From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 06 Aug 2012 21:44:11 +0200
Subject: [refpolicy] [PATCH v3]: mcelog module initial rewrite
In-Reply-To: <50201053.9000506@trentalancia.com>
References: <201208061519.q76FJcDp011962@vivaldi31.register.it> <1344267046.29329.57.camel@d30.localdomain> <50201053.9000506@trentalancia.com>
Message-ID: <1344282251.29329.73.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-08-06 at 20:43 +0200, Guido Trentalancia wrote:

> > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/mcelog.fc | 15 +++++++ > policy/modules/contrib/mcelog.te | 67 > +++++++++++++++++++++++++++++++--- > policy/modules/kernel/corecommands.fc | 6 --- > 3 files changed, 77 insertions(+), 11 deletions(-) > > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc > refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc > --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 > 18:29:23.578610955 +0200 > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc > 2012-08-06 21:11:19.617661468 +0200 
> @@ -1 +1,16 @@ > +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0) > +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) > +/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) > + > +ifdef(`distro_redhat',` > +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0) > +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)

The context specs with bin_t do not belong in this module. They should be moved to corecommands.fc (I believe)

> +') > + > +/etc/rc\.d/init\.d/mcelog -- > gen_context(system_u:object_r:mcelog_initrc_exec_t,s0) > + > /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) > + > +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)

I would use "/var/log/mcelog.*" for logrotate support. logrotate sometimes appends datestamps to rotated logs and we still want them to keep the right label

> +/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0) > +/var/run/mcelog-client -s > gen_context(system_u:object_r:mcelog_var_run_t,s0) > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te > refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te > --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 > 18:29:23.578610955 +0200 > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te > 2012-08-06 22:18:27.551975687 +0200 > @@ -1,14 +1,34 @@ > -policy_module(mcelog, 1.1.0) > +policy_module(mcelog, 1.1.1) > > ######################################## > # > # Declarations > # > > +## > +##

> +## Allow mcelog to use all the ttys. > +## Required in foreground mode and to > +## print out usage and version information. > +##

> +##
> +gen_tunable(mcelog_foreground, true)

No need for a boolean for this imho

> type mcelog_t; > type mcelog_exec_t; > -application_domain(mcelog_t, mcelog_exec_t) > -cron_system_entry(mcelog_t, mcelog_exec_t) > +init_daemon_domain(mcelog_t, mcelog_exec_t) > + > +type mcelog_initrc_exec_t; > +init_script_file(mcelog_initrc_exec_t) > + > +type mcelog_etc_t; > +files_config_file(mcelog_etc_t) > + > +type mcelog_log_t; > +logging_log_file(mcelog_log_t) > + > +type mcelog_var_run_t; > +files_pid_file(mcelog_var_run_t) > > ######################################## > # 
> @@ -17,16 +37,53 @@ cron_system_entry(mcelog_t, mcelog_exec_ > > allow mcelog_t self:capability sys_admin; > > +allow mcelog_t mcelog_etc_t:dir list_dir_perms; > + > +allow mcelog_t mcelog_t:unix_stream_socket create_socket_perms;

This needs to go under the "allow mcelog_t self:capability sys_admin;" See style guide. Also use create_stream_socket_perms instead of create_socket_perms

> kernel_read_system_state(mcelog_t) > > +corecmd_exec_bin(mcelog_t) > + > dev_read_raw_memory(mcelog_t) > dev_read_kmsg(mcelog_t) > +dev_rw_sysfs(mcelog_t) > + > +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) > +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) > +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })

This needs to go above "kernel_read_system_state(mcelog_t)". See style guide

> files_read_etc_files(mcelog_t) > +files_search_etc(mcelog_t)

No need for this. files_read_etc_files(mcelog_t) already allows this

> +files_search_pids(mcelog_t) > +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) > +

This needs to go above kernel_read_system_state(mcelog_t). See style guide

> +locallogin_use_fds(mcelog_t) > + > +# manage a logfile in a generic or private log directory > +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) > +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) > +logging_log_filetrans(mcelog_t, mcelog_log_t, file)

This needs to go above kernel_read_system_state(mcelog_t). See style guide

> +# use syslog functionality (optional, configurable) > +logging_send_syslog_msg(mcelog_t) > + > +miscfiles_read_localization(mcelog_t) > > # for /dev/mem access > mls_file_read_all_levels(mcelog_t) > > -logging_send_syslog_msg(mcelog_t) > +stream_connect_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t, > mcelog_t)

This isn't needed

> -miscfiles_read_localization(mcelog_t) > +term_dontaudit_use_all_ptys(mcelog_t) > +term_dontaudit_use_all_ttys(mcelog_t)

Not needed. Use: userdom_use_user_terminals(mcelog_t)

> +tunable_policy(`mcelog_foreground',` > +term_use_all_ttys(mcelog_t) > +term_use_all_ptys(mcelog_t) > +')

Not needed.

> +# optional support for running it as a cron job > +optional_policy(` > + cron_system_entry(mcelog_t, mcelog_exec_t) > +') > Binary files refpolicy-04062012/policy/modules/contrib/.xen.te.swp and > refpolicy-04062012-mcelog-support/policy/modules/contrib/.xen.te.swp differ > diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc > refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc > --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 > 04:52:17.194005067 +0200 > +++ > refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc > 2012-08-05 17:49:05.594838788 +0200 > @@ -72,12 +72,6 @@ ifdef(`distro_redhat',` > /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) > > /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) > -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) > -/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) > - > -ifdef(`distro_redhat',` > -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) > -')

Don't remove this, this belongs here and not in mcelog.fc

> /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) > >
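
Review bot: in the mcelog.fc hunk, the `distro_redhat` block carries two specs that both match the directory /etc/mcelog/triggers itself: the `-d` entry with mcelog_etc_t, and `/etc/mcelog/triggers(/.*)?` with bin_t, whose optional group also matches the bare directory path. The label the directory ends up with then rests on file-context match precedence rather than on what the spec text says. Writing the second spec as `/etc/mcelog/triggers/.*` would label only the contents as bin_t and leave the directory entry unambiguous.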
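
Review bot: `gen_tunable(mcelog_foreground, true)` in the Declarations hunk of mcelog.te defaults to true, so the `term_use_all_ttys` / `term_use_all_ptys` access gated by it later in the patch is granted on every system unless someone turns the boolean off. The tunable's own description limits the need to foreground mode and to printing usage and version information, while the same hunk makes mcelog an `init_daemon_domain`. If the tunable is kept, default it to false so that access to all ttys and ptys is opt-in.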
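
Review bot: `dev_rw_sysfs(mcelog_t)` in the second mcelog.te hunk (`@@ -17,16 +37,53 @@`) adds write access to sysfs with no comment saying what mcelog writes there, unlike the `# for /dev/mem access` comment that justifies the MLS rule a few lines further down. Add a one-line comment naming the reason for the write access, or use the read-only `dev_read_sysfs` if writes are not required. In the same hunk the `term_dontaudit_use_all_ttys` / `term_dontaudit_use_all_ptys` rules are unconditional while the tunable block allows the same access, so when the boolean is on the dontaudit rules are dead weight; they would fit better in the else branch of `tunable_policy`.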
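
Review bot: the `Binary files ... .xen.te.swp ... differ` line between the mcelog.te and corecommands.fc diffs shows the patch was generated from a tree that contained an editor swap file for xen.te, which has nothing to do with mcelog and is not counted in the diffstat. Regenerate the diff with swap files excluded (for example by adding `-x '*.swp'` to the `diff -pruN` invocation) so the submission contains only the three listed files.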