2012-08-06 15:42:23

by Guido Trentalancia

Subject: [refpolicy] My take on Guido Trentalancia's mcelog changes

>On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
>> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
>> From: Dominick Grift <[email protected]>
>> Date: Mon, 6 Aug 2012 16:16:48 +0200
>> Subject: [PATCH] Run mcelog as a daemon
>>
>
>Looks like i am missing a file context specification for the
>mcelog_etc_t content.
>
>Where is it? is it "/etc/mcelog(/.*)?"

Please double-check, it should be there.

>> I haven't tested this.
>> I left out the "term_use_all_ttys(mcelog_t)"

It's for interactive use (including printing out the help file by using --help).

>> Signed-off-by: Dominick Grift <[email protected]>
>> diff --git a/mcelog.fc b/mcelog.fc
>> index 56c43c0..a16de0a 100644
>> --- a/mcelog.fc
>> +++ b/mcelog.fc
>> @@ -1 +1,8 @@
>> +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
>> +
>> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +
>> +/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
>> +
>> +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
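Review bot: this mcelog.fc hunk gives no file context to the mcelog_etc_t type that mcelog.te declares in the next hunk, so nothing on disk is ever labeled mcelog_etc_t and the list_dir_perms and read_files_pattern rules on it never come into play (the daemon would only see the generic etc label covered by files_read_etc_files). Add a spec next to the other new entries, for instance `/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)`, which is the path asked about in the reply above. The rest of the hunk is consistent with the .te side: the `-s` spec for /var/run/mcelog-client pairs with manage_sock_files_pattern and the `{ file sock_file }` pid filetrans on mcelog_var_run_t.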
>> diff --git a/mcelog.te b/mcelog.te
>> index 5671977..79d5856 100644
>> --- a/mcelog.te
>> +++ b/mcelog.te
>> @@ -7,8 +7,19 @@
>>
>> type mcelog_t;
>> type mcelog_exec_t;
>> -application_domain(mcelog_t, mcelog_exec_t)
>> -cron_system_entry(mcelog_t, mcelog_exec_t)
>> +init_daemon_domain(mcelog_t, mcelog_exec_t)
>> +
>> +type mcelog_initrc_exec_t;
>> +init_script_file(mcelog_initrc_exec_t)
>> +
>> +type mcelog_etc_t;
>> +files_config_file(mcelog_etc_t)
>> +
>> +type mcelog_log_t;
>> +logging_log_file(mcelog_log_t)
>> +
>> +type mcelog_var_run_t;
>> +files_pid_file(mcelog_var_run_t)
>>
>> ########################################
>> #
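Review bot: removing cron_system_entry at the top of this hunk reads as dropping cron support until one reaches the optional_policy block at the end of the patch where it is re-added, and the commit message ("Run mcelog as a daemon") does not mention it. State in the message that the cron entry is retained behind optional_policy, and that init_daemon_domain now replaces application_domain, so the change in how mcelog_t is entered is documented rather than inferred from the diff.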
>> @@ -16,11 +27,29 @@
>> #
>>
>> allow mcelog_t self:capability sys_admin;
>> +allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>> +
>> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
>> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>> +
>> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>> +
>> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>>
>> kernel_read_system_state(mcelog_t)
>>
>> +corecmd_exec_bin(mcelog_t)
>> +
>> dev_read_raw_memory(mcelog_t)
>> dev_read_kmsg(mcelog_t)
>> +dev_rw_sysfs(mcelog_t)
>> +
>> +domain_use_interactive_fds(mcelog_t)
>>
>> files_read_etc_files(mcelog_t)
>>
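Review bot: dev_rw_sysfs(mcelog_t) grants read and write access to all of sysfs; if the daemon only reads there, dev_read_sysfs is the narrower choice, and if it must write to specific nodes a comment on the line saying which would justify the wider interface. The same goes for corecmd_exec_bin(mcelog_t): nothing in the hunk or the message says what mcelog executes, so a comment is needed. Separately, the reply above notes the binary is also run interactively (--help); domain_use_interactive_fds covers the inherited descriptors but not the terminal itself, and userdom_use_user_terminals would be a narrower substitute for the term_use_all_ttys that was left out.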
>> @@ -30,3 +59,7 @@
>> logging_send_syslog_msg(mcelog_t)
>>
>> miscfiles_read_localization(mcelog_t)
>> +
>> +optional_policy(`
>> + cron_system_entry(mcelog_t, mcelog_exec_t)
>> +')
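Review bot: wrapping cron_system_entry in optional_policy is the correct dependency handling since the cron module may be absent, but the message states the patch is untested and mcelog_exec_t now has two entry paths (init via init_daemon_domain in the earlier hunk, cron here). Both the init script start and a cron-driven run should be exercised in enforcing mode before this merges, checking in particular that the log file created under /var/log lands in mcelog_log_t via the unnamed logging_log_filetrans.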


2012-08-06 15:51:13

by dominick.grift

Subject: [refpolicy] My take on Guido Trentalancia's mcelog changes



On Mon, 2012-08-06 at 17:42 +0200, Guido Trentalancia wrote:
> >On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
> >> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
> >> From: Dominick Grift <[email protected]>
> >> Date: Mon, 6 Aug 2012 16:16:48 +0200
> >> Subject: [PATCH] Run mcelog as a daemon
> >>
> >
> >Looks like i am missing a file context specification for the
> >mcelog_etc_t content.
> >
> >Where is it? is it "/etc/mcelog(/.*)?"
>
> Please double-check, it should be there.

OK, must have overlooked that.

> >> I haven't tested this.
> >> I left out the "term_use_all_ttys(mcelog_t)"
>
> It's for interactive use (including printing out the help file by using --help).

Probably use userdom_use_user_terminals instead.