From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 05 Aug 2012 22:49:03 +0200
Subject: [refpolicy] [PATCH]: mcelog module initial rewrite
Message-ID: <201208052049.q75Kn3VS026295@vivaldi49.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Obsoltes (or is alternative to) the previous two mcelog patches.

Initial rewrite of mcelog module:
- version increment
- fix and extend file contexts (private)
- support daemon mode and init scripting (+ cron mode untested)
- support triggers for all distributions, while leaving
  compatibility with their alternate location in Fedora (and
  current policy)
- initial support for client mode (untested)

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/mcelog.fc      |   15 +++++
 policy/modules/contrib/mcelog.if      |  100 ++++++++++++++++++++++++++++++++++
 policy/modules/contrib/mcelog.te      |   55 +++++++++++++++++-
 policy/modules/kernel/corecommands.fc |    6 --
 4 files changed, 167 insertions(+), 9 deletions(-)

diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
--- refpolicy-04062012/policy/modules/contrib/mcelog.fc	2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc	2012-08-05 23:36:37.355678527 +0200
@@ -1 +1,16 @@
+/etc/mcelog(/.*)?	gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
+/etc/mcelog/.*.local		--	gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers	-d	gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/triggers(/.*)?	gen_context(system_u:object_r:mcelog_exec_t,s0)
+')
+
+/etc/rc.d/init.d/mcelog	--	gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
 /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog		--	gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog.pid	--	gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client	-s	gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
--- refpolicy-04062012/policy/modules/contrib/mcelog.if	2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if	2012-08-05 22:58:59.578345741 +0200
@@ -18,3 +18,103 @@ interface(`mcelog_domtrans',`
 	domtrans_pattern($1, mcelog_exec_t, mcelog_t)
 ')
 
+########################################
+## <summary>
+##	Read mcelog_etc_t files (usually
+##	in /etc/mcelog).
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read generic
+##	files in /etc/mcelog. These files are
+##	mcelog configuration files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+interface(`mcelog_read_etc_files',`
+	gen_require(`
+		type mcelog_etc_t;
+	')
+
+	allow $1 mcelog_etc_t:dir list_dir_perms;
+	read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+	read_lnk_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+')
+
+########################################
+## <summary>
+##	Read from an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcelog_read_stream_sockets',`
+	gen_require(`
+		type mcelog_t, mcelog_var_run_t;
+	')
+
+	allow $1 mcelog_t:unix_stream_socket { read };
+')
+
+########################################
+## <summary>
+##	Read and write to an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcelog_rw_stream_sockets',`
+	gen_require(`
+		type mcelog_t, mcelog_var_run_t;
+	')
+
+	allow $1 mcelog_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Write to an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcelog_stream_write',`
+	gen_require(`
+		type mcelog_t, mcelog_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 mcelog_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Connect to mcelog over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mcelog_stream_connect',`
+	gen_require(`
+		type mcelog_t, mcelog_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 mcelog_t:unix_stream_socket connectto;
+')
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
--- refpolicy-04062012/policy/modules/contrib/mcelog.te	2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te	2012-08-06 00:27:04.614197400 +0200
@@ -1,14 +1,37 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Enable support for mcelog in client mode.
+## </p>
+## </desc>
+gen_tunable(mcelog_client, false)
+
 type mcelog_t;
 type mcelog_exec_t;
+corecmd_executable_file(mcelog_exec_t);
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
 application_domain(mcelog_t, mcelog_exec_t)
 cron_system_entry(mcelog_t, mcelog_exec_t)
+role system_r types mcelog_t;
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
 
 ########################################
 #
@@ -22,11 +45,37 @@ kernel_read_system_state(mcelog_t)
 dev_read_raw_memory(mcelog_t)
 dev_read_kmsg(mcelog_t)
 
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
+
+# needed in daemon mode
 files_read_etc_files(mcelog_t)
 
-# for /dev/mem access
-mls_file_read_all_levels(mcelog_t)
+locallogin_use_fds(mcelog_t)
 
+# append to a logfile in a generic var_log_t directory
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+
+# use syslog functionality (optional, configurable)
 logging_send_syslog_msg(mcelog_t)
 
+# to read the standard configuration file
+mcelog_read_etc_files(mcelog_t)
+
+mcelog_stream_write(mcelog_t)
+
+# needed for client mode
+tunable_policy(`mcelog_client',`
+	mcelog_read_stream_sockets(mcelog_t)
+	mcelog_stream_connect(mcelog_t)
+')
+
 miscfiles_read_localization(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+term_use_all_ttys(mcelog_t)
diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
--- refpolicy-04062012/policy/modules/kernel/corecommands.fc	2012-08-05 04:52:17.194005067 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc	2012-08-05 17:49:05.594838788 +0200
@@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
 /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*.local		--	gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_redhat',`
-/etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-')
 
 /etc/mgetty+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)