Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1576739pxb; Mon, 8 Mar 2021 00:36:15 -0800 (PST) X-Google-Smtp-Source: ABdhPJwL9AmevdUNi+ZeBR4BQ1d+xe7QCrj/tc/FLDpg8yo8HAQw8uYcMpEDZfa8IA9mkfWqxlpE X-Received: by 2002:aa7:cd8c:: with SMTP id x12mr21478876edv.355.1615192575348; Mon, 08 Mar 2021 00:36:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615192575; cv=none; d=google.com; s=arc-20160816; b=Wl68/5kyBw63WNg9kb5sQ3Eu2C8SX78jnwcB3NikJbhEeXVJOZiVW4ZIzTK+QMP4qQ n0CmlZR9IhTEdkywhpBHVq/pnjHbOSlCbJEiQmH1sZDfQvc1JINCROAzGDY4qyS5c3Wb ioITWp5bEggJB+0L0UCqVjNc3CIzW6YoBzjxE+KL3gmSevq1IzJRO44U7cPpdBd6gtlU LVewM8iyjb0VguvlrKPDxLRlhQ+hIWwGjFZh3/Ne91N9CfsdMBltca3fMEmYewYawXSc B4afDfzQna0EvoZkMD8CVYlHeZzYFCinQO7FSy+WrywlMapoYQriQ6brxaTPFk7P9daY hA3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=UN5xFQHky0D2M5xb+k6ZtepiMc70q9UgEwRfRt5yY98=; b=F46YhrSLjbf+YJS4u4g8mv3FgSLbA70PLxIf97IvVmv4VkSGJZSYdG2sdR6kS4z/oz RFjX/TSUfd2GKcO3/6M+HRX3u0IX+mzU7VfKlBxCK8f7UZuxYsnlTKSyuCeWE/j2B/No KdPvZZaKoLeB2/7xGmhhGVxt7iAOptkfjDgFoaOfEVHYnyFbJjE6IHuOWMC2jcMNER7y sN3/Pxdk2MTLhcPFN/36cuXZelT4ascxIpBnkcYg+knZFrk/3cvU8ZeVx2hJUiOZX+91 oKpSz5Y/UUviXZ61RKtSR7dxuDuEQSpJw7zhdSaMgdOm1G4Aq7hpNaRGewo+Q5V1RMDX 7egQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=2bEHJaQw; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j7si6418122ejx.732.2021.03.08.00.36.08; Mon, 08 Mar 2021 00:36:15 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=2bEHJaQw; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232230AbhCHChn (ORCPT + 16 others); Sun, 7 Mar 2021 21:37:43 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:50702 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232167AbhCHChE (ORCPT ); Sun, 7 Mar 2021 21:37:04 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 9339FF9B5 for ; Mon, 8 Mar 2021 13:37:00 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1615171020; bh=UN5xFQHky0D2M5xb+k6ZtepiMc70q9UgEwRfRt5yY98=; l=3714; h=Date:From:To:Subject:From; b=2bEHJaQwmqtTgh+0/Lo9hrClkkjMV0djC63GJg2Pzxvy8154GQ8Ym1rpIhkukJfAw R/xesj0HiQAyFzl6iHe0glkC2BkiSADNyf0FBchNNh2X4ir0LaXz/NRNqLE9PUemJy z8w6O1S73xcA80fIN1r/TlGr/sleIsdCo0MDUwkY= Received: by xev.coker.com.au (Postfix, from userid 1001) id 1105413A2C3C; Mon, 8 Mar 2021 13:36:56 +1100 (AEDT) Date: Mon, 8 Mar 2021 13:36:56 +1100 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] rasdaemon (replacement for mcelog) Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This is policy for rasdaemon, the new replacement for mcelog. The /dev/mcelog device is now an obsolete kernel feature that can be enabled for backward compatibility and rasdaeon with tracefs is the new way. I've tested this and it seems to work OK, but all my servers are working well so I haven't been able to test the case of actually detecting an error. It would be good if someone with a known damaged server could give it a go. I think this is ready for merging. Signed-off-by: Russell Coker Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if =================================================================== --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if @@ -5302,6 +5302,25 @@ interface(`fs_getattr_tracefs_files',` ######################################## ## +## Read/write trace filesystem files +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_write_tracefs_files',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir list_dir_perms; + allow $1 tracefs_t:file rw_file_perms; +') + +######################################## +## ## Mount a XENFS filesystem. ## ## Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.fc =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.fc @@ -0,0 +1,3 @@ +/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0) + Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.if =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.if @@ -0,0 +1 @@ +## Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.te =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.te @@ -0,0 +1,49 @@ +policy_module(rasdaemon, 1.0.0) + +# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging +# tool. It currently records memory errors, using the EDAC tracing events. +# EDAC are drivers in the Linux kernel that handle detection of ECC errors +# from memory controllers for most chipsets on x86 and ARM architectures. +# +# https://git.infradead.org/users/mchehab/rasdaemon.git + +######################################## +# +# Declarations +# + +type rasdaemon_t; +type rasdaemon_exec_t; +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) + +type rasdaemon_var_t; +files_type(rasdaemon_var_t) + +######################################## +# +# Local policy +# + +allow rasdaemon_t self:unix_dgram_socket create_socket_perms; + +# confidentiality for tracefs and integrity for debugfs +allow rasdaemon_t self:lockdown { confidentiality integrity }; + +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms; +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms; + +kernel_read_debugfs(rasdaemon_t) +kernel_read_system_state(rasdaemon_t) +kernel_read_vm_overcommit_sysctl(rasdaemon_t) +kernel_search_fs_sysctls(rasdaemon_t) + +dev_list_sysfs(rasdaemon_t) +dev_read_urand(rasdaemon_t) + +files_read_etc_symlinks(rasdaemon_t) +files_search_var_lib(rasdaemon_t) +fs_write_tracefs_files(rasdaemon_t) + +logging_send_syslog_msg(rasdaemon_t) +miscfiles_read_localization(rasdaemon_t) +