Date: Fri, 18 Feb 2022 02:13:55 +1100
From: Russell Coker
To: Daniel Burgener, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] rasdaemon V2

Thanks. I'll send another patch based on that in about 12 hours.

On 18 February 2022 1:54:19 am AEDT, Daniel Burgener wrote:
>On 2/17/2022 9:46 AM, Russell Coker wrote:
>> Same as before but with the needed summary and removed the obsolete lockdown
>> rule.
>>
>> Should be ready for merging now.
>> Signed-off-by: Russell Coker
>
>I thought this sounded familiar, so I searched my inbox, and it looks
>like you submitted this same patch a year ago, and there was feedback
>from Chris and Dominick that doesn't seem to be addressed yet. I'll
>try to capture it all inline below.
>
>>
>> Index: refpolicy-2.20220217/policy/modules/kernel/filesystem.if
>> ===================================================================
>> --- refpolicy-2.20220217.orig/policy/modules/kernel/filesystem.if
>> +++ refpolicy-2.20220217/policy/modules/kernel/filesystem.if
>> @@ -5485,6 +5485,43 @@ interface(`fs_getattr_tracefs_files',`
>>  
>>  ########################################
>>  ##
>> +##	Read/write trace filesystem files
>> +##
>> +##
>> +##
>> +##	Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`fs_write_tracefs_files',`
>> +	gen_require(`
>> +		type tracefs_t;
>> +	')
>> +
>> +	allow $1 tracefs_t:dir list_dir_perms;
>> +	allow $1 tracefs_t:file rw_file_perms;
>> +')
>> +
>> +########################################
>> +##
>> +##	create trace filesystem directories
>> +##
>> +##
>> +##
>> +##	Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`fs_create_tracefs_dirs',`
>> +	gen_require(`
>> +		type tracefs_t;
>> +	')
>> +
>> +	allow $1 tracefs_t:dir { create rw_dir_perms };
>> +')
>> +
>> +########################################
>> +##
>>  ##	Mount a XENFS filesystem.
>>  ##
>>  ##
>> Index: refpolicy-2.20220217/policy/modules/services/rasdaemon.fc
>> ===================================================================
>> --- /dev/null
>> +++ refpolicy-2.20220217/policy/modules/services/rasdaemon.fc
>> @@ -0,0 +1,3 @@
>> +/usr/sbin/rasdaemon		--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
>> +/var/lib/rasdaemon(/.*)?		gen_context(system_u:object_r:rasdaemon_var_t,s0)
>> +
>> Index: refpolicy-2.20220217/policy/modules/services/rasdaemon.if
>> ===================================================================
>> --- /dev/null
>> +++ refpolicy-2.20220217/policy/modules/services/rasdaemon.if
>> @@ -0,0 +1 @@
>> +## RAS (Reliability, Availability and Serviceability) logging tool
>> Index: refpolicy-2.20220217/policy/modules/services/rasdaemon.te
>> ===================================================================
>> --- /dev/null
>> +++ refpolicy-2.20220217/policy/modules/services/rasdaemon.te
>> @@ -0,0 +1,47 @@
>> +policy_module(rasdaemon, 1.0.0)
>> +
>> +# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
>> +# tool. It currently records memory errors, using the EDAC tracing events.
>> +# EDAC are drivers in the Linux kernel that handle detection of ECC errors
>> +# from memory controllers for most chipsets on x86 and ARM architectures.
>> +#
>> +# https://git.infradead.org/users/mchehab/rasdaemon.git
>
>This can get wrapped in xml and tags so it gets put in
>docs.
>
>> +
>> +########################################
>> +#
>> +# Declarations
>> +#
>> +
>> +type rasdaemon_t;
>> +type rasdaemon_exec_t;
>> +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
>> +
>> +type rasdaemon_var_t;
>> +files_type(rasdaemon_var_t)
>> +
>> +########################################
>> +#
>> +# Local policy
>> +#
>> +
>> +allow rasdaemon_t self:unix_dgram_socket create_socket_perms;
>
>This is redundant, implied by logging_send_syslog_message()
>
>> +
>> +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
>> +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
>> +
>> +kernel_read_debugfs(rasdaemon_t)
>> +kernel_read_system_state(rasdaemon_t)
>> +kernel_read_vm_overcommit_sysctl(rasdaemon_t)
>> +kernel_search_fs_sysctls(rasdaemon_t)
>> +
>> +dev_list_sysfs(rasdaemon_t)
>> +dev_read_urand(rasdaemon_t)
>> +
>> +files_read_etc_symlinks(rasdaemon_t)
>
>This is redundant (implied by miscfiles_read_localization)
>
>> +files_search_var_lib(rasdaemon_t)
>> +fs_write_tracefs_files(rasdaemon_t)
>> +fs_create_tracefs_dirs(rasdaemon_t)
>> +
>> +logging_send_syslog_msg(rasdaemon_t)
>> +miscfiles_read_localization(rasdaemon_t)
>> +
>

-- 
Sent from my Huawei Mate 9 with K-9 Mail.
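Review bot: in the filesystem.if hunk, `fs_create_tracefs_dirs` grants `{ create rw_dir_perms }`, which also lets the caller add and remove entries in every tracefs directory, so the interface name and its summary ("create trace filesystem directories") understate what it permits; either name the interface for the access it actually grants or narrow the set to what the caller needs (for a pure create, `create_dir_perms` is the usual refpolicy set). Because write access to tracefs reconfigures kernel tracing for the whole host, these two interfaces should stay the only path to that access and their summaries should say so. On a style point, the summary `create trace filesystem directories` should be capitalized like the neighbouring `Read/write trace filesystem files` and `Mount a XENFS filesystem.` summaries.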
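Review bot: the rasdaemon.fc hunk ends with an empty `+` line, so the new file carries a trailing blank line; drop it to match the other .fc files. The type it assigns to `/var/lib/rasdaemon(/.*)?` is `rasdaemon_var_t`, whereas refpolicy names per-module `/var/lib` data types `<module>_var_lib_t` (compare `rpm_var_lib_t` and `dpkg_var_lib_t`); renaming it `rasdaemon_var_lib_t` in both the .fc and the .te keeps the module consistent with the tree.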
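Review bot: the rasdaemon.if hunk contains only the module summary and declares no interfaces, so no other module can reference `rasdaemon_t` or `rasdaemon_var_t`; refpolicy daemon modules normally provide at least an admin interface (here `rasdaemon_admin`) so an administrative domain can manage the daemon's process and files without the policy being patched again.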
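Review bot: the rasdaemon.te hunk grants `manage_dir_perms` and `manage_file_perms` on `rasdaemon_var_t` and calls `files_search_var_lib(rasdaemon_t)`, but has no file transition, so if the daemon creates `/var/lib/rasdaemon` itself the directory is labelled with the default `var_lib_t` and the manage rules never apply; add `files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_t, dir)` or state that packaging creates and labels the directory. The `fs_write_tracefs_files` and `fs_create_tracefs_dirs` calls also deserve a comment explaining which trace events the daemon must enable, since that access lets the domain change kernel tracing configuration and a reviewer cannot otherwise judge whether the broader `rw_dir_perms` grant is needed.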