From: dominick.grift@gmail.com (Dominick Grift) Date: Mon, 06 Aug 2012 15:40:05 +0200 Subject: [refpolicy] [PATCH v2]: mcelog module initial rewrite In-Reply-To: <201208061245.q76CjODc032232@vivaldi30.register.it> References: <201208061245.q76CjODc032232@vivaldi30.register.it> Message-ID: <1344260405.29329.38.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote: > Rewrite of mcelog module: > - version increment > - fix and extend file contexts (private types) > - support daemon mode and init scripting (+ deprecated and untested cron mode) > - support triggers for all distributions, while leaving > compatibility with their alternate location in Fedora (and > current policy) > - initial support for client mode (untested) > - support for sysfs (rw) > - includes several revisions from Dominick Grift > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/mcelog.fc | 15 ++++++ > policy/modules/contrib/mcelog.if | 75 ++++++++++++++++++++++++++++++++++ > policy/modules/contrib/mcelog.te | 54 ++++++++++++++++++++++-- > policy/modules/kernel/corecommands.fc | 6 -- > 4 files changed, 139 insertions(+), 11 deletions(-) > > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc > --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200 > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200 > @@ -1 +1,16 @@ > +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0) > +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0) > +/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0) > + I dont have a good argument for using bin_t but i dont have a good argument for using mcelog_exec_t either , therefore i suggest keeping it bin_t > +ifdef(`distro_redhat',` > +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0) > +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0) > +') > + > +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0) > + Weird, i still dont see the periods escaped above. > /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) > + > +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0) > +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0) > +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if > --- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200 > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200 > @@ -18,3 +18,78 @@ interface(`mcelog_domtrans',` > domtrans_pattern($1, mcelog_exec_t, mcelog_t) > ') > > +######################################## > +## > +## Read the mcelog configuration files. I would probably use "Read mcelog configuration files." > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`mcelog_read_config',` I would probably call the interface "mcelog_read_config_files" or "mcelog_read_etc_files" > + gen_require(` > + type mcelog_etc_t; > + ') > + > + files_search_etc($1) > + read_files_pattern($1, mcelog_etc_t, mcelog_etc_t) > + allow $1 mcelog_etc_t:dir list_dir_perms; > +') > + > +######################################## > +## > +## Create an mcelog unix stream socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mcelog_stream_socket_create',` > + gen_require(` > + type mcelog_t; > + ') > + > + allow $1 mcelog_t:unix_stream_socket create_socket_perms; > +') Not needed. > +######################################## > +## > +## Read from an mcelog unix stream socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mcelog_stream_socket_read',` > + gen_require(` > + type mcelog_t, mcelog_var_run_t; > + ') > + > + allow $1 mcelog_var_run_t:unix_stream_socket { read }; > +') not needed. > +######################################## > +## > +## Connect to mcelog over an unix stream socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mcelog_stream_socket_connect',` > + gen_require(` > + type mcelog_t, mcelog_var_run_t; > + ') > + > + files_search_pids($1) > + stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t); > +') Not needed. > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te > --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200 > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200 > @@ -1,4 +1,4 @@ > -policy_module(mcelog, 1.1.0) > +policy_module(mcelog, 1.1.1) > > ######################################## > # > @@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0) > > type mcelog_t; > type mcelog_exec_t; > -application_domain(mcelog_t, mcelog_exec_t) > -cron_system_entry(mcelog_t, mcelog_exec_t) > +corecmd_executable_file(mcelog_exec_t); I still dont think corecmd_executable_file is needed. Not sure though. > +init_daemon_domain(mcelog_t, mcelog_exec_t) > + > +type mcelog_initrc_exec_t; > +init_script_file(mcelog_initrc_exec_t) > + > +type mcelog_etc_t; > +files_config_file(mcelog_etc_t) > + > +type mcelog_log_t; > +logging_log_file(mcelog_log_t) > + > +type mcelog_var_run_t; > +files_pid_file(mcelog_var_run_t) > > ######################################## > # > @@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_ > > allow mcelog_t self:capability sys_admin; add: allow mcelog_t self:unix_stream_socket create_stream_socket_perms; > > +can_exec(mcelog_t, mcelog_exec_t) > + If we keep using bin_t then this isnt needed > kernel_read_system_state(mcelog_t) > > dev_read_raw_memory(mcelog_t) > dev_read_kmsg(mcelog_t) > > +dev_rw_sysfs(mcelog_t) > + > +# optional support for running it as a cron job > +optional_policy(` > + cron_system_entry(mcelog_t, mcelog_exec_t) > +') > + > +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) > +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) > +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file }) > + > +# needed in daemon mode > files_read_etc_files(mcelog_t) > > -# for /dev/mem access > -mls_file_read_all_levels(mcelog_t) > +locallogin_use_fds(mcelog_t) > + > +# create/append a logfile in a private log directory > +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) > +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) > +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) > +logging_log_filetrans(mcelog_t, mcelog_log_t, file) > > +# use syslog functionality (optional, configurable) > logging_send_syslog_msg(mcelog_t) > > +# to read the standard configuration file > +mcelog_read_config(mcelog_t) use read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) Interfaces are not for internal use > + > +mcelog_stream_socket_create(mcelog_t) > +mcelog_stream_socket_read(mcelog_t) > +mcelog_stream_socket_connect(mcelog_t) > + none of the above are needed > miscfiles_read_localization(mcelog_t) > + > +# for /dev/mem access > +mls_file_read_all_levels(mcelog_t) > + > +term_use_all_ttys(mcelog_t) > diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc > --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200 > +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200 > @@ -72,12 +72,6 @@ ifdef(`distro_redhat',` > /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) > > /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) > -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) > -/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0) > - > -ifdef(`distro_redhat',` > -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) > -') > > /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) > > >