From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 06 Aug 2012 20:43:31 +0200
Subject: [refpolicy] [PATCH v3]: mcelog module initial rewrite
In-Reply-To: <1344267046.29329.57.camel@d30.localdomain>
References: <201208061519.q76FJcDp011962@vivaldi31.register.it> <1344267046.29329.57.camel@d30.localdomain>
Message-ID: <50201053.9000506@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/08/2012 17:30, Dominick Grift wrote:
> On Mon, 2012-08-06 at 17:19 +0200, Guido Trentalancia wrote:
>> If we keep bin_t, then we need to use corecmd_exec_bin() or whatever that is called, which means it can execute any script and in particular any binary.
>>
>> So, the good reason is restricting the type of files that mcelog can execute. In my opinion policy should always be designed that way, when the application needs to execute internal (or user-defined) scripts or binaries (as opposed to system-wide executables in /bin, /sbin, /usr/bin or /usr/sbin).
>>
>> Unless you give me a good reason, I won't change that.

A good reason is that it won't work properly as it was and this is because the triggers are scripts which in turn execute generic bin_t. So, I have changed the executable file contexts as generic bin_t.

> The only good reason I can come up with right now is that if you change
> this the maintainer might not accept the patch.
>
>> Ok. I will create a third version (v3) with further changes as necessary.
>
> This interface is not needed at all.

I have then removed all internal interfaces and also added other stylistic corrections as you suggested. However, I have not removed term_use_all_ttys completely because otherwise the user might think the application is broken, while it is not (consider that --help and a foreground mode are all referenced in the manual page). Instead I have created a tunable policy to disable use of ttys in a paranoid setting (the default is that the application is allowed to use ttys).
Consider, it wasn't working at all in current policy, that's why I have rushed a little bit more with an initial version.

Here is the latest version (v3):

Rewrite of mcelog module:
- version increment
- fix and extend file contexts (private types)
- support daemon mode and init scripting (+ deprecated and untested cron mode)
- support triggers for all distributions, while leaving compatibility with their alternate location in Fedora (and current policy)
- initial support for client mode (untested)
- support for sysfs (rw)
- includes several revisions from Dominick Grift

Signed-off-by: Guido Trentalancia

--- policy/modules/contrib/mcelog.fc | 15 +++++++ policy/modules/contrib/mcelog.te | 67 +++++++++++++++++++++++++++++++--- policy/modules/kernel/corecommands.fc | 6 --- 3 files changed, 77 insertions(+), 11 deletions(-) diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200 +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 21:11:19.617661468 +0200 
@@ -1 +1,16 @@ +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0) +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) +/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) + +ifdef(`distro_redhat',` +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0) +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) +') + +/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0) + /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) + +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0) +/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0) +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200 +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 22:18:27.551975687 +0200 @@ -1,14 +1,34 @@ -policy_module(mcelog, 1.1.0) +policy_module(mcelog, 1.1.1) ######################################## # # Declarations # +## +##

+## Allow mcelog to use all the ttys. +## Required in foreground mode and to +## print out usage and version information. +##

+##
+gen_tunable(mcelog_foreground, true) + type mcelog_t; type mcelog_exec_t; -application_domain(mcelog_t, mcelog_exec_t) -cron_system_entry(mcelog_t, mcelog_exec_t) +init_daemon_domain(mcelog_t, mcelog_exec_t) + +type mcelog_initrc_exec_t; +init_script_file(mcelog_initrc_exec_t) + +type mcelog_etc_t; +files_config_file(mcelog_etc_t) + +type mcelog_log_t; +logging_log_file(mcelog_log_t) + +type mcelog_var_run_t; +files_pid_file(mcelog_var_run_t) ######################################## # 
@@ -17,16 +37,53 @@ cron_system_entry(mcelog_t, mcelog_exec_ allow mcelog_t self:capability sys_admin; +allow mcelog_t mcelog_etc_t:dir list_dir_perms; + +allow mcelog_t mcelog_t:unix_stream_socket create_socket_perms; + kernel_read_system_state(mcelog_t) +corecmd_exec_bin(mcelog_t) + dev_read_raw_memory(mcelog_t) dev_read_kmsg(mcelog_t) +dev_rw_sysfs(mcelog_t) + +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file }) files_read_etc_files(mcelog_t) +files_search_etc(mcelog_t) +files_search_pids(mcelog_t) +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) + +locallogin_use_fds(mcelog_t) + +# manage a logfile in a generic or private log directory +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) +logging_log_filetrans(mcelog_t, mcelog_log_t, file) + +# use syslog functionality (optional, configurable) +logging_send_syslog_msg(mcelog_t) + +miscfiles_read_localization(mcelog_t) # for /dev/mem access mls_file_read_all_levels(mcelog_t) -logging_send_syslog_msg(mcelog_t) +stream_connect_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t, mcelog_t) -miscfiles_read_localization(mcelog_t) +term_dontaudit_use_all_ptys(mcelog_t) +term_dontaudit_use_all_ttys(mcelog_t) + +tunable_policy(`mcelog_foreground',` +term_use_all_ttys(mcelog_t) +term_use_all_ptys(mcelog_t) +') + +# optional support for running it as a cron job +optional_policy(` + cron_system_entry(mcelog_t, mcelog_exec_t) +') Binary files refpolicy-04062012/policy/modules/contrib/.xen.te.swp and refpolicy-04062012-mcelog-support/policy/modules/contrib/.xen.te.swp differ diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 
04:52:17.194005067 +0200 +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200 @@ -72,12 +72,6 @@ ifdef(`distro_redhat',` /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) -/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) - -ifdef(`distro_redhat',` -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) -') /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
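
Review bot: in the mcelog.fc hunk, the distro_redhat entry "/etc/mcelog/triggers(/.*)?" has no file-type specifier and its "(/.*)?" group is optional, so it matches the triggers directory itself as well as everything under it. That overlaps the "-d" entry on the line above, which labels the same directory mcelog_etc_t, and the label the directory ends up with then depends on file-context match ordering. Suggest making the pattern "/etc/mcelog/triggers/.*" with "--", so the directory keeps mcelog_etc_t and only the trigger scripts are labelled bin_t.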
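
Review bot: in the first mcelog.te hunk, the description of the mcelog_foreground tunable says it allows use of "all the ttys", but the tunable_policy block it controls in the second hunk also calls term_use_all_ptys(mcelog_t). Either mention ptys in the description or drop that call. The term_dontaudit_use_all_ptys and term_dontaudit_use_all_ttys calls are also emitted unconditionally next to the conditional allow; putting them in the else branch of tunable_policy would make it clear that denials are only silenced when the tunable is off. The body of the tunable_policy block should be indented with a tab like the optional_policy block below it.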
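
Review bot: in the second mcelog.te hunk, "allow mcelog_t mcelog_t:unix_stream_socket create_socket_perms;" names the domain twice where the rule just above it uses self, and create_socket_perms does not include listen or accept, which the daemon needs to serve the /var/run/mcelog-client socket labelled in mcelog.fc. Suggest "allow mcelog_t self:unix_stream_socket create_stream_socket_perms;". In the same hunk, corecmd_exec_bin(mcelog_t) has no comment: since it lets a domain holding sys_admin and dev_read_raw_memory execute any bin_t file without a transition, a one-line comment saying it is there for the trigger scripts would record why the broad access was chosen. files_search_etc(mcelog_t) also looks redundant next to files_read_etc_files(mcelog_t).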
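
Review bot: the "Binary files ... .xen.te.swp ... differ" line after the mcelog.te diff is an editor swap file from an unrelated module that diff -pruN picked up from the working tree. It is not part of the mcelog change. Regenerate the patch from a clean tree, or exclude swap files with diff's -x option, before resubmitting.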
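
Review bot: in the corecommands.fc hunk, the three mcelog bin_t entries are removed and re-added in mcelog.fc, while the surrounding context lines (/etc/kde/shutdown, /etc/mail/make, /etc/mgetty\+sendfax/new_fax) show that bin_t contexts for other packages stay in this file. Moving only the mcelog entries makes a contrib module carry file contexts for a type declared by corecommands, and the trigger scripts lose their bin_t label wherever the mcelog module is not installed. Unless the move is needed for the new "-d" entry, leave these lines in corecommands.fc. If they do move, say so in the commit message, which currently only lists "fix and extend file contexts (private types)".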