From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 05 Aug 2012 22:49:03 +0200
Subject: [refpolicy] [PATCH]: mcelog module initial rewrite
Message-ID: <201208052049.q75Kn3VS026295@vivaldi49.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Obsoltes (or is alternative to) the previous two mcelog patches.

Initial rewrite of mcelog module:

- version increment
- fix and extend file contexts (private)
- support daemon mode and init scripting (+ cron mode untested)
- support triggers for all distributions, while leaving compatibility with their alternate location in Fedora (and current policy)
- initial support for client mode (untested)

Signed-off-by: Guido Trentalancia

---
 policy/modules/contrib/mcelog.fc | 15 +++++
 policy/modules/contrib/mcelog.if | 100 ++++++++++++++++++++++++++++++++++
 policy/modules/contrib/mcelog.te | 55 +++++++++++++++++-
 policy/modules/kernel/corecommands.fc | 6 --
 4 files changed, 167 insertions(+), 9 deletions(-)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
--- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-05 23:36:37.355678527 +0200
@@ -1 +1,16 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
+')
+
+/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
 /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
--- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-05 22:58:59.578345741 +0200
@@ -18,3 +18,103 @@ interface(`mcelog_domtrans',`
 
 domtrans_pattern($1, mcelog_exec_t, mcelog_t)
 ')
+########################################
+##
+## Read mcelog_etc_t files (usually
+## in /etc/mcelog).
+##
+##
+##
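Review bot: The third added line, `/etc/mcelog/.*.local`, leaves the dot before `local` unescaped, so the regex matches any character in that position (a file named `foo_local` as well as `foo.local`) and labels it with the daemon's entrypoint type; it should read `/etc/mcelog/.*\.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)`, and the line this patch removes from corecommands.fc had the same flaw. Giving the trigger scripts the same type as /usr/sbin/mcelog also turns every administrator-written script under /etc/mcelog into an entrypoint for mcelog_t, so any domain with a transition on mcelog_exec_t (init and cron, per mcelog.te) will run them as the daemon; a dedicated type for the triggers, with only mcelog_t allowed to execute it, would keep the entrypoint and the hooks apart. The `-d` line for /etc/mcelog/triggers correctly prevents the directory itself from getting the exec type.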

+## Allow the specified domain to read generic
+## files in /etc/mcelog. These files are
+## mcelog configuration files.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+interface(`mcelog_read_etc_files',`
+ gen_require(`
+ type mcelog_etc_t;
+ ')
+
+ allow $1 mcelog_etc_t:dir list_dir_perms;
+ read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+ read_lnk_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+')
+
+########################################
+##
+## Read from an mcelog unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_read_stream_sockets',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ allow $1 mcelog_t:unix_stream_socket { read };
+')
+
+########################################
+##
+## Read and write to an mcelog unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_rw_stream_sockets',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ allow $1 mcelog_t:unix_stream_socket { read write };
+')
+
+########################################
+##
+## Write to an mcelog unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_stream_write',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mcelog_t:sock_file write;
+')
+
+########################################
+##
+## Connect to mcelog over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_stream_connect',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mcelog_t:unix_stream_socket connectto;
+')
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
--- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 00:27:04.614197400 +0200
@@ -1,14 +1,37 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)
 
 ########################################
 #
 # Declarations
 #
 
+##
+##
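Review bot: mcelog_stream_write grants `allow $1 mcelog_t:sock_file write;`, but the socket file /var/run/mcelog-client is labeled mcelog_var_run_t by mcelog.fc, so the rule names the process domain instead of the file type and does nothing for the socket; it should be `allow $1 mcelog_var_run_t:sock_file write;`. mcelog_stream_connect would then be better expressed as the standard `stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t)`, which grants the pid-directory search, the sock_file write and the connectto together and makes the separate write interface unnecessary. Three of the new interfaces require mcelog_var_run_t without referencing it, and mcelog_read_stream_sockets / mcelog_rw_stream_sockets hand out read and write on mcelog_t's own socket objects, which a connected client does not normally need since it operates on its own socket; I would drop those two unless a concrete denial calls for them. Style-wise, the `#` separator before mcelog_read_etc_files is missing and no blank line separates the new block from mcelog_domtrans, unlike the other interfaces added here.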

+## Enable support for mcelog in client mode.
+##

+##
+gen_tunable(mcelog_client, false)
+
 type mcelog_t;
 type mcelog_exec_t;
+corecmd_executable_file(mcelog_exec_t);
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
 application_domain(mcelog_t, mcelog_exec_t)
 cron_system_entry(mcelog_t, mcelog_exec_t)
+role system_r types mcelog_t;
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
 
 ########################################
 #
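Review bot: `corecmd_executable_file(mcelog_exec_t);` is the only macro call in the hunk that ends in a semicolon; the macro already expands to complete statements, so the stray `;` lands in the generated policy and should be dropped (`corecmd_executable_file(mcelog_exec_t)`). With `init_daemon_domain(mcelog_t, mcelog_exec_t)` added, the retained `application_domain(mcelog_t, mcelog_exec_t)` and the new `role system_r types mcelog_t;` look redundant, since init_daemon_domain already declares the domain, its entry file and the system_r role if I read init.if correctly, and corecmd_executable_file duplicates the exec_type attribute that the entry-file declaration provides. The usual refpolicy shape for a daemon that can also run from cron is init_daemon_domain plus cron_system_entry and nothing else.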
@@ -22,11 +45,37 @@ kernel_read_system_state(mcelog_t)
 dev_read_raw_memory(mcelog_t)
 dev_read_kmsg(mcelog_t)
 
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
+
+# needed in daemon mode
 files_read_etc_files(mcelog_t)
 
-# for /dev/mem access
-mls_file_read_all_levels(mcelog_t)
+locallogin_use_fds(mcelog_t)
 
+# append to a logfile in a generic var_log_t directory
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+
+# use syslog functionality (optional, configurable)
 logging_send_syslog_msg(mcelog_t)
 
+# to read the standard configuration file
+mcelog_read_etc_files(mcelog_t)
+
+mcelog_stream_write(mcelog_t)
+
+# needed for client mode
+tunable_policy(`mcelog_client',`
+ mcelog_read_stream_sockets(mcelog_t)
+ mcelog_stream_connect(mcelog_t)
+')
+
 miscfiles_read_localization(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+term_use_all_ttys(mcelog_t)
diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
--- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
@@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
 /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
 
-/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_redhat',`
-/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
 
 /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
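Review bot: `term_use_all_ttys(mcelog_t)` at the end of the hunk grants read/write on every tty type to a daemon whose other rules only log, write a pid file and read /dev/mem; if the intent is to keep an administrator's shell from producing denials when mcelog is started by hand, the refpolicy idiom is a dontaudit such as `userdom_dontaudit_use_user_terminals(mcelog_t)`, and the same question applies to `locallogin_use_fds(mcelog_t)`. Nothing in this or the previous hunk lets mcelog_t execute the trigger scripts that mcelog.fc now labels mcelog_exec_t, or a shell to interpret them, so the triggers presumably still cannot run; `can_exec(mcelog_t, mcelog_exec_t)` and `corecmd_exec_shell(mcelog_t)` would be needed, preferably against a dedicated trigger type rather than the entrypoint type. Calling the module's own interfaces (mcelog_read_etc_files, mcelog_stream_write and the two inside the tunable block) from mcelog.te is discouraged in refpolicy; the direct rules, e.g. `read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)`, are clearer, and what mcelog_stream_write intends is already covered by the `manage_sock_files_pattern` line added earlier in the hunk. The `mls_file_read_all_levels` move is a no-op reordering and fine as is.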