Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1586483pxb; Mon, 8 Mar 2021 00:58:55 -0800 (PST) X-Google-Smtp-Source: ABdhPJyklO7rJEG9nicChmEh/nmaEoKgerUXPhfnrtjKVRTiEf9PqttsXwVCK1ptmycwOBKpllLm X-Received: by 2002:a17:907:2bf6:: with SMTP id gv54mr14318407ejc.514.1615193935389; Mon, 08 Mar 2021 00:58:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615193935; cv=none; d=google.com; s=arc-20160816; b=ya7urFlGpJbWq2A4oquKDT5fEFdBrouefV3UmYJ7hWwcgl2fIqWFfFRGg2kYisdP/A CLeEucP/i3ONKc9Qy2RtLRsnSCIw8YQvm5uiBn+uJ7ibgauwm56p0Tp98vxqtR4zOXiN PIv9WwICWzDifrwwmVsRydT0tmO8usvOJ/s2ouA7KT0iJUI4CKUN6Tx/lhkL+GvLTNEV 7R+t9LUpmRFdrMXvSB/VWjqw/1eA0dW6hK7AA2wo98D9zQi8ckKRq3gL42rZsiOQEUNr Bk76cui3jT7cTAciMlE8XFWXm4YVUsathrUWWNULLM+8WgEj7JtlILK3Pxvt88t9NBEA V1KA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dkim-signature:dkim-filter; bh=aUbc0HA9isJ3DLVV37Iz4w9NTx9GkWM9kMyXaVxJoD4=; b=wJ4t3vIgtCbY7qPjBEBqItBTJIs6SqYU/MHNjw+W4/vEhNyh/RWIc+i2yCYkzhHBB/ ZRZ+FaGVqwBdywSXrilFevepfL8rrv4nupbnCyuUIAPSXMztNcR7X+dnqoG1K5AX6l1W z5VvA7aoVT1F8yzrN6UGvo0OG2eFk+fTYdUdqzeEehC4K1Tgg0Dw9iR6GFfHz+4p369X 0QapN2i6jzbyq0IiLaLfzZ228HcUJTX1PY/kE+fcPqdeX2NQgcueRTq4rjyahfJc9+ZS +uPeB+o39TLOGH45ciEzZV/U5wU5JTXkYrONwRRj6N8lLKp+G/0SuW1baK4VZzOi8YPQ JRmQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=T2zn9A4E; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a3si5252118ejd.122.2021.03.08.00.58.50; Mon, 08 Mar 2021 00:58:55 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=T2zn9A4E; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229523AbhCHI4J (ORCPT + 16 others); Mon, 8 Mar 2021 03:56:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40960 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229971AbhCHIz5 (ORCPT ); Mon, 8 Mar 2021 03:55:57 -0500 Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 14826C06174A for ; Mon, 8 Mar 2021 00:55:55 -0800 (PST) Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id E17F72A0D7E; Mon, 8 Mar 2021 09:55:51 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl E17F72A0D7E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1615193753; bh=aUbc0HA9isJ3DLVV37Iz4w9NTx9GkWM9kMyXaVxJoD4=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=T2zn9A4EQOhE4Derfel1GhfVeXXMHeM0RhTd2VanuS7iqxzn7pUUoQEEcl82Lc2ed w8Dut1aBmwgmstb9WW38ze4nmLRVC5tcnXK0CNsGeTQ1Hcz25tiXraIgTViF28Kl2W Do8fgqQRJApBK1YaotCdioMHPuKRzuh3YiRlozxg= From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] rasdaemon (replacement for mcelog) References: Date: Mon, 08 Mar 2021 09:55:49 +0100 In-Reply-To: (Russell Coker's message of "Mon, 8 Mar 2021 13:36:56 +1100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Russell Coker writes: > This is policy for rasdaemon, the new replacement for mcelog. The > /dev/mcelog device is now an obsolete kernel feature that can be enabled > for backward compatibility and rasdaeon with tracefs is the new way. > > I've tested this and it seems to work OK, but all my servers are working > well so I haven't been able to test the case of actually detecting an > error. It would be good if someone with a known damaged server could give > it a go. > > I think this is ready for merging. > > Signed-off-by: Russell Coker > > Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if > =================================================================== > --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if > +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if > @@ -5302,6 +5302,25 @@ interface(`fs_getattr_tracefs_files',` > > ######################################## > ## > +## Read/write trace filesystem files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fs_write_tracefs_files',` > + gen_require(` > + type tracefs_t; > + ') > + > + allow $1 tracefs_t:dir list_dir_perms; > + allow $1 tracefs_t:file rw_file_perms; > +') > + > +######################################## > +## > ## Mount a XENFS filesystem. > ## > ## > Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.fc > =================================================================== > --- /dev/null > +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.fc > @@ -0,0 +1,3 @@ > +/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) > +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0) > + > Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.if > =================================================================== > --- /dev/null > +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.if > @@ -0,0 +1 @@ > +## > Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.te > =================================================================== > --- /dev/null > +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.te > @@ -0,0 +1,49 @@ > +policy_module(rasdaemon, 1.0.0) > + > +# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging > +# tool. It currently records memory errors, using the EDAC tracing events. > +# EDAC are drivers in the Linux kernel that handle detection of ECC errors > +# from memory controllers for most chipsets on x86 and ARM architectures. > +# > +# https://git.infradead.org/users/mchehab/rasdaemon.git Please use the for description. We have an api browser (make doc) and the description should end up there as well. Reliability, Availability and Serviceability (RAS) logging tool. I would omit the url because those are often subject to change anyway. > + > +######################################## > +# > +# Declarations > +# > + > +type rasdaemon_t; > +type rasdaemon_exec_t; > +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) > + > +type rasdaemon_var_t; > +files_type(rasdaemon_var_t) Someone should at some point maybe consider creating a files_state_file() for /var/lib so that we can differentiate there > + > +######################################## > +# > +# Local policy > +# > + > +allow rasdaemon_t self:unix_dgram_socket create_socket_perms; redundant: implied with logging_send_syslog_msg() > + > +# confidentiality for tracefs and integrity for debugfs > +allow rasdaemon_t self:lockdown { confidentiality integrity }; > + > +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms; > +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms; > + > +kernel_read_debugfs(rasdaemon_t) > +kernel_read_system_state(rasdaemon_t) > +kernel_read_vm_overcommit_sysctl(rasdaemon_t) > +kernel_search_fs_sysctls(rasdaemon_t) > + > +dev_list_sysfs(rasdaemon_t) > +dev_read_urand(rasdaemon_t) > + > +files_read_etc_symlinks(rasdaemon_t) > +files_search_var_lib(rasdaemon_t) > +fs_write_tracefs_files(rasdaemon_t) > + > +logging_send_syslog_msg(rasdaemon_t) > +miscfiles_read_localization(rasdaemon_t) > + > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift