Rewrite of mcelog module:
- version increment
- fix and extend file contexts (private types)
- support daemon mode and init scripting (+ deprecated and untested cron mode)
- support triggers for all distributions, while leaving
compatibility with their alternate location in Fedora (and
current policy)
- initial support for client mode (untested)
- support for sysfs (rw)
- includes several revisions from Dominick Grift
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/mcelog.fc | 15 ++++++
policy/modules/contrib/mcelog.if | 75 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/mcelog.te | 54 ++++++++++++++++++++++--
policy/modules/kernel/corecommands.fc | 6 --
4 files changed, 139 insertions(+), 11 deletions(-)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
--- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200
@@ -1 +1,16 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
+')
+
+/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
--- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200
@@ -18,3 +18,78 @@ interface(`mcelog_domtrans',`
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')
+########################################
+## <summary>
+## Read the mcelog configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcelog_read_config',`
+ gen_require(`
+ type mcelog_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+ allow $1 mcelog_etc_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_stream_socket_create',`
+ gen_require(`
+ type mcelog_t;
+ ')
+
+ allow $1 mcelog_t:unix_stream_socket create_socket_perms;
+')
+
+########################################
+## <summary>
+## Read from an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_stream_socket_read',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ allow $1 mcelog_var_run_t:unix_stream_socket { read };
+')
+
+########################################
+## <summary>
+## Connect to mcelog over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_stream_socket_connect',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t);
+')
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
--- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)
########################################
#
@@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0)
type mcelog_t;
type mcelog_exec_t;
-application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+corecmd_executable_file(mcelog_exec_t);
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
########################################
#
@@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_
allow mcelog_t self:capability sys_admin;
+can_exec(mcelog_t, mcelog_exec_t)
+
kernel_read_system_state(mcelog_t)
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
+
+# optional support for running it as a cron job
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
+
+# needed in daemon mode
files_read_etc_files(mcelog_t)
-# for /dev/mem access
-mls_file_read_all_levels(mcelog_t)
+locallogin_use_fds(mcelog_t)
+
+# create/append a logfile in a private log directory
+create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+# use syslog functionality (optional, configurable)
logging_send_syslog_msg(mcelog_t)
+# to read the standard configuration file
+mcelog_read_config(mcelog_t)
+
+mcelog_stream_socket_create(mcelog_t)
+mcelog_stream_socket_read(mcelog_t)
+mcelog_stream_socket_connect(mcelog_t)
+
miscfiles_read_localization(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+term_use_all_ttys(mcelog_t)
diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
--- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
@@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_redhat',`
-/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
/etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
> Rewrite of mcelog module:
> - version increment
> - fix and extend file contexts (private types)
> - support daemon mode and init scripting (+ deprecated and untested cron mode)
> - support triggers for all distributions, while leaving
> compatibility with their alternate location in Fedora (and
> current policy)
> - initial support for client mode (untested)
> - support for sysfs (rw)
> - includes several revisions from Dominick Grift
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/mcelog.fc | 15 ++++++
> policy/modules/contrib/mcelog.if | 75 ++++++++++++++++++++++++++++++++++
> policy/modules/contrib/mcelog.te | 54 ++++++++++++++++++++++--
> policy/modules/kernel/corecommands.fc | 6 --
> 4 files changed, 139 insertions(+), 11 deletions(-)
>
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200
> @@ -1 +1,16 @@
> +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
I dont have a good argument for using bin_t but i dont have a good
argument for using mcelog_exec_t either , therefore i suggest keeping it
bin_t
> +ifdef(`distro_redhat',`
> +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
> +')
> +
> +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
> +
Weird, i still dont see the periods escaped above.
> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
> +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
> +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
> +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
> --- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200
> @@ -18,3 +18,78 @@ interface(`mcelog_domtrans',`
> domtrans_pattern($1, mcelog_exec_t, mcelog_t)
> ')
>
> +########################################
> +## <summary>
> +## Read the mcelog configuration files.
I would probably use "Read mcelog configuration files."
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mcelog_read_config',`
I would probably call the interface "mcelog_read_config_files" or
"mcelog_read_etc_files"
> + gen_require(`
> + type mcelog_etc_t;
> + ')
> +
> + files_search_etc($1)
> + read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
> + allow $1 mcelog_etc_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_stream_socket_create',`
> + gen_require(`
> + type mcelog_t;
> + ')
> +
> + allow $1 mcelog_t:unix_stream_socket create_socket_perms;
> +')
Not needed.
> +########################################
> +## <summary>
> +## Read from an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_stream_socket_read',`
> + gen_require(`
> + type mcelog_t, mcelog_var_run_t;
> + ')
> +
> + allow $1 mcelog_var_run_t:unix_stream_socket { read };
> +')
not needed.
> +########################################
> +## <summary>
> +## Connect to mcelog over an unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_stream_socket_connect',`
> + gen_require(`
> + type mcelog_t, mcelog_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t);
> +')
Not needed.
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
> --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200
> @@ -1,4 +1,4 @@
> -policy_module(mcelog, 1.1.0)
> +policy_module(mcelog, 1.1.1)
>
> ########################################
> #
> @@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0)
>
> type mcelog_t;
> type mcelog_exec_t;
> -application_domain(mcelog_t, mcelog_exec_t)
> -cron_system_entry(mcelog_t, mcelog_exec_t)
> +corecmd_executable_file(mcelog_exec_t);
I still dont think corecmd_executable_file is needed. Not sure though.
> +init_daemon_domain(mcelog_t, mcelog_exec_t)
> +
> +type mcelog_initrc_exec_t;
> +init_script_file(mcelog_initrc_exec_t)
> +
> +type mcelog_etc_t;
> +files_config_file(mcelog_etc_t)
> +
> +type mcelog_log_t;
> +logging_log_file(mcelog_log_t)
> +
> +type mcelog_var_run_t;
> +files_pid_file(mcelog_var_run_t)
>
> ########################################
> #
> @@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_
>
> allow mcelog_t self:capability sys_admin;
add:
allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>
> +can_exec(mcelog_t, mcelog_exec_t)
> +
If we keep using bin_t then this isnt needed
> kernel_read_system_state(mcelog_t)
>
> dev_read_raw_memory(mcelog_t)
> dev_read_kmsg(mcelog_t)
>
> +dev_rw_sysfs(mcelog_t)
> +
> +# optional support for running it as a cron job
> +optional_policy(`
> + cron_system_entry(mcelog_t, mcelog_exec_t)
> +')
> +
> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
> +
> +# needed in daemon mode
> files_read_etc_files(mcelog_t)
>
> -# for /dev/mem access
> -mls_file_read_all_levels(mcelog_t)
> +locallogin_use_fds(mcelog_t)
> +
> +# create/append a logfile in a private log directory
> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>
> +# use syslog functionality (optional, configurable)
> logging_send_syslog_msg(mcelog_t)
>
> +# to read the standard configuration file
> +mcelog_read_config(mcelog_t)
use read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
Interfaces are not for internal use
> +
> +mcelog_stream_socket_create(mcelog_t)
> +mcelog_stream_socket_read(mcelog_t)
> +mcelog_stream_socket_connect(mcelog_t)
> +
none of the above are needed
> miscfiles_read_localization(mcelog_t)
> +
> +# for /dev/mem access
> +mls_file_read_all_levels(mcelog_t)
> +
> +term_use_all_ttys(mcelog_t)
> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
> @@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
> /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
> -
> -ifdef(`distro_redhat',`
> -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
> -')
>
> /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
>
>
>
On Mon, 2012-08-06 at 15:40 +0200, Dominick Grift wrote:
>
> On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
> > Rewrite of mcelog module:
> > - version increment
> > - fix and extend file contexts (private types)
> > - support daemon mode and init scripting (+ deprecated and untested cron mode)
> > - support triggers for all distributions, while leaving
> > compatibility with their alternate location in Fedora (and
> > current policy)
> > - initial support for client mode (untested)
> > - support for sysfs (rw)
> > - includes several revisions from Dominick Grift
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/mcelog.fc | 15 ++++++
> > policy/modules/contrib/mcelog.if | 75 ++++++++++++++++++++++++++++++++++
> > policy/modules/contrib/mcelog.te | 54 ++++++++++++++++++++++--
> > policy/modules/kernel/corecommands.fc | 6 --
> > 4 files changed, 139 insertions(+), 11 deletions(-)
> >
> > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
> > --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
> > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200
> > @@ -1 +1,16 @@
> > +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
> > +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> > +/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> > +
>
> I dont have a good argument for using bin_t but i dont have a good
> argument for using mcelog_exec_t either , therefore i suggest keeping it
> bin_t
>
> > +ifdef(`distro_redhat',`
> > +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
> > +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
> > +')
> > +
> > +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
> > +
>
> Weird, i still dont see the periods escaped above.
>
> > /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> > +
> > +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
> > +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
> > +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
> > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
> > --- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
> > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200
> > @@ -18,3 +18,78 @@ interface(`mcelog_domtrans',`
> > domtrans_pattern($1, mcelog_exec_t, mcelog_t)
> > ')
> >
> > +########################################
> > +## <summary>
> > +## Read the mcelog configuration files.
>
> I would probably use "Read mcelog configuration files."
>
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`mcelog_read_config',`
>
> I would probably call the interface "mcelog_read_config_files" or
> "mcelog_read_etc_files"
>
> > + gen_require(`
> > + type mcelog_etc_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
> > + allow $1 mcelog_etc_t:dir list_dir_perms;
> > +')
Not needed. Interfaces shouldnt be used internally
> > +########################################
> > +## <summary>
> > +## Create an mcelog unix stream socket.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`mcelog_stream_socket_create',`
> > + gen_require(`
> > + type mcelog_t;
> > + ')
> > +
> > + allow $1 mcelog_t:unix_stream_socket create_socket_perms;
> > +')
>
> Not needed.
>
> > +########################################
> > +## <summary>
> > +## Read from an mcelog unix stream socket.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`mcelog_stream_socket_read',`
> > + gen_require(`
> > + type mcelog_t, mcelog_var_run_t;
> > + ')
> > +
> > + allow $1 mcelog_var_run_t:unix_stream_socket { read };
> > +')
>
> not needed.
>
> > +########################################
> > +## <summary>
> > +## Connect to mcelog over an unix stream socket.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`mcelog_stream_socket_connect',`
> > + gen_require(`
> > + type mcelog_t, mcelog_var_run_t;
> > + ')
> > +
> > + files_search_pids($1)
> > + stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t);
> > +')
>
> Not needed.
>
> > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
> > --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
> > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200
> > @@ -1,4 +1,4 @@
> > -policy_module(mcelog, 1.1.0)
> > +policy_module(mcelog, 1.1.1)
> >
> > ########################################
> > #
> > @@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0)
> >
> > type mcelog_t;
> > type mcelog_exec_t;
> > -application_domain(mcelog_t, mcelog_exec_t)
> > -cron_system_entry(mcelog_t, mcelog_exec_t)
> > +corecmd_executable_file(mcelog_exec_t);
>
> I still dont think corecmd_executable_file is needed. Not sure though.
>
> > +init_daemon_domain(mcelog_t, mcelog_exec_t)
> > +
> > +type mcelog_initrc_exec_t;
> > +init_script_file(mcelog_initrc_exec_t)
> > +
> > +type mcelog_etc_t;
> > +files_config_file(mcelog_etc_t)
> > +
> > +type mcelog_log_t;
> > +logging_log_file(mcelog_log_t)
> > +
> > +type mcelog_var_run_t;
> > +files_pid_file(mcelog_var_run_t)
> >
> > ########################################
> > #
> > @@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_
> >
> > allow mcelog_t self:capability sys_admin;
>
> add:
>
> allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>
> >
> > +can_exec(mcelog_t, mcelog_exec_t)
> > +
>
> If we keep using bin_t then this isnt needed
>
> > kernel_read_system_state(mcelog_t)
> >
> > dev_read_raw_memory(mcelog_t)
> > dev_read_kmsg(mcelog_t)
> >
> > +dev_rw_sysfs(mcelog_t)
> > +
> > +# optional support for running it as a cron job
> > +optional_policy(`
> > + cron_system_entry(mcelog_t, mcelog_exec_t)
> > +')
This needs to be all the way below (tunable policy goes below : see
tresys policy writing guidelines.)
> > +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> > +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> > +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
> > +
> > +# needed in daemon mode
> > files_read_etc_files(mcelog_t)
> >
> > -# for /dev/mem access
> > -mls_file_read_all_levels(mcelog_t)
> > +locallogin_use_fds(mcelog_t)
> > +
> > +# create/append a logfile in a private log directory
> > +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> > +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> > +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> > +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
> >
> > +# use syslog functionality (optional, configurable)
> > logging_send_syslog_msg(mcelog_t)
> >
> > +# to read the standard configuration file
> > +mcelog_read_config(mcelog_t)
>
> use read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>
> Interfaces are not for internal use
>
> > +
> > +mcelog_stream_socket_create(mcelog_t)
> > +mcelog_stream_socket_read(mcelog_t)
> > +mcelog_stream_socket_connect(mcelog_t)
> > +
>
> none of the above are needed
>
> > miscfiles_read_localization(mcelog_t)
> > +
> > +# for /dev/mem access
> > +mls_file_read_all_levels(mcelog_t)
> > +
> > +term_use_all_ttys(mcelog_t)
> > diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
> > --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
> > +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
> > @@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
> > /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >
> > /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
> > -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
> > -/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
> > -
> > -ifdef(`distro_redhat',`
> > -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
> > -')
> >
> > /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
> >
> >
> >
>
>
> >
> > On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
<..snip ..>
Also don't create patches on patches ( i think your v2 patch is a patch
on your initial patch?)
On 08/06/12 09:46, Dominick Grift wrote:
>
>>>
>>> On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
>
> <..snip ..>
>
> Also don't create patches on patches ( i think your v2 patch is a patch
> on your initial patch?)
I'm still sorting through all the emails, but if thats the case, Guido, please resubmit as a proper patch set (no patches on patches).
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
Hello Christopher.
On 07/08/2012 19:49, Christopher J. PeBenito wrote:
> On 08/06/12 09:46, Dominick Grift wrote:
>>
>>>>
>>>> On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
>>
>> <..snip ..>
>>
>> Also don't create patches on patches ( i think your v2 patch is a patch
>> on your initial patch?)
>
> I'm still sorting through all the emails, but if thats the case, Guido, please resubmit as a proper patch set (no patches on patches).
It's not patches on patches: they are all the same patch in different
versions.
Increasing version numbers imply increased stability, improved style and
so on. But it was mostly working since the initial version, which
creates an advantage in terms of time, I suppose, if you consider the
actual state is basically unsupported (daemon won't start).
Since Dominick is not entirely happy with it, I suggest you apply the
latest version (v4) and then let him follow on, as I am entirely
satisfied with such version and at the same time I believe I have
followed all of his advice as applicable (except from the booleans that
I need on my system).
Regards,
Guido