From: dominick.grift@gmail.com (Dominick Grift)
Date: Sun, 05 Aug 2012 23:37:42 +0200
Subject: [refpolicy] [PATCH]: mcelog module initial rewrite
In-Reply-To: <201208052049.q75Kn3VS026295@vivaldi49.register.it>
References: <201208052049.q75Kn3VS026295@vivaldi49.register.it>
Message-ID: <1344202662.29329.16.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com



On Sun, 2012-08-05 at 22:49 +0200, Guido Trentalancia wrote:
> Obsoltes (or is alternative to) the previous two mcelog patches.
> 
> Initial rewrite of mcelog module:
> - version increment
> - fix and extend file contexts (private)
> - support daemon mode and init scripting (+ cron mode untested)
> - support triggers for all distributions, while leaving
>   compatibility with their alternate location in Fedora (and
>   current policy)
> - initial support for client mode (untested)
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>  policy/modules/contrib/mcelog.fc      |   15 +++++
>  policy/modules/contrib/mcelog.if      |  100 ++++++++++++++++++++++++++++++++++
>  policy/modules/contrib/mcelog.te      |   55 +++++++++++++++++-
>  policy/modules/kernel/corecommands.fc |    6 --
>  4 files changed, 167 insertions(+), 9 deletions(-)
> 
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc	2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc	2012-08-05 23:36:37.355678527 +0200
> @@ -1 +1,16 @@
> +/etc/mcelog(/.*)?	gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
> +/etc/mcelog/.*.local		--	gen_context(system_u:object_r:mcelog_exec_t,s0)

should probably be bin_t instead of mcelog_exec_t

> +
> +ifdef(`distro_redhat',`
> +/etc/mcelog/triggers	-d	gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/triggers(/.*)?	gen_context(system_u:object_r:mcelog_exec_t,s0)

should probably be bin_t instead of mcelog_exec_t

> +')
> +
> +/etc/rc.d/init.d/mcelog	--	gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)

/etc/rc\.d/init\d/mcelog (escape the periods)

> +
>  /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
> +/var/log/mcelog		--	gen_context(system_u:object_r:mcelog_log_t,s0)
> +/var/run/mcelog.pid	--	gen_context(system_u:object_r:mcelog_var_run_t,s0)
> +/var/run/mcelog-client	-s	gen_context(system_u:object_r:mcelog_var_run_t,s0)
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
> --- refpolicy-04062012/policy/modules/contrib/mcelog.if	2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if	2012-08-05 22:58:59.578345741 +0200
> @@ -18,3 +18,103 @@ interface(`mcelog_domtrans',`
>  	domtrans_pattern($1, mcelog_exec_t, mcelog_t)
>  ')
>  
> +########################################
> +## <summary>
> +##	Read mcelog_etc_t files (usually
> +##	in /etc/mcelog).
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to read generic
> +##	files in /etc/mcelog. These files are
> +##	mcelog configuration files.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +interface(`mcelog_read_etc_files',`
> +	gen_require(`
> +		type mcelog_etc_t;
> +	')
> +

files_search_etc($1)
> +	allow $1 mcelog_etc_t:dir list_dir_perms;
> +	read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
> +	read_lnk_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Read from an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mcelog_read_stream_sockets',`
> +	gen_require(`
> +		type mcelog_t, mcelog_var_run_t;
> +	')
> +
> +	allow $1 mcelog_t:unix_stream_socket { read };
> +')

I dont think mcelog_read_stream_sockets is needed

> +
> +########################################
> +## <summary>
> +##	Read and write to an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mcelog_rw_stream_sockets',`
> +	gen_require(`
> +		type mcelog_t, mcelog_var_run_t;
> +	')
> +
> +	allow $1 mcelog_t:unix_stream_socket { read write };
> +')

Might above be a leaked file descriptor issue?

> +
> +########################################
> +## <summary>
> +##	Write to an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mcelog_stream_write',`
> +	gen_require(`
> +		type mcelog_t, mcelog_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	allow $1 mcelog_t:sock_file write;
> +')

The above isnt needed and wrong (mcelog_t is not a sock_file type), see
below

> +########################################
> +## <summary>
> +##	Connect to mcelog over an unix stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`mcelog_stream_connect',`
> +	gen_require(`
> +		type mcelog_t, mcelog_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	allow $1 mcelog_t:unix_stream_socket connectto;

above is incorrect, use: stream_connect_pattern($1, mcelog_var_run_t,
mcelog_var_run_t, mcelog_t)

 
> +')
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
> --- refpolicy-04062012/policy/modules/contrib/mcelog.te	2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te	2012-08-06 00:27:04.614197400 +0200
> @@ -1,14 +1,37 @@
> -policy_module(mcelog, 1.1.0)
> +policy_module(mcelog, 1.1.1)
>  
>  ########################################
>  #
>  # Declarations
>  #
>  
> +## <desc>
> +## <p>
> +## Enable support for mcelog in client mode.
> +## </p>
> +## </desc>
> +gen_tunable(mcelog_client, false)
> +

No need to make the above conditional

>  type mcelog_t;
>  type mcelog_exec_t;
> +corecmd_executable_file(mcelog_exec_t);

no ");"
can probably remove coremd_executable_file(mcelog_exec_t); altogether

> +init_daemon_domain(mcelog_t, mcelog_exec_t)
> +
>  application_domain(mcelog_t, mcelog_exec_t)
no need for this (already enclosed in init_daemon_domain())

>  cron_system_entry(mcelog_t, mcelog_exec_t)

Above is optional, wrap in optional policy and move to policy and out of
declarations

> +role system_r types mcelog_t;

above is  redundant , already allowed in init_daemon_domain()

> +
> +type mcelog_initrc_exec_t;
> +init_script_file(mcelog_initrc_exec_t)
> +
> +type mcelog_etc_t;
> +files_config_file(mcelog_etc_t)
> +
> +type mcelog_log_t;
> +logging_log_file(mcelog_log_t)
> +
> +type mcelog_var_run_t;
> +files_pid_file(mcelog_var_run_t)
>  
>  ########################################
>  #
> @@ -22,11 +45,37 @@ kernel_read_system_state(mcelog_t)
>  dev_read_raw_memory(mcelog_t)
>  dev_read_kmsg(mcelog_t)
>  
> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
> +
> +# needed in daemon mode
>  files_read_etc_files(mcelog_t)
>  
> -# for /dev/mem access
> -mls_file_read_all_levels(mcelog_t)

> +locallogin_use_fds(mcelog_t)
>  
> +# append to a logfile in a generic var_log_t directory
> +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)

use:
create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
logging_log_filetrans(mcelog_t, mcelog_log_t, file)


> +
> +# use syslog functionality (optional, configurable)
>  logging_send_syslog_msg(mcelog_t)
>  
> +# to read the standard configuration file
> +mcelog_read_etc_files(mcelog_t)
duplicate


> +mcelog_stream_write(mcelog_t)

no needed

> +# needed for client mode
> +tunable_policy(`mcelog_client',`
> +	mcelog_read_stream_sockets(mcelog_t)
> +	mcelog_stream_connect(mcelog_t)
> +')

not needed, add:

allow mcelog_t self:unix_stream_socket create_socket_perms;

>  miscfiles_read_localization(mcelog_t)
> +
> +# for /dev/mem access
> +mls_file_read_all_levels(mcelog_t)
> +
> +term_use_all_ttys(mcelog_t)
> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc	2012-08-05 04:52:17.194005067 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc	2012-08-05 17:49:05.594838788 +0200
> @@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
>  /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>  
>  /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*.local		--	gen_context(system_u:object_r:bin_t,s0)

No, dont remove this

> -ifdef(`distro_redhat',`
> -/etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> -')

No dont remove this

>  /etc/mgetty+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
>  
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy