2012-08-05 20:49:03

by Guido Trentalancia

Subject: [refpolicy] [PATCH]: mcelog module initial rewrite

Obsoletes (or is an alternative to) the previous two mcelog patches.

Initial rewrite of mcelog module:
- version increment
- fix and extend file contexts (private)
- support daemon mode and init scripting (+ cron mode untested)
- support triggers for all distributions, while leaving
compatibility with their alternate location in Fedora (and
current policy)
- initial support for client mode (untested)

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/mcelog.fc | 15 +++++
policy/modules/contrib/mcelog.if | 100 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/mcelog.te | 55 +++++++++++++++++-
policy/modules/kernel/corecommands.fc | 6 --
4 files changed, 167 insertions(+), 9 deletions(-)

diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
--- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-05 23:36:37.355678527 +0200
@@ -1 +1,16 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
+')
+
+/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
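Review bot: The periods in `/etc/mcelog/.*.local` and `/var/run/mcelog.pid` are unescaped regex metacharacters, so the first pattern labels any file under /etc/mcelog whose name ends in `local` with at least one character before it (a constructed `/etc/mcelog/xlocal` would match) as mcelog_exec_t, widening what the policy treats as an executable trigger. Escape them as `/etc/mcelog/.*\.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)` and `/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)`. The trigger lines are the ones that matter most here, since they decide which files in a configuration directory get an executable type.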
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
--- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-05 22:58:59.578345741 +0200
@@ -18,3 +18,103 @@ interface(`mcelog_domtrans',`
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')

+########################################
+## <summary>
+## Read mcelog_etc_t files (usually
+## in /etc/mcelog).
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read generic
+## files in /etc/mcelog. These files are
+## mcelog configuration files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+interface(`mcelog_read_etc_files',`
+ gen_require(`
+ type mcelog_etc_t;
+ ')
+
+ allow $1 mcelog_etc_t:dir list_dir_perms;
+ read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+ read_lnk_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+')
+
+########################################
+## <summary>
+## Read from an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_read_stream_sockets',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ allow $1 mcelog_t:unix_stream_socket { read };
+')
+
+########################################
+## <summary>
+## Read and write to an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_rw_stream_sockets',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ allow $1 mcelog_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Write to an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_stream_write',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mcelog_t:sock_file write;
+')
+
+########################################
+## <summary>
+## Connect to mcelog over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_stream_connect',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mcelog_t:unix_stream_socket connectto;
+')
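Review bot: `mcelog_var_run_t` is listed in the `gen_require` of `mcelog_read_stream_sockets` and `mcelog_rw_stream_sockets` but neither body references it, so those requirements should be trimmed to `type mcelog_t;` (the same holds for `mcelog_stream_write` as written, and for `mcelog_stream_connect` only if its body is kept as it is). As a point of style, `{ read }` around a single permission is unnecessary and is not used elsewhere in this hunk; `allow $1 mcelog_t:unix_stream_socket read;` matches the rest. The documentation block of `mcelog_read_etc_files` is also the only one not followed by the bare `#` line that closes the XML comment in the other four interfaces; add `#` between `## </param>` and `interface(\`mcelog_read_etc_files',\``.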
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
--- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 00:27:04.614197400 +0200
@@ -1,14 +1,37 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)

########################################
#
# Declarations
#

+## <desc>
+## <p>
+## Enable support for mcelog in client mode.
+## </p>
+## </desc>
+gen_tunable(mcelog_client, false)
+
type mcelog_t;
type mcelog_exec_t;
+corecmd_executable_file(mcelog_exec_t);
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
application_domain(mcelog_t, mcelog_exec_t)
cron_system_entry(mcelog_t, mcelog_exec_t)
+role system_r types mcelog_t;
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)

########################################
#
@@ -22,11 +45,37 @@ kernel_read_system_state(mcelog_t)
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)

+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
+
+# needed in daemon mode
files_read_etc_files(mcelog_t)

-# for /dev/mem access
-mls_file_read_all_levels(mcelog_t)
+locallogin_use_fds(mcelog_t)

+# append to a logfile in a generic var_log_t directory
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+
+# use syslog functionality (optional, configurable)
logging_send_syslog_msg(mcelog_t)

+# to read the standard configuration file
+mcelog_read_etc_files(mcelog_t)
+
+mcelog_stream_write(mcelog_t)
+
+# needed for client mode
+tunable_policy(`mcelog_client',`
+ mcelog_read_stream_sockets(mcelog_t)
+ mcelog_stream_connect(mcelog_t)
+')
+
miscfiles_read_localization(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+term_use_all_ttys(mcelog_t)
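Review bot: `term_use_all_ttys(mcelog_t)` on the last line and `locallogin_use_fds(mcelog_t)` are added without a comment saying which mode needs them, and the first grants read/write on every tty type, which is far broader than a daemon started by init or cron should hold. If these come from denials seen while running mcelog in the foreground from a login shell, record that, e.g. `# only when run interactively in the foreground; not needed in daemon mode`, and consider whether `term_dontaudit_use_all_ttys(mcelog_t)` is enough, since stray tty writes from a daemon are normally silenced rather than allowed. Note also that the `# for /dev/mem access` comment now sits after `miscfiles_read_localization`, away from the `dev_read_raw_memory(mcelog_t)` line at the top of the hunk that it describes; keeping `mls_file_read_all_levels(mcelog_t)` next to that line reads better.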
diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
--- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
@@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)

/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_redhat',`
-/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')

/etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)




2012-08-05 21:37:42

by dominick.grift

Subject: [refpolicy] [PATCH]: mcelog module initial rewrite



On Sun, 2012-08-05 at 22:49 +0200, Guido Trentalancia wrote:
> Obsoltes (or is alternative to) the previous two mcelog patches.
>
> Initial rewrite of mcelog module:
> - version increment
> - fix and extend file contexts (private)
> - support daemon mode and init scripting (+ cron mode untested)
> - support triggers for all distributions, while leaving
> compatibility with their alternate location in Fedora (and
> current policy)
> - initial support for client mode (untested)
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/mcelog.fc | 15 +++++
> policy/modules/contrib/mcelog.if | 100 ++++++++++++++++++++++++++++++++++
> policy/modules/contrib/mcelog.te | 55 +++++++++++++++++-
> policy/modules/kernel/corecommands.fc | 6 --
> 4 files changed, 167 insertions(+), 9 deletions(-)
>
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-05 23:36:37.355678527 +0200
> @@ -1 +1,16 @@
> +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)

should probably be bin_t instead of mcelog_exec_t

> +
> +ifdef(`distro_redhat',`
> +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)

should probably be bin_t instead of mcelog_exec_t

> +')
> +
> +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)

/etc/rc\.d/init\.d/mcelog (escape the periods)

> +
> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
> +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
> +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
> +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
> --- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-05 22:58:59.578345741 +0200
> @@ -18,3 +18,103 @@ interface(`mcelog_domtrans',`
> domtrans_pattern($1, mcelog_exec_t, mcelog_t)
> ')
>
> +########################################
> +## <summary>
> +## Read mcelog_etc_t files (usually
> +## in /etc/mcelog).
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read generic
> +## files in /etc/mcelog. These files are
> +## mcelog configuration files.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +interface(`mcelog_read_etc_files',`
> + gen_require(`
> + type mcelog_etc_t;
> + ')
> +

files_search_etc($1)
> + allow $1 mcelog_etc_t:dir list_dir_perms;
> + read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
> + read_lnk_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read from an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_read_stream_sockets',`
> + gen_require(`
> + type mcelog_t, mcelog_var_run_t;
> + ')
> +
> + allow $1 mcelog_t:unix_stream_socket { read };
> +')

I dont think mcelog_read_stream_sockets is needed

> +
> +########################################
> +## <summary>
> +## Read and write to an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_rw_stream_sockets',`
> + gen_require(`
> + type mcelog_t, mcelog_var_run_t;
> + ')
> +
> + allow $1 mcelog_t:unix_stream_socket { read write };
> +')

Might above be a leaked file descriptor issue?

> +
> +########################################
> +## <summary>
> +## Write to an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_stream_write',`
> + gen_require(`
> + type mcelog_t, mcelog_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 mcelog_t:sock_file write;
> +')

The above isnt needed and wrong (mcelog_t is not a sock_file type), see
below

> +########################################
> +## <summary>
> +## Connect to mcelog over an unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_stream_connect',`
> + gen_require(`
> + type mcelog_t, mcelog_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 mcelog_t:unix_stream_socket connectto;

above is incorrect, use: stream_connect_pattern($1, mcelog_var_run_t,
mcelog_var_run_t, mcelog_t)


> +')
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
> --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 00:27:04.614197400 +0200
> @@ -1,14 +1,37 @@
> -policy_module(mcelog, 1.1.0)
> +policy_module(mcelog, 1.1.1)
>
> ########################################
> #
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Enable support for mcelog in client mode.
> +## </p>
> +## </desc>
> +gen_tunable(mcelog_client, false)
> +

No need to make the above conditional

> type mcelog_t;
> type mcelog_exec_t;
> +corecmd_executable_file(mcelog_exec_t);

no ");"
can probably remove coremd_executable_file(mcelog_exec_t); altogether

> +init_daemon_domain(mcelog_t, mcelog_exec_t)
> +
> application_domain(mcelog_t, mcelog_exec_t)
no need for this (already enclosed in init_daemon_domain())

> cron_system_entry(mcelog_t, mcelog_exec_t)

Above is optional, wrap in optional policy and move to policy and out of
declarations

> +role system_r types mcelog_t;

above is redundant , already allowed in init_daemon_domain()

> +
> +type mcelog_initrc_exec_t;
> +init_script_file(mcelog_initrc_exec_t)
> +
> +type mcelog_etc_t;
> +files_config_file(mcelog_etc_t)
> +
> +type mcelog_log_t;
> +logging_log_file(mcelog_log_t)
> +
> +type mcelog_var_run_t;
> +files_pid_file(mcelog_var_run_t)
>
> ########################################
> #
> @@ -22,11 +45,37 @@ kernel_read_system_state(mcelog_t)
> dev_read_raw_memory(mcelog_t)
> dev_read_kmsg(mcelog_t)
>
> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
> +
> +# needed in daemon mode
> files_read_etc_files(mcelog_t)
>
> -# for /dev/mem access
> -mls_file_read_all_levels(mcelog_t)

> +locallogin_use_fds(mcelog_t)
>
> +# append to a logfile in a generic var_log_t directory
> +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)

use:
create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
logging_log_filetrans(mcelog_t, mcelog_log_t, file)


> +
> +# use syslog functionality (optional, configurable)
> logging_send_syslog_msg(mcelog_t)
>
> +# to read the standard configuration file
> +mcelog_read_etc_files(mcelog_t)
duplicate


> +mcelog_stream_write(mcelog_t)

no needed

> +# needed for client mode
> +tunable_policy(`mcelog_client',`
> + mcelog_read_stream_sockets(mcelog_t)
> + mcelog_stream_connect(mcelog_t)
> +')

not needed, add:

allow mcelog_t self:unix_stream_socket create_socket_perms;

> miscfiles_read_localization(mcelog_t)
> +
> +# for /dev/mem access
> +mls_file_read_all_levels(mcelog_t)
> +
> +term_use_all_ttys(mcelog_t)
> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
> @@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
> /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)

No, dont remove this

> -ifdef(`distro_redhat',`
> -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
> -')

No dont remove this

> /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
>
>
>