From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 06 Aug 2012 21:44:11 +0200
Subject: [refpolicy] [PATCH v3]: mcelog module initial rewrite
In-Reply-To: <50201053.9000506@trentalancia.com>
References: <201208061519.q76FJcDp011962@vivaldi31.register.it>
	<1344267046.29329.57.camel@d30.localdomain>
	<50201053.9000506@trentalancia.com>
Message-ID: <1344282251.29329.73.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com



On Mon, 2012-08-06 at 20:43 +0200, Guido Trentalancia wrote:

> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/contrib/mcelog.fc      |   15 +++++++
>   policy/modules/contrib/mcelog.te      |   67 
> +++++++++++++++++++++++++++++++---
>   policy/modules/kernel/corecommands.fc |    6 ---
>   3 files changed, 77 insertions(+), 11 deletions(-)
> 
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc 
> refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc	2011-09-09 
> 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 
> 2012-08-06 21:11:19.617661468 +0200
> @@ -1 +1,16 @@
> +/etc/mcelog(/.*)?	gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
> +/etc/mcelog/.*\.local		--	gen_context(system_u:object_r:bin_t,s0)
> +
> +ifdef(`distro_redhat',`
> +/etc/mcelog/triggers	-d	gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/triggers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
The context specs with bin_t do not belong in this module. they should
be moved to corecommands.fc (i believe)

> +')
> +
> +/etc/rc\.d/init\.d/mcelog	-- 
> gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
> +
>   /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
> +/var/log/mcelog		--	gen_context(system_u:object_r:mcelog_log_t,s0)

I would use "/var/log/mcelog.*" for logrotate support. logrotate
sometimes append datestamps to rotated logs and we still want them to
keep the right label

> +/var/run/mcelog\.pid	--	gen_context(system_u:object_r:mcelog_var_run_t,s0)
> +/var/run/mcelog-client	-s 
> gen_context(system_u:object_r:mcelog_var_run_t,s0)
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te 
> refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
> --- refpolicy-04062012/policy/modules/contrib/mcelog.te	2011-09-09 
> 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 
> 2012-08-06 22:18:27.551975687 +0200
> @@ -1,14 +1,34 @@
> -policy_module(mcelog, 1.1.0)
> +policy_module(mcelog, 1.1.1)
> 
>   ########################################
>   #
>   # Declarations
>   #
> 
> +## <desc>
> +## <p>
> +## Allow mcelog to use all the ttys.
> +## Required in foreground mode and to
> +## print out usage and version information.
> +## </p>
> +## </desc>
> +gen_tunable(mcelog_foreground, true)

No need for a boolean for this imho

>   type mcelog_t;
>   type mcelog_exec_t;
> -application_domain(mcelog_t, mcelog_exec_t)
> -cron_system_entry(mcelog_t, mcelog_exec_t)
> +init_daemon_domain(mcelog_t, mcelog_exec_t)
> +
> +type mcelog_initrc_exec_t;
> +init_script_file(mcelog_initrc_exec_t)
> +
> +type mcelog_etc_t;
> +files_config_file(mcelog_etc_t)
> +
> +type mcelog_log_t;
> +logging_log_file(mcelog_log_t)
> +
> +type mcelog_var_run_t;
> +files_pid_file(mcelog_var_run_t)
> 
>   ########################################
>   #
> @@ -17,16 +37,53 @@ cron_system_entry(mcelog_t, mcelog_exec_
> 
>   allow mcelog_t self:capability sys_admin;
> 
> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
> +
> +allow mcelog_t mcelog_t:unix_stream_socket create_socket_perms;
This needs to go under the "allow mcelog_t self:capability sysadmin;"
See style guide.

also use create_stream_socket_perms instead of create_socket_perms

>   kernel_read_system_state(mcelog_t)
> 
> +corecmd_exec_bin(mcelog_t)
> +
>   dev_read_raw_memory(mcelog_t)
>   dev_read_kmsg(mcelog_t)
> +dev_rw_sysfs(mcelog_t)
> +
> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })

This needs to above "kernel_read_system_state(mcelog_t) See style guide

>   files_read_etc_files(mcelog_t)
> +files_search_etc(mcelog_t)

No need for this. files_read_etc_files(mcelog_t) already allow this

> +files_search_pids(mcelog_t)
> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
> +
This needs to go above kernel_read_system_state(mcelog_t) See style
guide

> +locallogin_use_fds(mcelog_t)
> +
> +# manage a logfile in a generic or private log directory
> +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)

This needs to go above kernel_read_system_state(mcelog_t) See style
guide

> +# use syslog functionality (optional, configurable)
> +logging_send_syslog_msg(mcelog_t)
> +
> +miscfiles_read_localization(mcelog_t)
> 
>   # for /dev/mem access
>   mls_file_read_all_levels(mcelog_t)
> 
> -logging_send_syslog_msg(mcelog_t)
> +stream_connect_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t, 
> mcelog_t)

This isnt needed

> -miscfiles_read_localization(mcelog_t)
> +term_dontaudit_use_all_ptys(mcelog_t)
> +term_dontaudit_use_all_ttys(mcelog_t)

not needed. use: userdom_use_user_terminals(mcelog_t)

> +tunable_policy(`mcelog_foreground',`
> +term_use_all_ttys(mcelog_t)
> +term_use_all_ptys(mcelog_t)
> +')

Not needed.

> +# optional support for running it as a cron job
> +optional_policy(`
> +        cron_system_entry(mcelog_t, mcelog_exec_t)
> +')
> Binary files refpolicy-04062012/policy/modules/contrib/.xen.te.swp and 
> refpolicy-04062012-mcelog-support/policy/modules/contrib/.xen.te.swp differ
> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc 
> refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc	2012-08-05 
> 04:52:17.194005067 +0200
> +++ 
> refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 
> 2012-08-05 17:49:05.594838788 +0200
> @@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
>   /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
> 
>   /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*\.local		--	gen_context(system_u:object_r:bin_t,s0)
> -
> -ifdef(`distro_redhat',`
> -/etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
> -')

dont remove this, this belongs here and not in mcelog.fc

>   /etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
> 
>