rpms/icecream/F-10 icecream-0.9.3-fix-gcc44-ftbfs.patch, NONE, 1.1 icecream-rename-scheduler.patch, 1.1, 1.2 icecream.fc, 1.1, 1.2 icecream.spec, 1.10, 1.11 icecream.te, 1.4, 1.5 sources, 1.3, 1.4 icecream-compile-fix.patch, 1.1, NONE

Mon Feb 16 21:16:57 UTC 2009

Author: michich

Update of /cvs/pkgs/rpms/icecream/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13705

Modified Files:
	icecream-rename-scheduler.patch icecream.fc icecream.spec 
	icecream.te sources 
Added Files:
	icecream-0.9.3-fix-gcc44-ftbfs.patch 
Removed Files:
	icecream-compile-fix.patch 
Log Message:
bring icecream 0.9.3 from Rawhide
the only difference is in a few SELinux policy rules


icecream-0.9.3-fix-gcc44-ftbfs.patch:

--- NEW FILE icecream-0.9.3-fix-gcc44-ftbfs.patch ---
With gcc 4.4 this fixes not just a warning, but an error. -- Michal


commit f1ed14e4062869f583472f74a1b51b9c5ad42cde
Author: coolo <coolo at 283d02a7-25f6-0310-bc7c-ecb5cbfe19da>
Date:   Mon Feb 16 11:09:03 2009 +0000

    fix compilation warnings
    
    
    git-svn-id: svn://anonsvn.kde.org/home/kde/trunk/icecream@926812 283d02a7-25f6-0310-bc7c-ecb5cbfe19da

diff --git a/daemon/load.cpp b/daemon/load.cpp
index 5cb1685..08e6f70 100644
--- a/daemon/load.cpp
+++ b/daemon/load.cpp
@@ -203,7 +203,7 @@ static void updateCPULoad( CPULoadInfo* load )
 #ifndef USE_SYSCTL
 static unsigned long int scan_one( const char* buff, const char *key )
 {
-  char *b = strstr( buff, key );
+  const char *b = strstr( buff, key );
   if ( !b )
       return 0;
   unsigned long int val = 0;
diff --git a/daemon/main.cpp b/daemon/main.cpp
index f7be369..ee9c0f3 100644
--- a/daemon/main.cpp
+++ b/daemon/main.cpp
@@ -619,7 +619,7 @@ bool Daemon::maybe_stats(bool send_ping)
 #ifdef HAVE_SYS_VFS_H
         struct statfs buf;
         int ret = statfs(envbasedir.c_str(), &buf);
-        if (!ret && buf.f_bavail < (max_kids + 1 - current_kids) * 4 * 1024 * 1024 / buf.f_bsize)
+        if (!ret && long(buf.f_bavail) < long(max_kids + 1 - current_kids) * 4 * 1024 * 1024 / buf.f_bsize)
             msg.load = 1000;
 #endif
 

icecream-rename-scheduler.patch:

Index: icecream-rename-scheduler.patch
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/F-10/icecream-rename-scheduler.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- icecream-rename-scheduler.patch	8 Nov 2007 21:37:00 -0000	1.1
+++ icecream-rename-scheduler.patch	16 Feb 2009 21:16:26 -0000	1.2
@@ -1,20 +1,6 @@
---- services/Makefile.am.orig	2007-05-08 21:09:41.000000000 +0200
-+++ services/Makefile.am	2007-07-15 19:18:41.000000000 +0200
-@@ -11,9 +11,9 @@ ice_HEADERS = job.h comm.h
- noinst_HEADERS = bench.h exitcode.h getifaddrs.h logging.h tempfile.h platform.h
- icedir = $(includedir)/icecc
- 
--sbin_PROGRAMS = scheduler
--scheduler_SOURCES = scheduler.cpp
--scheduler_LDADD = libicecc.la
-+sbin_PROGRAMS = icecc-scheduler
-+icecc_scheduler_SOURCES = scheduler.cpp
-+icecc_scheduler_LDADD = libicecc.la
- 
- pkgconfigdir = $(libdir)/pkgconfig
- pkgconfig_DATA = icecc.pc
---- doc/man-scheduler.1.docbook.orig	2005-04-25 15:21:14.000000000 +0200
-+++ doc/man-scheduler.1.docbook	2007-07-16 13:53:44.000000000 +0200
+diff -Nurp icecc-0.9.2.orig/doc/man-scheduler.1.docbook icecc-0.9.2/doc/man-scheduler.1.docbook
+--- icecc-0.9.2.orig/doc/man-scheduler.1.docbook	2009-02-07 19:07:02.000000000 +0100
++++ icecc-0.9.2/doc/man-scheduler.1.docbook	2009-02-07 19:07:30.000000000 +0100
 @@ -23,13 +23,13 @@
  </refmeta>
  
@@ -40,3 +26,79 @@
  </refsect1>
  
  <refsect1>
+diff -Nurp icecc-0.9.2.orig/services/Makefile.am icecc-0.9.2/services/Makefile.am
+--- icecc-0.9.2.orig/services/Makefile.am	2009-02-07 19:07:02.000000000 +0100
++++ icecc-0.9.2/services/Makefile.am	2009-02-07 19:07:30.000000000 +0100
+@@ -11,9 +11,9 @@ ice_HEADERS = job.h comm.h
+ noinst_HEADERS = bench.h exitcode.h getifaddrs.h logging.h tempfile.h platform.h
+ icedir = $(includedir)/icecc
+ 
+-sbin_PROGRAMS = scheduler
+-scheduler_SOURCES = scheduler.cpp
+-scheduler_LDADD = libicecc.la
++sbin_PROGRAMS = icecc-scheduler
++icecc_scheduler_SOURCES = scheduler.cpp
++icecc_scheduler_LDADD = libicecc.la
+ 
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = icecc.pc
+diff -Nurp icecc-0.9.2.orig/services/Makefile.in icecc-0.9.2/services/Makefile.in
+--- icecc-0.9.2.orig/services/Makefile.in	2008-11-02 14:14:47.000000000 +0100
++++ icecc-0.9.2/services/Makefile.in	2009-02-07 19:07:36.000000000 +0100
+@@ -35,7 +35,7 @@ PRE_UNINSTALL = :
+ POST_UNINSTALL = :
+ build_triplet = @build@
+ host_triplet = @host@
+-sbin_PROGRAMS = scheduler$(EXEEXT)
++sbin_PROGRAMS = icecc-scheduler$(EXEEXT)
+ subdir = services
+ DIST_COMMON = $(ice_HEADERS) $(noinst_HEADERS) $(srcdir)/Makefile.am \
+ 	$(srcdir)/Makefile.in $(srcdir)/icecc.pc.in
+@@ -66,9 +66,9 @@ libicecc_la_LINK = $(LIBTOOL) --tag=CXX 
+ 	$(CXXFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+ sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+ PROGRAMS = $(sbin_PROGRAMS)
+-am_scheduler_OBJECTS = scheduler.$(OBJEXT)
+-scheduler_OBJECTS = $(am_scheduler_OBJECTS)
+-scheduler_DEPENDENCIES = libicecc.la
++am_icecc_scheduler_OBJECTS = scheduler.$(OBJEXT)
++icecc_scheduler_OBJECTS = $(am_icecc_scheduler_OBJECTS)
++icecc_scheduler_DEPENDENCIES = libicecc.la
+ DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+ depcomp = $(SHELL) $(top_srcdir)/depcomp
+ am__depfiles_maybe = depfiles
+@@ -90,8 +90,8 @@ CXXLD = $(CXX)
+ CXXLINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ 	--mode=link $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) $(AM_LDFLAGS) \
+ 	$(LDFLAGS) -o $@
+-SOURCES = $(libicecc_la_SOURCES) $(scheduler_SOURCES)
+-DIST_SOURCES = $(libicecc_la_SOURCES) $(scheduler_SOURCES)
++SOURCES = $(libicecc_la_SOURCES) $(icecc_scheduler_SOURCES)
++DIST_SOURCES = $(libicecc_la_SOURCES) $(icecc_scheduler_SOURCES)
+ pkgconfigDATA_INSTALL = $(INSTALL_DATA)
+ DATA = $(pkgconfig_DATA)
+ iceHEADERS_INSTALL = $(INSTALL_HEADER)
+@@ -226,8 +226,8 @@ libicecc_la_CXXFLAGS = -fPIC -DPIC
+ ice_HEADERS = job.h comm.h
+ noinst_HEADERS = bench.h exitcode.h getifaddrs.h logging.h tempfile.h platform.h
+ icedir = $(includedir)/icecc
+-scheduler_SOURCES = scheduler.cpp
+-scheduler_LDADD = libicecc.la
++icecc_scheduler_SOURCES = scheduler.cpp
++icecc_scheduler_LDADD = libicecc.la
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = icecc.pc
+ all: all-am
+@@ -322,9 +322,9 @@ clean-sbinPROGRAMS:
+ 	  echo " rm -f $$p $$f"; \
+ 	  rm -f $$p $$f ; \
+ 	done
+-scheduler$(EXEEXT): $(scheduler_OBJECTS) $(scheduler_DEPENDENCIES) 
+-	@rm -f scheduler$(EXEEXT)
+-	$(CXXLINK) $(scheduler_OBJECTS) $(scheduler_LDADD) $(LIBS)
++icecc-scheduler$(EXEEXT): $(icecc_scheduler_OBJECTS) $(icecc_scheduler_DEPENDENCIES) 
++	@rm -f icecc-scheduler$(EXEEXT)
++	$(CXXLINK) $(icecc_scheduler_OBJECTS) $(icecc_scheduler_LDADD) $(LIBS)
+ 
+ mostlyclean-compile:
+ 	-rm -f *.$(OBJEXT)


Index: icecream.fc
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/F-10/icecream.fc,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- icecream.fc	21 Nov 2007 00:32:33 -0000	1.1
+++ icecream.fc	16 Feb 2009 21:16:26 -0000	1.2
@@ -1,10 +1,5 @@
-# myapp executable will have:
-# label: system_u:object_r:myapp_exec_t
-# MLS sensitivity: s0
-# MCS categories: <none>
-
 /usr/sbin/iceccd			--	gen_context(system_u:object_r:iceccd_exec_t,s0)
-/usr/lib(64)?/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_helper_exec_t,s0)
+/usr/lib(64)?/icecc/icecc-create-env	--	gen_context(system_u:object_r:iceccd_createenv_exec_t,s0)
 /var/cache/icecream(/.*)?			gen_context(system_u:object_r:iceccd_cache_t,s0)
 /var/log/iceccd				--	gen_context(system_u:object_r:iceccd_log_t,s0)
-#/var/log/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_log_t,s0)
+/usr/sbin/icecc-scheduler		--	gen_context(system_u:object_r:icecc_scheduler_exec_t,s0)


Index: icecream.spec
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/F-10/icecream.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- icecream.spec	2 Sep 2008 12:29:29 -0000	1.10
+++ icecream.spec	16 Feb 2009 21:16:26 -0000	1.11
@@ -1,5 +1,3 @@
-%bcond_without	doc
-
 %if 0%{?fedora}
 %bcond_without  fedora
 %bcond_without	selinux
@@ -12,17 +10,14 @@
 
 
 Name:		icecream
-Version:	0.8.0
-Release:	12.20080117svn%{?dist}
+Version:	0.9.3
+Release:	3%{?dist}
 Summary:	Distributed compiler
 
 Group:		Development/Tools
-License:	GPLv2
+License:	GPLv2+
 URL:		http://en.opensuse.org/Icecream
-# The source was pulled from SVN repository:
-# svn export -r 657903 svn://anonsvn.kde.org/home/kde/trunk/icecream icecream-0.8.0
-# tar -cjvf icecream-0.8.0.tar.bz2 icecream-0.8.0/
-Source0:	icecream-0.8.0.tar.bz2
+Source0:	ftp://ftp.suse.com/pub/projects/icecream/icecc-%{version}.tar.bz2
 Source1:	icecream.sh.in
 Source2:	icecream.csh.in
 Source3:	icecream.fc
@@ -30,20 +25,15 @@
 Source5:	icecream.if
 Source6:	initscript-iceccd
 Source7:	initscript-scheduler
-# This patch was generated with:
-# svn export -r 761849 svn://anonsvn.kde.org/home/kde/branches/work/icecream-make-it-cool icecream-mic
-# diff -Nurp icecream-0.8.0 icecream-mic > icecream-make-it-cool.patch
-# bzip2 icecream-make-it-cool.patch
-Patch0:		icecream-make-it-cool.patch.bz2
-Patch1:		icecream-rename-scheduler.patch
-Patch2:		icecream-cleanup-conffile.patch
-Patch3:		icecream-compile-fix.patch
+# manpages from http://ftp5.gwdg.de/pub/opensuse/repositories/home:/coolo/openSUSE_11.0/src/icecream-0.9.2-2.1.src.rpm
+Source8:	%{name}-manpages.tar.bz2
+Patch0:		%{name}-rename-scheduler.patch
+Patch1:		%{name}-cleanup-conffile.patch
+Patch2:		%{name}-0.9.3-fix-gcc44-ftbfs.patch
 
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-BuildRequires:	automake autoconf libtool symlinks
-# To build manpages from KDE-style Docbook sources:
-%{?with_doc:BuildRequires:	%{!?el5:kdelibs3 kdelibs3-devel} %{?el5:kdelibs kdelibs-devel}}
+BuildRequires:	symlinks
 
 %if %{with selinux}
 # For SELinux protection:
@@ -84,12 +74,10 @@
 This package contains development files for %{name}.
 
 %prep
-%setup -q
+%setup -q -a 8 -n icecc-%{version}
 %patch0 -p1
 %patch1 -p0
-%patch2 -p0
-%patch3 -p1
-make -f Makefile.cvs
+%patch2 -p1
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
 mkdir SELinux
@@ -99,18 +87,11 @@
 
 %build
 %configure --disable-static --enable-shared
-make %{?_smp_mflags}
+# Remove rpath from local libtool copy
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 
-%if %{with doc}
-pushd doc
-for i in man-*.docbook; do
-	meinproc --stylesheet %{_datadir}/apps/ksgmltools2/customization/kde-man.xsl $i
-	manfile=${i#man-}
-	manfile=${manfile%.docbook}
-	mv manpage.troff $manfile
-done
-popd
-%endif
+make %{?_smp_mflags}
 
 %if %{with selinux}
 pushd SELinux
@@ -137,14 +118,12 @@
 # relativize the symlinks
 symlinks -cs %{buildroot}/%{_libdir}/icecc/bin
 
-%if %{with doc}
 # install manpages
 mkdir -p %{buildroot}/%{_mandir}/man{1,7,8}
-mv doc/scheduler.1 doc/icecc-scheduler.1
-for i in doc/*.1 doc/*.7; do
+mv mans/scheduler.1 mans/icecc-scheduler.1
+for i in mans/*.1 mans/*.7; do
 	install -m 644 $i %{buildroot}/%{_mandir}/man${i##*.}
 done
-%endif
 
 # install config file and initscripts
 install -D -m 644 suse/sysconfig.icecream %{buildroot}/%{_sysconfdir}/sysconfig/icecream
@@ -186,6 +165,7 @@
 restorecon %{_localstatedir}/log/iceccd 2>/dev/null ||:
 semanage port -a -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
 semanage port -a -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+semanage port -a -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
 semanage port -a -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
 %endif
 # fi
@@ -204,6 +184,7 @@
 %if %{with selinux}
 	semanage port -d -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
 	semanage port -d -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
+	semanage port -d -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
 	semanage port -d -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
 	for selinuxvariant in %{selinux_variants}; do
 		semodule -s ${selinuxvariant} -r icecream 2>/dev/null ||:
@@ -226,7 +207,7 @@
 
 %files
 %defattr(-,root,root,-)
-%doc COPYING ChangeLog README BENCH NEWS TODO
+%doc COPYING README NEWS TODO
 %{_bindir}/icecc
 %dir %{_libdir}/icecc/
 %dir %{_libdir}/icecc/bin/
@@ -243,7 +224,7 @@
 %{_sysconfdir}/rc.d/init.d/iceccd
 %{_sysconfdir}/rc.d/init.d/icecc-scheduler
 %{_localstatedir}/cache/icecream
-%{?with_doc:%{_mandir}/man*/*}
+%{_mandir}/man*/*
 %{?with_selinux:%{_datadir}/selinux/*/icecream.pp}
 
 %files devel
@@ -254,6 +235,37 @@
 %{_libdir}/pkgconfig/icecc.pc
 
 %changelog
+* Mon Feb 16 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-3
+- Do not use --disable-rpath, icecream's configure script does not understand
+  it and warns about it. We still remove rpath using the sed tricks.
+- One more SELinux policy tweak.
+
+* Mon Feb 16 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-2
+- Updated and re-enabled the SELinux policy. The scheduler is now confined too.
+
+* Mon Feb 16 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-1
+- new upstream release
+- Dropped merged patches.
+- Added an upstream patch to fix compilation with gcc 4.4.
+
+* Sat Feb 07 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.2-4
+- one more fix for gcc 4.4.
+- updated the scheduler renaming patch.
+
+* Sat Feb 07 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.2-3
+- add an upstream patch to fix FTBFS with gcc 4.4
+
+* Wed Jan 28 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.2-2
+- Fix the create-env script not to crash on relative paths in ld.so.conf.
+- No need to build the native environment as root anymore.
+- Disable the SELinux policy for now, it needs more work.
+
+* Thu Nov 13 2008 Michal Schmidt <mschmidt at redhat.com> - 0.9.2-1
+- Update to upstream release 0.9.2.
+- The license is GPLv2+.
+- Add manpages from SUSE src package.
+- Add patch to run icecc --build-native as root.
+
 * Tue Sep  2 2008 Michael Schwendt <mschwendt at fedoraproject.org> - 0.8.0-12.20080117svn
 - Include unowned icecc directories.
 - Add defattr in devel pkg.


Index: icecream.te
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/F-10/icecream.te,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- icecream.te	13 Mar 2008 00:09:06 -0000	1.4
+++ icecream.te	16 Feb 2009 21:16:26 -0000	1.5
@@ -1,46 +1,47 @@
 
-policy_module(icecream,0.0.36)
+policy_module(icecream,0.0.42)
 
 ########################################
 #
 # Declarations
 #
 
+# the compiler node daemon
 type iceccd_t;
 type iceccd_exec_t;
 init_daemon_domain(iceccd_t, iceccd_exec_t)
 
-type iceccd_var_run_t;
-files_pid_file(iceccd_var_run_t)
-
 type iceccd_log_t;
 logging_log_file(iceccd_log_t)
 
-type iceccd_cache_t;
-files_type(iceccd_cache_t)
-
 type iceccd_tmp_t;
 files_tmp_file(iceccd_tmp_t)
 
-type iceccd_helper_t;
-type iceccd_helper_exec_t;
-domain_type(iceccd_helper_t)
-domain_entry_file(iceccd_helper_t, iceccd_helper_exec_t)
-role system_r types iceccd_helper_t;
+type iceccd_var_run_t;
+files_pid_file(iceccd_var_run_t)
+
+# the working area
+type iceccd_cache_t;
+files_type(iceccd_cache_t)
 
-# the cache contains foreign compilers and libraries
-# the whole point of icecream is to run them...
+# icecc-create-env script makes a tarball of the local compiler and its
+# dependencies for other nodes to use
+type iceccd_createenv_t;
+type iceccd_createenv_exec_t;
+domain_type(iceccd_createenv_t)
+domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+role system_r types iceccd_createenv_t;
+
+# foreign compilers
 type iceccd_untrusted_t;
 domain_type(iceccd_untrusted_t);
 domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
 role system_r types iceccd_untrusted_t;
 
-# XXX: something like this:
-# network_port(iceccd, tcp,10245,s0)
-#type iceccd_client_packet_t;
-#type iceccd_server_packet_t;
-# XXX: portcon only works in base policy module
-#portcon tcp 10245 gen_context(system_u:object_r:iceccd_port_t, s0)
+# the scheduler
+type icecc_scheduler_t;
+type icecc_scheduler_exec_t;
+init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
 
 type iceccd_port_t;
 type icecc_scheduler_port_t;
@@ -49,39 +50,31 @@
 
 ########################################
 #
-# Icecream local policy
+# Icecream policy
 #
 
 allow iceccd_t self:process { signal_perms setsched setrlimit };
 allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
 allow iceccd_t self:tcp_socket create_stream_socket_perms;
 allow iceccd_t self:udp_socket create_socket_perms;
-allow iceccd_t iceccd_port_t:tcp_socket name_bind;
-allow iceccd_t icecc_scheduler_port_t:tcp_socket { send_msg recv_msg name_connect };
-allow iceccd_t icecc_scheduler_port_t:udp_socket { send_msg recv_msg };
-allow iceccd_t self:fifo_file { read write ioctl getattr };
-# why exactly?:
-allow iceccd_t self:capability { chown dac_override fsetid kill };
-allow iceccd_t self:capability { setgid setuid };
-allow iceccd_t self:capability { sys_chroot };
-
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
 allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
 
-allow iceccd_helper_t iceccd_t:process { sigchld };
-allow iceccd_helper_t iceccd_log_t:file { append };
-allow iceccd_helper_t self:fifo_file { read write ioctl getattr };
-# needs investigating:
-allow iceccd_helper_t iceccd_tmp_t:file { execute };
-# rly needed?
-allow iceccd_helper_t iceccd_t:udp_socket { read write };
-
-allow iceccd_untrusted_t self:fifo_file { read write getattr };
-allow iceccd_untrusted_t self:process { signal };
-allow iceccd_untrusted_t iceccd_t:process { sigchld };
-allow iceccd_untrusted_t iceccd_t:fifo_file { write };
-allow iceccd_untrusted_t iceccd_t:unix_stream_socket { read write getattr };
-allow iceccd_untrusted_t iceccd_cache_t:dir { search getattr write add_name remove_name };
-allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans write unlink create };
+files_read_etc_files(iceccd_t)
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+miscfiles_read_localization(iceccd_t)
+
+fs_getattr_all_fs(iceccd_t)
+kernel_read_system_state(iceccd_t)
+sysnet_read_config(iceccd_t)
+
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
+
+files_getattr_tmp_dirs(iceccd_t)
+files_search_tmp(iceccd_t)
 
 corenet_all_recvfrom_unlabeled(iceccd_t)
 corenet_all_recvfrom_netlabel(iceccd_t)
@@ -89,79 +82,99 @@
 corenet_udp_sendrecv_all_if(iceccd_t)
 corenet_tcp_sendrecv_all_nodes(iceccd_t)
 corenet_udp_sendrecv_all_nodes(iceccd_t)
-# corenet_tcp_sendrecv_all_ports(iceccd_t)
-# corenet_udp_sendrecv_all_ports(iceccd_t)
+corenet_tcp_sendrecv_all_ports(iceccd_t)
+corenet_udp_sendrecv_all_ports(iceccd_t)
 corenet_tcp_bind_all_nodes(iceccd_t)
+allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
+allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
 
-manage_files_pattern(iceccd_t,iceccd_log_t,iceccd_log_t)
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
 logging_log_filetrans(iceccd_t, iceccd_log_t, file)
 
-manage_files_pattern(iceccd_t,iceccd_var_run_t,iceccd_var_run_t)
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
 files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
 
 manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
 manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
 
-manage_dirs_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_helper_t, iceccd_cache_t, iceccd_cache_t)
-
-libs_use_ld_so(iceccd_t)
-libs_use_shared_libs(iceccd_t)
-
-# for ldd
-libs_exec_ld_so(iceccd_t)
-
-files_read_etc_files(iceccd_t)
-miscfiles_read_localization(iceccd_t)
-kernel_read_system_state(iceccd_t)
-sysnet_read_config(iceccd_t)
-#files_read_usr_files(iceccd_t)
-
-files_read_etc_files(iceccd_helper_t)
-libs_use_ld_so(iceccd_helper_t)
-libs_use_shared_libs(iceccd_helper_t)
-miscfiles_read_localization(iceccd_helper_t)
-corecmd_exec_bin(iceccd_helper_t)
-corecmd_exec_shell(iceccd_helper_t)
-dev_read_urand(iceccd_helper_t)
-kernel_read_system_state(iceccd_helper_t)
-files_read_usr_files(iceccd_helper_t)
-libs_exec_ld_so(iceccd_helper_t)
-libs_exec_lib_files(iceccd_helper_t)
-nscd_socket_use(iceccd_helper_t)
-
-# XXX: iceccd wants this every second. why?
-fs_getattr_all_fs(iceccd_t)
-
-corecmd_exec_bin(iceccd_t)
-corecmd_read_bin_symlinks(iceccd_t)
-
-# XXX: could iceccd be modified to not need this?
-corecmd_exec_shell(iceccd_t)
-
-# for mktemp
-#dev_read_urand(iceccd_t)
-files_getattr_tmp_dirs(iceccd_t)
-files_search_tmp(iceccd_t)
-
 manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
 manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
 files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
 
-manage_dirs_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_helper_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, file)
-files_tmp_filetrans(iceccd_helper_t, iceccd_tmp_t, dir)
 
-# to re-create /var/cache/icecream
+allow iceccd_createenv_t iceccd_log_t:file { append };
+allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
+# icecc-create-env looks for executable files to strip them. It does not
+# really execute them, but the -x check would trigger a denial. Do not allow
+# this, typically the binaries are already stripped anyway. Just silence it.
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+
+files_read_etc_files(iceccd_createenv_t)
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+miscfiles_read_localization(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+
+files_read_usr_files(iceccd_createenv_t)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+libs_domtrans_ldconfig(iceccd_createenv_t)
+corecmd_exec_bin(iceccd_createenv_t)
+corecmd_exec_shell(iceccd_createenv_t)
+dev_read_urand(iceccd_createenv_t)
+kernel_read_system_state(iceccd_createenv_t)
+# silence file(1) looking for /root/.magic
+userdom_dontaudit_list_admin_dir(iceccd_createenv_t)
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+
+optional_policy(`
+	nscd_socket_use(iceccd_createenv_t)
+')
+
+# Some rules that can probably go away when iceccd is fixed properly:
+#
+# XXX: icecc-create-env does not really need to talk to the open UDP socket
+# leaked from its parent.
+dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write };
+# XXX: iceccd could be modified to avoid the shell completely
+corecmd_exec_shell(iceccd_t)
+# XXX: fix iceccd to only nuke the contents of /var/cache/icecream,
+# not the directory itself.
 files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
 
-# aka domain_auto_trans
-domain_auto_transition_pattern(iceccd_t, iceccd_helper_exec_t, iceccd_helper_t)
-domain_auto_transition_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
-
-userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_t)
-#userdom_dontaudit_getattr_sysadm_home_dirs(iceccd_helper_t)
-userdom_dontaudit_search_sysadm_home_dirs(iceccd_helper_t)
-#userdom_getattr_sysadm_home_dirs(iceccd_t)
 
+allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
+allow icecc_scheduler_t self:udp_socket create_socket_perms;
+
+files_read_etc_files(icecc_scheduler_t)
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+miscfiles_read_localization(icecc_scheduler_t)
+
+corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
+corenet_all_recvfrom_netlabel(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_if(icecc_scheduler_t)
+corenet_udp_sendrecv_all_if(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_nodes(icecc_scheduler_t)
+corenet_udp_sendrecv_all_nodes(icecc_scheduler_t)
+corenet_tcp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_udp_sendrecv_all_ports(icecc_scheduler_t)
+corenet_tcp_bind_all_nodes(icecc_scheduler_t)
+corenet_udp_bind_all_nodes(icecc_scheduler_t)
+allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
+allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };


Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/F-10/sources,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- sources	17 Jan 2008 12:45:44 -0000	1.3
+++ sources	16 Feb 2009 21:16:26 -0000	1.4
@@ -1,2 +1,2 @@
-5dd4718f52626924a665c1f56b90d403  icecream-0.8.0.tar.bz2
-209f885bd595fc9a203ce4115872250e  icecream-make-it-cool.patch.bz2
+34bb950331ef5256299a2de4cf402ea6  icecc-0.9.3.tar.bz2
+a3829775870d5b2b60b750a88ee835b7  icecream-manpages.tar.bz2


--- icecream-compile-fix.patch DELETED ---


