From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] rasdaemon (replacement for mcelog)
References:
Date: Mon, 08 Mar 2021 09:59:35 +0100
In-Reply-To: (Dominick Grift's message of "Mon, 08 Mar 2021 09:55:49 +0100")
Message-ID:
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk
List-ID:
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Dominick Grift writes:

> Russell Coker writes:
>
>> This is policy for rasdaemon, the new replacement for mcelog. The
>> /dev/mcelog device is now an obsolete kernel feature that can be enabled
>> for backward compatibility and rasdaemon with tracefs is the new way.
>>
>> I've tested this and it seems to work OK, but all my servers are working
>> well so I haven't been able to test the case of actually detecting an
>> error. It would be good if someone with a known damaged server could give
>> it a go.
>>
>> I think this is ready for merging.
>>
>> Signed-off-by: Russell Coker
>>
>> Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if >> =================================================================== >> --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if >> +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if >> @@ -5302,6 +5302,25 @@ interface(`fs_getattr_tracefs_files',` >> >> ######################################## >> ## >> +## Read/write trace filesystem files >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`fs_write_tracefs_files',` >> + gen_require(` >> + type tracefs_t; >> + ') >> + >> + allow $1 tracefs_t:dir list_dir_perms; >> + allow $1 tracefs_t:file rw_file_perms; >> +') >> + >> +######################################## >> +## >> ## Mount a XENFS filesystem. >> ## >> ## >> Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.fc >> ===================================================================
>> --- /dev/null >> +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.fc >> @@ -0,0 +1,3 @@ >> +/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) >> +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0) >> + >> Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.if >> =================================================================== >> --- /dev/null >> +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.if >> @@ -0,0 +1 @@ >> +## >> Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.te >> =================================================================== >> --- /dev/null >> +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.te 
>> @@ -0,0 +1,49 @@ >> +policy_module(rasdaemon, 1.0.0) >> + >> +# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging >> +# tool. It currently records memory errors, using the EDAC tracing events. >> +# EDAC are drivers in the Linux kernel that handle detection of ECC errors >> +# from memory controllers for most chipsets on x86 and ARM architectures. >> +# >> +# https://git.infradead.org/users/mchehab/rasdaemon.git > > Please use the for description. We have an api > browser (make doc) and the description should end up there as well. > > Reliability, Availability and Serviceability (RAS) logging tool. > > I would omit the url because those are often subject to change anyway. > >> + >> +######################################## >> +# >> +# Declarations >> +# >> + >> +type rasdaemon_t; >> +type rasdaemon_exec_t; >> +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) >> + >> +type rasdaemon_var_t; >> +files_type(rasdaemon_var_t) > > Someone should at some point maybe consider creating a files_state_file() > for /var/lib so that we can differentiate there > >> + >> +######################################## >> +# >> +# Local policy >> +# >> + >> +allow rasdaemon_t self:unix_dgram_socket create_socket_perms; > > redundant: implied with logging_send_syslog_msg() > >> + >> +# confidentiality for tracefs and integrity for debugfs >> +allow rasdaemon_t self:lockdown { confidentiality integrity }; >> + >> +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms; >> +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms; >> + >> +kernel_read_debugfs(rasdaemon_t) >> +kernel_read_system_state(rasdaemon_t) >> +kernel_read_vm_overcommit_sysctl(rasdaemon_t) >> +kernel_search_fs_sysctls(rasdaemon_t) >> + >> +dev_list_sysfs(rasdaemon_t) >> +dev_read_urand(rasdaemon_t) >> + >> +files_read_etc_symlinks(rasdaemon_t) Redundant: implied with miscfiles_read_localization() >> +files_search_var_lib(rasdaemon_t) >> +fs_write_tracefs_files(rasdaemon_t) >> + >> 
+logging_send_syslog_msg(rasdaemon_t) >> +miscfiles_read_localization(rasdaemon_t) >> + >> -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
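Review bot: in the filesystem.if hunk the new interface is named fs_write_tracefs_files() but its body grants `allow $1 tracefs_t:file rw_file_perms;`, and its summary reads "Read/write trace filesystem files", so the name understates what callers receive. Either rename it fs_rw_tracefs_files to match the fs_rw_*_files naming refpolicy uses for read/write access, or narrow the body to write_file_perms if rasdaemon only writes. The description should also state plainly that this covers every file under tracefs, since the interface offers no way to limit which tracing control files the caller can change.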
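Review bot: in the rasdaemon.fc hunk, `/var/lib/rasdaemon(/.*)?` is labelled rasdaemon_var_t, whereas refpolicy names types for /var/lib content <module>_var_lib_t; renaming to rasdaemon_var_lib_t keeps the label self-describing for anyone auditing file contexts, and fits the files_state_file() direction raised in the earlier reply. The hunk also adds an empty third line at end of file (`@@ -0,0 +1,3 @@` for two entries), which should be dropped.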
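Review bot: the rasdaemon.if hunk adds only a summary comment and no interfaces, so no other domain can be granted access to the rasdaemon_var_t records under /var/lib/rasdaemon or a transition to rasdaemon_t without editing the module. At minimum an admin interface for the rasdaemon_var_t files would let administrative domains manage the stored error records in the usual refpolicy way.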
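Review bot: in the rasdaemon.te hunk, `allow rasdaemon_t self:lockdown { confidentiality integrity };` is the most privileged line in the module and its comment ("confidentiality for tracefs and integrity for debugfs") undersells it: SELinux maps every lockdown reason up to LOCKDOWN_INTEGRITY_MAX (unsigned module loading, kexec, raw device memory, and so on) onto the single integrity permission, so on a locked-down kernel this exempts rasdaemon_t from far more than debugfs reads. Since the module only calls kernel_read_debugfs() and rasdaemon is described as using tracefs, check whether the debugfs access, and therefore the integrity permission, is needed at all; if it is, expand the comment to say the permission covers the whole integrity class. The two lines already flagged as redundant (self:unix_dgram_socket and files_read_etc_symlinks) should be removed in the next revision rather than left in place.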