Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1576739pxb;
        Mon, 8 Mar 2021 00:36:15 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwL9AmevdUNi+ZeBR4BQ1d+xe7QCrj/tc/FLDpg8yo8HAQw8uYcMpEDZfa8IA9mkfWqxlpE
X-Received: by 2002:aa7:cd8c:: with SMTP id x12mr21478876edv.355.1615192575348;
        Mon, 08 Mar 2021 00:36:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1615192575; cv=none;
        d=google.com; s=arc-20160816;
        b=Wl68/5kyBw63WNg9kb5sQ3Eu2C8SX78jnwcB3NikJbhEeXVJOZiVW4ZIzTK+QMP4qQ
         n0CmlZR9IhTEdkywhpBHVq/pnjHbOSlCbJEiQmH1sZDfQvc1JINCROAzGDY4qyS5c3Wb
         ioITWp5bEggJB+0L0UCqVjNc3CIzW6YoBzjxE+KL3gmSevq1IzJRO44U7cPpdBd6gtlU
         LVewM8iyjb0VguvlrKPDxLRlhQ+hIWwGjFZh3/Ne91N9CfsdMBltca3fMEmYewYawXSc
         B4afDfzQna0EvoZkMD8CVYlHeZzYFCinQO7FSy+WrywlMapoYQriQ6brxaTPFk7P9daY
         hA3w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=UN5xFQHky0D2M5xb+k6ZtepiMc70q9UgEwRfRt5yY98=;
        b=F46YhrSLjbf+YJS4u4g8mv3FgSLbA70PLxIf97IvVmv4VkSGJZSYdG2sdR6kS4z/oz
         RFjX/TSUfd2GKcO3/6M+HRX3u0IX+mzU7VfKlBxCK8f7UZuxYsnlTKSyuCeWE/j2B/No
         KdPvZZaKoLeB2/7xGmhhGVxt7iAOptkfjDgFoaOfEVHYnyFbJjE6IHuOWMC2jcMNER7y
         sN3/Pxdk2MTLhcPFN/36cuXZelT4ascxIpBnkcYg+knZFrk/3cvU8ZeVx2hJUiOZX+91
         oKpSz5Y/UUviXZ61RKtSR7dxuDuEQSpJw7zhdSaMgdOm1G4Aq7hpNaRGewo+Q5V1RMDX
         7egQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=2bEHJaQw;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j7si6418122ejx.732.2021.03.08.00.36.08;
        Mon, 08 Mar 2021 00:36:15 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=2bEHJaQw;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232230AbhCHChn (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 16 others); Sun, 7 Mar 2021 21:37:43 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:50702 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S232167AbhCHChE (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sun, 7 Mar 2021 21:37:04 -0500
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id 9339FF9B5
        for <selinux-refpolicy@vger.kernel.org>; Mon,  8 Mar 2021 13:37:00 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1615171020;
        bh=UN5xFQHky0D2M5xb+k6ZtepiMc70q9UgEwRfRt5yY98=; l=3714;
        h=Date:From:To:Subject:From;
        b=2bEHJaQwmqtTgh+0/Lo9hrClkkjMV0djC63GJg2Pzxvy8154GQ8Ym1rpIhkukJfAw
         R/xesj0HiQAyFzl6iHe0glkC2BkiSADNyf0FBchNNh2X4ir0LaXz/NRNqLE9PUemJy
         z8w6O1S73xcA80fIN1r/TlGr/sleIsdCo0MDUwkY=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 1105413A2C3C; Mon,  8 Mar 2021 13:36:56 +1100 (AEDT)
Date:   Mon, 8 Mar 2021 13:36:56 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] rasdaemon (replacement for mcelog)
Message-ID: <YEWNyIsSThUoVAsc@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This is policy for rasdaemon, the new replacement for mcelog.  The
/dev/mcelog device is now an obsolete kernel feature that can be enabled
for backward compatibility and rasdaeon with tracefs is the new way.

I've tested this and it seems to work OK, but all my servers are working
well so I haven't been able to test the case of actually detecting an
error.  It would be good if someone with a known damaged server could give
it a go.

I think this is ready for merging.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
@@ -5302,6 +5302,25 @@ interface(`fs_getattr_tracefs_files',`
 
 ########################################
 ## <summary>
+##	Read/write trace filesystem files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_write_tracefs_files',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+	allow $1 tracefs_t:dir list_dir_perms;
+	allow $1 tracefs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Mount a XENFS filesystem.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/rasdaemon.fc
@@ -0,0 +1,3 @@
+/usr/sbin/rasdaemon			--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+/var/lib/rasdaemon(/.*)?			gen_context(system_u:object_r:rasdaemon_var_t,s0)
+
Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.if
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/rasdaemon.if
@@ -0,0 +1 @@
+## <summary></summary>
Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.te
===================================================================
--- /dev/null
+++ refpolicy-2.20210203/policy/modules/services/rasdaemon.te
@@ -0,0 +1,49 @@
+policy_module(rasdaemon, 1.0.0)
+
+# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+# tool.  It currently records memory errors, using the EDAC tracing events.
+# EDAC are drivers in the Linux kernel that handle detection of ECC errors
+# from memory controllers for most chipsets on x86 and ARM architectures.
+#
+# https://git.infradead.org/users/mchehab/rasdaemon.git
+
+########################################
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_t;
+files_type(rasdaemon_var_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rasdaemon_t self:unix_dgram_socket create_socket_perms;
+
+# confidentiality for tracefs and integrity for debugfs
+allow rasdaemon_t self:lockdown { confidentiality integrity };
+
+allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
+allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
+
+kernel_read_debugfs(rasdaemon_t)
+kernel_read_system_state(rasdaemon_t)
+kernel_read_vm_overcommit_sysctl(rasdaemon_t)
+kernel_search_fs_sysctls(rasdaemon_t)
+
+dev_list_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+
+files_read_etc_symlinks(rasdaemon_t)
+files_search_var_lib(rasdaemon_t)
+fs_write_tracefs_files(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+miscfiles_read_localization(rasdaemon_t)
+