted_t.
type iceccd_untrusted_t;
domain_type(iceccd_untrusted_t);
domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
role system_r types iceccd_untrusted_t;
# XXX: something like this:
# network_port(iceccd, tcp,10245,s0)
#type iceccd_client_packet_t;
#type iceccd_server_packet_t;
# XXX: portcon only works in base policy module
#portcon tcp 10245 gen_context(system_u:object_r:iceccd_port_t, s0)
# Only the port types are declared here; no port number is bound to them in
# this module. The package spec attaches the numbers with semanage port in
# its %post scriptlet (tcp 10245, tcp and udp 8765).
type iceccd_port_t;
type icecc_scheduler_port_t;
corenet_port(iceccd_port_t);
corenet_port(icecc_scheduler_port_t);
########################################
#
# Icecream local policy
#
# Rules for iceccd_t (daemon), iceccd_helper_t (helper) and
# iceccd_untrusted_t (programs run from the cache).
# Daemon: own process control and sockets.
allow iceccd_t self:process { signal_perms setsched setrlimit };
allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
allow iceccd_t self:tcp_socket create_stream_socket_perms;
allow iceccd_t self:udp_socket create_socket_perms;
# Daemon: listen on its own TCP port type; talk to the scheduler port type
# over TCP (connect) and UDP (send and receive only).
allow iceccd_t iceccd_port_t:tcp_socket name_bind;
allow iceccd_t icecc_scheduler_port_t:tcp_socket { send_msg recv_msg name_connect };
allow iceccd_t icecc_scheduler_port_t:udp_socket { send_msg recv_msg };
allow iceccd_t self:fifo_file { read write ioctl getattr };
# why exactly?:
# NOTE(review): dac_override lets the daemon bypass file permission checks;
# the author has not established that it is needed.
allow iceccd_t self:capability { chown dac_override fsetid kill };
# NOTE(review): presumably for switching to the icecream account (the
# initscript passes -u icecream) and for chrooting jobs; confirm against iceccd.
allow iceccd_t self:capability { setgid setuid };
allow iceccd_t self:capability { sys_chroot };
# Transition into the untrusted domain keeps signal state and resource limits.
# NOTE(review): noatsecure also turns off secure-execution mode for the new
# program, so the caller environment is not sanitised on this transition.
allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure };
# Helper: report exit to the daemon, append to the daemon log, use its own pipes.
allow iceccd_helper_t iceccd_t:process { sigchld };
allow iceccd_helper_t iceccd_log_t:file { append };
allow iceccd_helper_t self:fifo_file { read write ioctl getattr };
# needs investigating:
# NOTE(review): the helper may execute files of a type that it can also
# create and modify (see the manage_files_pattern rules for iceccd_tmp_t below).
allow iceccd_helper_t iceccd_tmp_t:file { execute };
# Untrusted domain: report exit to the daemon and use the descriptors
# inherited from it.
allow iceccd_untrusted_t iceccd_t:process { sigchld };
allow iceccd_untrusted_t iceccd_t:fifo_file { write };
allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write getattr };
allow iceccd_untrusted_t self:fifo_file { read write getattr };
# Untrusted domain: may add, change and remove files in the cache and run
# cache files without leaving its domain (execute_no_trans). No network
# rule for this domain appears in this module.
allow iceccd_untrusted_t iceccd_cache_t:dir { search getattr write add_name remove_name };
allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans write unlink create };
# Daemon networking: any interface and any node. The all_ports interfaces
# stay commented out, so port access is left to the allow rules on
# iceccd_port_t and icecc_scheduler_port_t above.
corenet_all_recvfrom_unlabeled(iceccd_t)
corenet_all_recvfrom_netlabel(iceccd_t)
corenet_tcp_sendrecv_all_if(iceccd_t)
corenet_udp_sendrecv_all_if(iceccd_t)
corenet_tcp_sendrecv_all_nodes(iceccd_t)
corenet_udp_sendrecv_all_nodes(iceccd_t)
# corenet_tcp_sendrecv_all_ports(iceccd_t)
# corenet_udp_sendrecv_all_ports(iceccd_t)
corenet_tcp_bind_all_nodes(iceccd_t)
# Daemon: manage its log and PID files; files it creates in the log and PID
# directories get the matching type.
manage_files_pattern(iceccd_t,iceccd_log_t,iceccd_log_t)
logging_log_filetrans(iceccd_t, iceccd_log_t, file)
manage_files_pattern(iceccd_t,iceccd_var_run_t,iceccd_var_run_t)
files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
# iceccd attempt to rmdir & mkdir /var/cache/icecream
# XXX: I should fix it instead.
# The denial is hidden from the audit log rather than allowed.
files_dontaudit_write_var_dirs(iceccd_t)
# Daemon and helper both have full management of the cache contents.
manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
manage_dirs_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
manage_files_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
# Daemon: dynamic linking and read-only access to system configuration and state.
libs_use_ld_so(iceccd_t)
libs_use_shared_libs(iceccd_t)
# for ldd
libs_exec_ld_so(iceccd_t)
files_read_etc_files(iceccd_t)
miscfiles_read_localization(iceccd_t)
kernel_read_system_state(iceccd_t)
sysnet_read_config(iceccd_t)
#files_read_usr_files(iceccd_t)
# Helper: dynamic linking, read access to /etc and /usr, and execution of
# system binaries, shells and library files.
files_read_etc_files(iceccd_helper_t)
libs_use_ld_so(iceccd_helper_t)
libs_use_shared_libs(iceccd_helper_t)
miscfiles_read_localization(iceccd_helper_t)
corecmd_exec_bin(iceccd_helper_t)
corecmd_exec_shell(iceccd_helper_t)
dev_read_urand(iceccd_helper_t)
kernel_read_system_state(iceccd_helper_t)
files_read_usr_files(iceccd_helper_t)
libs_exec_ld_so(iceccd_helper_t)
libs_exec_lib_files(iceccd_helper_t)
nscd_socket_use(iceccd_helper_t)
# XXX: iceccd wants this every second. why?
fs_getattr_all_fs(iceccd_t)
# Daemon: may run system binaries and a shell inside iceccd_t.
corecmd_exec_bin(iceccd_t)
corecmd_read_bin_symlinks(iceccd_t)
# XXX: could iceccd be modified to not need this?
corecmd_exec_shell(iceccd_t)
# for mktemp
#dev_read_urand(iceccd_t)
# Temporary files: daemon and helper manage iceccd_tmp_t, and what they
# create in the tmp directories receives that type (files for both,
# directories for the helper only).
files_getattr_tmp_dirs(iceccd_t)
files_search_tmp(iceccd_t)
manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
manage_dirs_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
manage_files_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, file)
files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, dir)
# Automatic domain transitions out of iceccd_t: executing the helper enters
# iceccd_helper_t, executing anything labelled iceccd_cache_t enters
# iceccd_untrusted_t. The second one depends on cache files keeping their label.
domain_auto_transition_pattern(iceccd_t, iceccd_helper_exec_t, iceccd_helper_t)
domain_auto_transition_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
# Hide (not allow) lookups of the sysadm home directory from the audit log.
userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_t)
#userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_helper_t)
userdom_dontaudit_search_sysadm_home_dirs(iceccd_helper_t)
#userdom_getattr_sysadm_home_dirs(iceccd_t)
# Inactive rules naming myapp_* types, which this module does not declare.
#allow myapp_t myapp_log_t:file ra_file_perms;
#allow myapp_t myapp_tmp_t:file manage_file_perms;
--- NEW FILE initscript-iceccd ---
#!/bin/sh
#
# iceccd: Distributed compiler daemon
#
# chkconfig: - 98 02
# description: This is a daemon for speeding up builds by \
# distributing compile jobs to several computers on a network.
#
### BEGIN INIT INFO
# Provides: iceccd
# Required-Start: $local_fs $remote_fs $network $named
# Required-Stop: $local_fs $remote_fs $network $named
# Short-Description: Start/stop Icecream distributed compiler
# Description: Start / stop the Icecream distributed compiler daemon
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
# Daemon binary and the service name handed to the init helper functions.
exec=/usr/sbin/iceccd
service=iceccd
config=/etc/sysconfig/icecream
# The configuration file is sourced as shell code by this script, so it runs
# with the privileges of whoever runs the initscript. It is read after exec
# and service are assigned (it can override them) and before lockfile is.
# It supplies the ICECREAM_* variables read by start().
# NOTE(review): the file must stay writable by root only.
[ -e $config ] && . $config
# Created by start() and removed by stop().
lockfile=/var/lock/subsys/iceccd
# Start iceccd with options built from the ICECREAM_* variables.
# Exits 5 when the daemon binary is not executable and 6 when the
# configuration file is missing; otherwise returns the status of daemon.
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting distributed compiler daemon: "
# Options are appended only for variables that are set. Values are inserted
# unquoted, so whitespace inside a value turns into extra arguments.
params=""
if [ -n "$ICECREAM_NETNAME" ] ; then
params="$params -n $ICECREAM_NETNAME"
fi
if [ -n "$ICECREAM_LOG_FILE" ] ; then
params="$params -l $ICECREAM_LOG_FILE"
fi
if [ -n "$ICECREAM_NICE_LEVEL" ] ; then
params="$params --nice $ICECREAM_NICE_LEVEL"
fi
if [ -n "$ICECREAM_SCHEDULER_HOST" ] ; then
params="$params -s $ICECREAM_SCHEDULER_HOST"
fi
# Only the exact value "no" adds --no-remote.
if [ "$ICECREAM_ALLOW_REMOTE" = "no" 2> /dev/null ] ; then
params="$params --no-remote"
fi
if [ -n "$ICECREAM_MAX_JOBS" ] ; then
# A value of 0 is passed on as -m 1 together with --no-remote. The
# redirection hides the error from [ when the value is not a number;
# such a value takes the else branch unchanged.
if [ "$ICECREAM_MAX_JOBS" -eq 0 2> /dev/null ] ; then
params="$params -m 1"
params="$params --no-remote"
else
params="$params -m $ICECREAM_MAX_JOBS"
fi
fi
# -b is always passed, even when ICECREAM_BASEDIR is empty.
# NOTE(review): the escaped quotes only group the value if daemon evaluates
# its arguments through a shell again; confirm in /etc/rc.d/init.d/functions.
params="$params -b \"$ICECREAM_BASEDIR\""
# -d and -u icecream are arguments of iceccd itself, not of the daemon
# helper, so the binary is launched by the calling user (root at boot).
# presumably -u names the account iceccd switches to; confirm against iceccd
daemon --check $service $exec -d -u icecream $params
RETVAL=$?
echo
# The lock file is created only after a successful start.
[ $RETVAL -eq 0 ] && touch $lockfile
return $RETVAL
}
# Stop iceccd through killproc and return killproc's status.
# The lock file is removed only when the daemon was stopped successfully.
stop() {
    echo -n $"Stopping distributed compiler daemon: "
    killproc $service
    RETVAL=$?
    echo
    [ $RETVAL -ne 0 ] || rm -f $lockfile
    return $RETVAL
}
# Stop the daemon, then start it again. start runs whatever stop returned,
# and its status is the status of restart.
restart() {
    stop
    start
    return $?
}
# Reload is implemented as a full restart.
reload() {
    restart
    return $?
}
# Forced reload is implemented as a full restart as well.
force_reload() {
    restart
    return $?
}
# Report the state of the service through the status helper and hand its
# exit status back to the caller.
rh_status() {
    status $service
    return $?
}
# Quiet variant of rh_status: same exit status, nothing printed.
rh_status_q() {
    rh_status 1>/dev/null 2>/dev/null
}
# Dispatch on the action given as the first argument.
case "$1" in
    start)
        # Already running counts as success.
        if ! rh_status_q; then
            start
        fi
        ;;
    stop)
        # Already stopped counts as success.
        if rh_status_q; then
            stop
        fi
        ;;
    status)
        rh_status
        ;;
    restart)
        restart
        ;;
    reload)
        # Exit with 7 when the service is not running.
        rh_status_q || exit 7
        reload
        ;;
    force-reload)
        force_reload
        ;;
    condrestart|try-restart)
        # Restart only a service that is currently running.
        if rh_status_q; then
            restart
        fi
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|try-restart|reload|force-reload}"
        exit 2
esac
# Hand the status of the chosen action back to the caller.
exit $?
--- NEW FILE initscript-scheduler ---
#!/bin/sh
#
# icecc-scheduler: Distributed compiler scheduler
#
# chkconfig: - 98 02
# description: This is a daemon which schedules compilation jobs to \
# networked machines running iceccd.
#
### BEGIN INIT INFO
# Provides: icecc-scheduler
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Short-Description: Start/stop Icecream scheduler
# Description: Start / stop the scheduler for Icecream distributed compilers
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
# Scheduler binary and the service name handed to the init helper functions.
exec=/usr/sbin/icecc-scheduler
service=icecc-scheduler
config=/etc/sysconfig/icecream
# The configuration file is sourced as shell code by this script, so it runs
# with the privileges of whoever runs the initscript. It is read after exec
# and service are assigned (it can override them) and before lockfile is.
# It supplies the ICECREAM_* variables read by start().
# NOTE(review): the file must stay writable by root only.
[ -e $config ] && . $config
# Created by start() and removed by stop().
lockfile=/var/lock/subsys/icecc-scheduler
# Start icecc-scheduler with options built from the ICECREAM_* variables.
# Exits 5 when the scheduler binary is not executable and 6 when the
# configuration file is missing; otherwise returns the status of daemon.
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting distributed compiler scheduler: "
# Values are inserted unquoted, so whitespace inside a value turns into
# extra arguments.
params=""
if [ -n "$ICECREAM_NETNAME" ] ; then
params="$params -n $ICECREAM_NETNAME"
fi
# The log file option is always passed; the path falls back to
# /var/log/icecc-scheduler when ICECREAM_SCHEDULER_LOG_FILE is unset or empty.
logfile=${ICECREAM_SCHEDULER_LOG_FILE:-/var/log/icecc-scheduler}
params="$params -l $logfile"
# The log file is no longer created here (the two lines below are disabled).
# NOTE(review): the scheduler is started as user icecream; confirm that
# account can create or open the log file.
# touch "$logfile"
# chown icecream:icecream $logfile
# --user icecream is an option of the daemon helper, which is asked to run
# the scheduler under that account.
daemon --user icecream --check $service $exec -d $params
RETVAL=$?
echo
# The lock file is created only after a successful start.
[ $RETVAL -eq 0 ] && touch $lockfile
return $RETVAL
}
# Stop icecc-scheduler through killproc and return killproc's status.
# The lock file is removed only when the scheduler was stopped successfully.
stop() {
    echo -n $"Stopping distributed compiler scheduler: "
    killproc $service
    RETVAL=$?
    echo
    [ $RETVAL -ne 0 ] || rm -f $lockfile
    return $RETVAL
}
# Stop the scheduler, then start it again. start runs whatever stop
# returned, and its status is the status of restart.
restart() {
    stop
    start
    return $?
}
# Reload is implemented as a full restart.
reload() {
    restart
    return $?
}
# Forced reload is implemented as a full restart as well.
force_reload() {
    restart
    return $?
}
# Report the state of the service through the status helper and hand its
# exit status back to the caller.
rh_status() {
    status $service
    return $?
}
# Quiet variant of rh_status: same exit status, nothing printed.
rh_status_q() {
    rh_status 1>/dev/null 2>/dev/null
}
# Dispatch on the action given as the first argument.
case "$1" in
    start)
        # Already running counts as success.
        if ! rh_status_q; then
            start
        fi
        ;;
    stop)
        # Already stopped counts as success.
        if rh_status_q; then
            stop
        fi
        ;;
    status)
        rh_status
        ;;
    restart)
        restart
        ;;
    reload)
        # Exit with 7 when the service is not running.
        rh_status_q || exit 7
        reload
        ;;
    force-reload)
        force_reload
        ;;
    condrestart|try-restart)
        # Restart only a service that is currently running.
        if rh_status_q; then
            restart
        fi
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|try-restart|reload|force-reload}"
        exit 2
esac
# Hand the status of the chosen action back to the caller.
exit $?
Index: icecream.spec
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/F-8/icecream.spec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- icecream.spec 9 Nov 2007 07:08:05 -0000 1.1
+++ icecream.spec 27 Nov 2007 23:51:41 -0000 1.2
@@ -1,6 +1,6 @@
Name: icecream
Version: 0.8.0
-Release: 2.20071101svn%{?dist}
+Release: 5.20071101svn%{?dist}
Summary: Distributed compiler
Group: Development/Tools
@@ -10,26 +10,39 @@
# svn export -r 731514 svn://anonsvn.kde.org/home/kde/trunk/icecream icecream-0.8.0
# tar -czvf icecream-0.8.0.tar.gz icecream-0.8.0
Source0: icecream-0.8.0.tar.gz
+Source1: icecream.sh.in
+Source2: icecream.csh.in
+Source3: icecream.fc
+Source4: icecream.te
+Source5: icecream.if
+Source6: initscript-iceccd
+Source7: initscript-scheduler
Patch0: icecream-rename-scheduler.patch
-Patch1: icecream-add-initscripts.patch
-Patch2: icecream-cleanup-conffile.patch
+Patch1: icecream-cleanup-conffile.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: automake autoconf libtool symlinks
# To build manpages from KDE-style Docbook sources:
BuildRequires: kdelibs kdelibs-devel
+# For SELinux protection:
+BuildRequires: checkpolicy selinux-policy-devel hardlink
+%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+%if "%{selinux_policyver}" != ""
+Requires: selinux-policy >= %{selinux_policyver}
+%endif
+%define selinux_variants mls strict targeted
%bcond_without fedora
BuildRequires: fedora-usermgmt-devel
%{?FE_USERADD_REQ}
-Requires(post): chkconfig
-Requires(preun): chkconfig
-Requires(preun): initscripts
-Requires(postun): initscripts
+Requires(post): chkconfig policycoreutils
+Requires(preun): chkconfig initscripts policycoreutils
+Requires(postun): initscripts policycoreutils
Provides: group(icecream) = 44
Provides: user(icecream) = 44
+
# description copied from Debian icecc package
%description
Icecream is a distributed compile system. It allows parallel compiling by
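Review bot: The `%define selinux_policyver` line has no comment, and the doubly escaped sed expression is hard to read on its own. From the lines shown it appears to cut the selinux-policy version out of the path stored in /usr/share/selinux/devel/policyhelp, with the `%if` guard covering an empty result. I would put a comment above it such as `# selinux-policy version the module is built against, read from policyhelp; empty when that file is missing at spec-parse time`. The hunk starts and ends in the middle of the preamble, so the surrounding tags are only partly visible.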
@@ -52,8 +65,13 @@
%setup -q
%patch0 -p0
%patch1 -p0
-%patch2 -p0
make -f Makefile.cvs
+sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
+sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
+mkdir SELinux
+cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} SELinux
+mkdir fedora
+cp -p %{SOURCE6} %{SOURCE7} fedora
%build
%configure --disable-static --enable-shared
@@ -66,6 +84,13 @@
mv manpage.troff $manfile
done
popd
+pushd SELinux
+for selinuxvariant in %{selinux_variants}; do
+ make NAME=${selinuxvariant} -f %{_datadir}/selinux/devel/Makefile
+ mv icecream.pp icecream.pp.${selinuxvariant}
+ make NAME=${selinuxvariant} -f %{_datadir}/selinux/devel/Makefile clean
+done
+popd
%install
rm -rf %{buildroot}
@@ -94,33 +119,63 @@
install -D -m 755 fedora/initscript-iceccd %{buildroot}/%{_sysconfdir}/rc.d/init.d/iceccd
install -D -m 755 fedora/initscript-scheduler \
%{buildroot}/%{_sysconfdir}/rc.d/init.d/icecc-scheduler
+install -d -m 755 %{buildroot}/%{_sysconfdir}/profile.d
+install -p -m 644 icecream.sh icecream.csh %{buildroot}/%{_sysconfdir}/profile.d
# create default working dir
mkdir -p %{buildroot}/%{_localstatedir}/cache/icecream
+for selinuxvariant in %{selinux_variants}; do
+ install -d %{buildroot}/%{_datadir}/selinux/${selinuxvariant}
+ install -p -m 644 -D SELinux/icecream.pp.${selinuxvariant} \
+ %{buildroot}/%{_datadir}/selinux/${selinuxvariant}/icecream.pp
+done
+# Hardlink identical policy module packages together
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
+
%pre
# https://fedoraproject.org/wiki/PackageUserRegistry
%__fe_groupadd 44 -r icecream &>/dev/null || :
%__fe_useradd 44 -r -s /sbin/nologin -d %{_localstatedir}/cache/icecream -M \
- -c 'Icecream distributed compiler' -g icecream icecream &>/dev/null || :
+ -c 'Icecream distributed compiler' -g icecream icecream &>/dev/null ||:
%post
/sbin/ldconfig
+# if [ "$1" -le 1 ]; then # First install
+for selinuxvariant in %{selinux_variants}; do
+ semodule -s ${selinuxvariant} -i \
+ %{_datadir}/selinux/${selinuxvariant}/icecream.pp 2>/dev/null ||:
+done
+fixfiles -R %{name} restore ||:
+restorecon -R %{_localstatedir}/cache/icecream ||:
+restorecon %{_localstatedir}/log/iceccd ||:
+semanage port -a -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
+semanage port -a -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+semanage port -a -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
+# fi
/sbin/chkconfig --add iceccd
/sbin/chkconfig --add icecc-scheduler
+exit 0
%preun
-if [ "$1" -eq 0 ] ; then
+if [ "$1" -eq 0 ]; then # Final removal
/sbin/service iceccd stop > /dev/null 2>&1
/sbin/service icecc-scheduler stop > /dev/null 2>&1
/sbin/chkconfig --del iceccd
/sbin/chkconfig --del icecc-scheduler
+# rm -rf %{_localstatedir}/cache/icecream
+ semanage port -d -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
+ semanage port -d -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+ semanage port -d -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
+ for selinuxvariant in %{selinux_variants}; do
+ semodule -s ${selinuxvariant} -r icecream 2>/dev/null ||:
+ done
fi
exit 0
%postun
/sbin/ldconfig
-if [ "$1" -ge 1 ]; then
+if [ "$1" -ge 1 ]; then # Upgrade
/sbin/service iceccd condrestart > /dev/null 2>&1
/sbin/service icecc-scheduler condrestart > /dev/null 2>&1
fi
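Review bot: In %post every SELinux step ends in `2>/dev/null ||:`, so a failed `semodule -i` or `semanage port -a` leaves no trace and the package still installs cleanly; iceccd would then presumably run without the confinement this commit adds. Discarding stderr makes sense for policy variants that are not installed on the host, but it also hides a failure for the variant that is loaded. Because the first-install guard is commented out, the three `semanage port -a` lines also repeat on every upgrade, which is probably why their errors had to be silenced. I would wrap only those three lines in `if [ "$1" -eq 1 ]; then ... fi` and drop `2>/dev/null` inside it, keeping `||:` so the transaction completes. The %preun order (ports deleted before `semodule -r`) looks right, and the %postun body may continue past the end of this hunk.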
@@ -143,9 +198,11 @@
%{_sbindir}/icecc-scheduler
%{_mandir}/man*/*
%config(noreplace) %{_sysconfdir}/sysconfig/icecream
+%config(noreplace) %{_sysconfdir}/profile.d/icecream.*sh
%{_sysconfdir}/rc.d/init.d/iceccd
%{_sysconfdir}/rc.d/init.d/icecc-scheduler
%{_localstatedir}/cache/icecream
+%{_datadir}/selinux/*/icecream.pp
%files devel
%{_includedir}/icecc/*.h
@@ -153,6 +210,19 @@
%{_libdir}/pkgconfig/icecc.pc
%changelog
+* Tue Nov 27 2007 Michal Schmidt <mschmidt at redhat.com> - 0.8.0-5.20071101svn
+- SELinux: Allow iceccd to contact the scheduler via UDP.
+- Don't add icecream to PATH in the profile scripts if ccache is installed
+ to avoid recursive invocations (bz #377761).
+
+* Tue Nov 20 2007 Michal Schmidt <mschmidt at redhat.com> - 0.8.0-4.20071101svn
+- Add a SELinux policy for iceccd
+- Initscripts as sources instead of patches in the .spec file
+- Don't touch /var/log/iceccd in the initscript. Let iceccd create it.
+
+* Mon Nov 12 2007 Michal Schmidt <mschmidt at redhat.com> - 0.8.0-3.20071101svn
+- Add icecc to $PATH using scripts in profile.d
+
* Tue Nov 6 2007 Michal Schmidt <mschmidt at redhat.com> - 0.8.0-2.20071101svn
- Use the _datadir macro instead of hardcoded /usr/share
--- icecream-add-initscripts.patch DELETED ---