From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 06 Aug 2012 14:45:24 +0200
Subject: [refpolicy] [PATCH v2]: mcelog module initial rewrite
Message-ID: <201208061245.q76CjODc032232@vivaldi30.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Rewrite of mcelog module:
- version increment
- fix and extend file contexts (private types)
- support daemon mode and init scripting (+ deprecated and untested cron mode)
- support triggers for all distributions, while leaving compatibility with their alternate location in Fedora (and current policy)
- initial support for client mode (untested)
- support for sysfs (rw)
- includes several revisions from Dominick Grift

Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/mcelog.fc | 15 ++++++
 policy/modules/contrib/mcelog.if | 75 ++++++++++++++++++++++++++++++++++
 policy/modules/contrib/mcelog.te | 54 ++++++++++++++++++++++--
 policy/modules/kernel/corecommands.fc | 6 --
 4 files changed, 139 insertions(+), 11 deletions(-)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
--- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200
@@ -1 +1,16 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
+')
+
+/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
 /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
--- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200
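Review bot: The entry `/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)` uses an unescaped dot, so as a file-context regex it also matches names like `/etc/mcelog/foolocal`; the literal dot should be escaped, `/etc/mcelog/.*\.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)`. The pattern is inherited from the corecommands.fc lines this patch removes, so the defect is not new, but it now lands on a private type. Separately, giving the trigger scripts and the Fedora `triggers` directory contents the same `mcelog_exec_t` label as `/usr/sbin/mcelog` makes every trigger an entrypoint for `mcelog_t` under the `init_daemon_domain` declared in mcelog.te, not just something `mcelog_t` may `can_exec`; a dedicated trigger type would keep domain entry limited to the real binary.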
@@ -18,3 +18,78 @@ interface(`mcelog_domtrans',`
 domtrans_pattern($1, mcelog_exec_t, mcelog_t)
 ')
+########################################
+##
+## Read the mcelog configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mcelog_read_config',`
+ gen_require(`
+ type mcelog_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+ allow $1 mcelog_etc_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Create an mcelog unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_stream_socket_create',`
+ gen_require(`
+ type mcelog_t;
+ ')
+
+ allow $1 mcelog_t:unix_stream_socket create_socket_perms;
+')
+
+########################################
+##
+## Read from an mcelog unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_stream_socket_read',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ allow $1 mcelog_var_run_t:unix_stream_socket { read };
+')
+
+########################################
+##
+## Connect to mcelog over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mcelog_stream_socket_connect',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t);
+')
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
--- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)
 ########################################
 #
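Review bot: In `mcelog_stream_socket_read` the rule `allow $1 mcelog_var_run_t:unix_stream_socket { read };` pairs the pid/sock-file type with a socket class; a unix stream socket object carries the type of the domain that created it (here `mcelog_t`), while `mcelog_var_run_t` only labels the `/var/run/mcelog-client` sock_file on disk, so this rule is unlikely ever to match. The neighbouring `mcelog_stream_socket_connect` already has the right shape with `stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t)`, and the `gen_require` in the read interface lists `mcelog_t` without using it. `mcelog_stream_socket_create` only does anything when `$1` is `mcelog_t` itself, because any other caller creates sockets of its own type; the conventional refpolicy form is `allow mcelog_t self:unix_stream_socket create_stream_socket_perms;` in mcelog.te rather than an exported interface.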
@@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0)
 type mcelog_t;
 type mcelog_exec_t;
-application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+corecmd_executable_file(mcelog_exec_t);
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
 ########################################
 #
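Review bot: `corecmd_executable_file(mcelog_exec_t);` carries a trailing semicolon that no other interface call in this file has; the interface expands to complete statements on its own, so the extra `;` is left over as a stray token in the generated policy and may trip the compiler. Writing it as `corecmd_executable_file(mcelog_exec_t)` is enough. If I recall the refpolicy interfaces correctly, `init_daemon_domain` already reaches `corecmd_executable_file` through `domain_entry_file`, so the line may be redundant altogether — worth confirming against the build before keeping it.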
@@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_
 allow mcelog_t self:capability sys_admin;
+can_exec(mcelog_t, mcelog_exec_t)
+
 kernel_read_system_state(mcelog_t)
 dev_read_raw_memory(mcelog_t)
 dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
+
+# optional support for running it as a cron job
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
+
+# needed in daemon mode
 files_read_etc_files(mcelog_t)
-# for /dev/mem access
-mls_file_read_all_levels(mcelog_t)
+locallogin_use_fds(mcelog_t)
+
+# create/append a logfile in a private log directory
+create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+# use syslog functionality (optional, configurable)
 logging_send_syslog_msg(mcelog_t)
+# to read the standard configuration file
+mcelog_read_config(mcelog_t)
+
+mcelog_stream_socket_create(mcelog_t)
+mcelog_stream_socket_read(mcelog_t)
+mcelog_stream_socket_connect(mcelog_t)
+
 miscfiles_read_localization(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+term_use_all_ttys(mcelog_t)
diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
--- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
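Review bot: `term_use_all_ttys(mcelog_t)` at the end of the hunk grants read/write on every tty type to a daemon that also holds `sys_admin`, `dev_read_raw_memory` and `dev_rw_sysfs`; if the aim is only to silence denials when an administrator starts mcelog from a terminal, the refpolicy convention for daemons is a dontaudit such as `userdom_dontaudit_use_user_terminals(mcelog_t)` rather than an allow. `locallogin_use_fds(mcelog_t)` sits in the same category and would normally come with a comment naming the caller that needs it. The three `mcelog_stream_socket_*(mcelog_t)` calls on the daemon's own domain presumably serve the untested client mode from the description, where the same binary talks to the daemon; a one-line comment saying so (`# client mode: the same binary connects to the daemon socket`) would stop the next reader from taking them for misplaced client interfaces. Since `can_exec(mcelog_t, mcelog_exec_t)` runs the trigger scripts inside `mcelog_t`, the domain will presumably also need execution rights for the script interpreter, which this hunk does not add.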
@@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
 /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_redhat',`
-/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
 /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)