From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 06 Aug 2012 17:42:23 +0200
Subject: [refpolicy] My take on Guido Trentalancias' mcelog changes
Message-ID: <201208061542.q76FgNMs029019@vivaldi37.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

>On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
>> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
>> From: Dominick Grift <dominick.grift@gmail.com>
>> Date: Mon, 6 Aug 2012 16:16:48 +0200
>> Subject: [PATCH] Run mcelog as a daemon
>> 
>
>Looks like i am missing a file context specification for the
>mcelog_etc_t content.
>
>Where is it? is it "/etc/mcelog(/.*)?"

Please double-check, it should be there.

>> I haven't tested this.
>> I left out the "term_use_all_ttys(mcelog_t)"

It's for interactive use (including printing out the help file by using --help).

>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>> diff --git a/mcelog.fc b/mcelog.fc
>> index 56c43c0..a16de0a 100644
>> --- a/mcelog.fc
>> +++ b/mcelog.fc
>> @@ -1 +1,8 @@
>> +/etc/rc.d/init.d/mcelog	--	gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
>> +
>>  /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +
>> +/var/log/mcelog.*	--	gen_context(system_u:object_r:mcelog_log_t,s0)
>> +
>> +/var/run/mcelog.pid	--	gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> +/var/run/mcelog-client	-s	gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> diff --git a/mcelog.te b/mcelog.te
>> index 5671977..79d5856 100644
>> --- a/mcelog.te
>> +++ b/mcelog.te
>> @@ -7,8 +7,19 @@
>>  
>>  type mcelog_t;
>>  type mcelog_exec_t;
>> -application_domain(mcelog_t, mcelog_exec_t)
>> -cron_system_entry(mcelog_t, mcelog_exec_t)
>> +init_daemon_domain(mcelog_t, mcelog_exec_t)
>> +
>> +type mcelog_initrc_exec_t;
>> +init_script_file(mcelog_initrc_exec_t)
>> +
>> +type mcelog_etc_t;
>> +files_config_file(mcelog_etc_t)
>> +
>> +type mcelog_log_t;
>> +logging_log_file(mcelog_log_t)
>> +
>> +type mcelog_var_run_t;
>> +files_pid_file(mcelog_var_run_t)
>>  
>>  ########################################
>>  #
>> @@ -16,11 +27,29 @@
>>  #
>>  
>>  allow mcelog_t self:capability sys_admin;
>> +allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>> +
>> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
>> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>> +
>> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>> +
>> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>>  
>>  kernel_read_system_state(mcelog_t)
>>  
>> +corecmd_exec_bin(mcelog_t)
>> +
>>  dev_read_raw_memory(mcelog_t)
>>  dev_read_kmsg(mcelog_t)
>> +dev_rw_sysfs(mcelog_t)
>> +
>> +domain_use_interactive_fds(mcelog_t)
>>  
>>  files_read_etc_files(mcelog_t)
>>  
>> @@ -30,3 +59,7 @@
>>  logging_send_syslog_msg(mcelog_t)
>>  
>>  miscfiles_read_localization(mcelog_t)
>> +
>> +optional_policy(`
>> +	cron_system_entry(mcelog_t, mcelog_exec_t)
>> +')
>
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
>
>