From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 07 Aug 2012 19:34:00 +0200
Subject: [refpolicy] [PATCH v4]: mcelog module initial rewrite
In-Reply-To: <1344282251.29329.73.camel@d30.localdomain>
References: <201208061519.q76FJcDp011962@vivaldi31.register.it> <1344267046.29329.57.camel@d30.localdomain> <50201053.9000506@trentalancia.com> <1344282251.29329.73.camel@d30.localdomain>
Message-ID: <50215188.7040900@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Here is the latest (v4) version of the mcelog module:

Rewrite of mcelog module:
- version increment
- fix and extend file contexts (private types)
- support daemon mode and init scripting (+ deprecated and untested cron mode)
- support optional triggers for all distributions, while leaving compatibility with their alternate location in Fedora (and current policy)
- initial configurable support for client/server mode (untested)
- support for sysfs (rw)
- includes several revisions from Dominick Grift

Signed-off-by: Guido Trentalancia
--- policy/modules/contrib/mcelog.fc | 12 +++ policy/modules/contrib/mcelog.te | 119 ++++++++++++++++++++++++++++++++-- policy/modules/kernel/corecommands.fc | 8 ++ 3 files changed, 133 insertions(+), 6 deletions(-) diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200 +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-07 21:10:43.247757154 +0200 
@@ -1 +1,13 @@ +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0) + +ifdef(`distro_redhat',` +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0) +') + +/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0) + /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0) +/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0) +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200 +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-07 20:53:05.056511692 +0200 @@ -1,14 +1,70 @@ -policy_module(mcelog, 1.1.0) +policy_module(mcelog, 1.1.1) ######################################## # # Declarations # +## +##

+## Allow mcelog to run in client mode. +## Required to run mcelog in client +## mode. +##

+##
+gen_tunable(mcelog_client, false) + +## +##

+## Allow mcelog to execute scripts. +## Required to execute optional triggers +## and/or local scripts. +##

+##
+gen_tunable(mcelog_exec_scripts, true) + +## +##

+## Allow mcelog to use all the user ttys. +## Required in foreground mode and to +## print out usage and version information. +##

+##
+gen_tunable(mcelog_foreground, true) + +## +##

+## Allow mcelog to run a server. +## Required to enable the optional configurable +## Unix stream socket server functionality. +##

+##
+gen_tunable(mcelog_server, false) + +## +##

+## Allow mcelog to use syslog. +## Required to use the configurable +## syslog option. +##

+##
+gen_tunable(mcelog_syslog, true) + type mcelog_t; type mcelog_exec_t; -application_domain(mcelog_t, mcelog_exec_t) -cron_system_entry(mcelog_t, mcelog_exec_t) +init_daemon_domain(mcelog_t, mcelog_exec_t) + +type mcelog_initrc_exec_t; +init_script_file(mcelog_initrc_exec_t) + +type mcelog_etc_t; +files_config_file(mcelog_etc_t) + +type mcelog_log_t; +logging_log_file(mcelog_log_t) + +type mcelog_var_run_t; +files_pid_file(mcelog_var_run_t) ######################################## # 
@@ -17,16 +73,69 @@ cron_system_entry(mcelog_t, mcelog_exec_ allow mcelog_t self:capability sys_admin; +allow mcelog_t mcelog_etc_t:dir list_dir_perms; + +files_search_pids(mcelog_t) +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) + +# manage a logfile in a generic or private log directory +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) +logging_log_filetrans(mcelog_t, mcelog_log_t, file) + +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file }) + kernel_read_system_state(mcelog_t) dev_read_raw_memory(mcelog_t) dev_read_kmsg(mcelog_t) +dev_rw_sysfs(mcelog_t) files_read_etc_files(mcelog_t) +files_search_pids(mcelog_t) +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) -# for /dev/mem access -mls_file_read_all_levels(mcelog_t) +locallogin_use_fds(mcelog_t) +# use syslog functionality (optional, configurable) logging_send_syslog_msg(mcelog_t) miscfiles_read_localization(mcelog_t) + +# for /dev/mem access +mls_file_read_all_levels(mcelog_t) + +# needed in client-mode +tunable_policy(`mcelog_client',` + stream_connect_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t, mcelog_t) +') + +# required for executing optional triggers and scripts +tunable_policy(`mcelog_exec_scripts',` + allow mcelog_t self:fifo_file { read getattr write }; + corecmd_exec_bin(mcelog_t) + corecmd_exec_shell(mcelog_t) +') + +# required for optional foreground mode and +# console output +tunable_policy(`mcelog_foreground',` + userdom_use_user_terminals(mcelog_t) +') + +# required for the optional server functionality +tunable_policy(`mcelog_server',` + allow mcelog_t self:unix_stream_socket create_stream_socket_perms; +') + +# use syslog functionality (optional, configurable) +tunable_policy(`mcelog_syslog',` + logging_send_syslog_msg(mcelog_t) +') + +# 
optional support for running it as a cron job +optional_policy(` + cron_system_entry(mcelog_t, mcelog_exec_t) +') diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-07 18:38:05.323569047 +0200 +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-07 15:54:20.796905090 +0200 @@ -72,8 +72,14 @@ ifdef(`distro_redhat',` /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) -/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0) + +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) +/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) + +ifdef(`distro_redhat',` /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) +') + /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) On 06/08/2012 21:44, Dominick Grift wrote: > > > On Mon, 2012-08-06 at 20:43 +0200, Guido Trentalancia wrote: > >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/contrib/mcelog.fc | 15 +++++++ >> policy/modules/contrib/mcelog.te | 67 >> +++++++++++++++++++++++++++++++--- >> policy/modules/kernel/corecommands.fc | 6 --- >> 3 files changed, 77 insertions(+), 11 deletions(-) >> >> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc >> refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc >> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 >> 18:29:23.578610955 +0200 >> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc >> 2012-08-06 21:11:19.617661468 +0200 
>> @@ -1 +1,16 @@ >> +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0) >> +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) >> +/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) >> + >> +ifdef(`distro_redhat',` >> +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0) >> +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) > The context specs with bin_t do not belong in this module. They should > be moved to corecommands.fc (I believe). Done. >> +') >> + >> +/etc/rc\.d/init\.d/mcelog -- >> gen_context(system_u:object_r:mcelog_initrc_exec_t,s0) >> + >> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) >> + >> +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0) > > I would use "/var/log/mcelog.*" for logrotate support. logrotate > sometimes appends datestamps to rotated logs and we still want them to > keep the right label. Good idea! >> +/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0) >> +/var/run/mcelog-client -s >> gen_context(system_u:object_r:mcelog_var_run_t,s0) >> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te >> refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te >> --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 >> 18:29:23.578610955 +0200 >> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te >> 2012-08-06 22:18:27.551975687 +0200 >> @@ -1,14 +1,34 @@ >> -policy_module(mcelog, 1.1.0) >> +policy_module(mcelog, 1.1.1) >> >> ######################################## >> # >> # Declarations >> # >> >> +## >> +##

>> +## Allow mcelog to use all the ttys. >> +## Required in foreground mode and to >> +## print out usage and version information. >> +##

>> +##
>> +gen_tunable(mcelog_foreground, true) > > No need for a boolean for this IMHO. I've decided to leave them and add another one for syslog functionality. They all default to true (except for the client/server ones, see below), so each user has maximum freedom of choice, while leaving a default full-featured behaviour. >> type mcelog_t; >> type mcelog_exec_t; >> -application_domain(mcelog_t, mcelog_exec_t) >> -cron_system_entry(mcelog_t, mcelog_exec_t) >> +init_daemon_domain(mcelog_t, mcelog_exec_t) >> + >> +type mcelog_initrc_exec_t; >> +init_script_file(mcelog_initrc_exec_t) >> + >> +type mcelog_etc_t; >> +files_config_file(mcelog_etc_t) >> + >> +type mcelog_log_t; >> +logging_log_file(mcelog_log_t) >> + >> +type mcelog_var_run_t; >> +files_pid_file(mcelog_var_run_t) >> >> ######################################## >> # 
>> @@ -17,16 +37,53 @@ cron_system_entry(mcelog_t, mcelog_exec_ >> >> allow mcelog_t self:capability sys_admin; >> >> +allow mcelog_t mcelog_etc_t:dir list_dir_perms; >> + >> +allow mcelog_t mcelog_t:unix_stream_socket create_socket_perms; > This needs to go under the "allow mcelog_t self:capability sysadmin;" > See style guide. > > Also use create_stream_socket_perms instead of create_socket_perms. Done. >> kernel_read_system_state(mcelog_t) >> >> +corecmd_exec_bin(mcelog_t) >> + >> dev_read_raw_memory(mcelog_t) >> dev_read_kmsg(mcelog_t) >> +dev_rw_sysfs(mcelog_t) >> + >> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) >> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) >> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file }) > > This needs to go above "kernel_read_system_state(mcelog_t)". See style guide. Done. >> files_read_etc_files(mcelog_t) >> +files_search_etc(mcelog_t) > > No need for this. files_read_etc_files(mcelog_t) already allows this. Done. >> +files_search_pids(mcelog_t) >> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) >> + > This needs to go above kernel_read_system_state(mcelog_t). See style > guide. Done. >> +locallogin_use_fds(mcelog_t) >> + >> +# manage a logfile in a generic or private log directory >> +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) >> +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) >> +logging_log_filetrans(mcelog_t, mcelog_log_t, file) > > This needs to go above kernel_read_system_state(mcelog_t). See style > guide. Done. >> +# use syslog functionality (optional, configurable) >> +logging_send_syslog_msg(mcelog_t) >> + >> +miscfiles_read_localization(mcelog_t) >> >> # for /dev/mem access >> mls_file_read_all_levels(mcelog_t) >> >> -logging_send_syslog_msg(mcelog_t) >> +stream_connect_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t, >> mcelog_t) > > This isn't needed. It's needed for the (untested) client mode. 
There is a boolean for that (and for the server mode, as one might want to write another client for example). >> -miscfiles_read_localization(mcelog_t) >> +term_dontaudit_use_all_ptys(mcelog_t) >> +term_dontaudit_use_all_ttys(mcelog_t) > > Not needed. Use: userdom_use_user_terminals(mcelog_t) It works and it appears to be widely used. However, it is not entirely clear to me what would happen if the userdomain module is explicitly turned off and whether it will keep working in single-user mode... >> +tunable_policy(`mcelog_foreground',` >> +term_use_all_ttys(mcelog_t) >> +term_use_all_ptys(mcelog_t) >> +') > > Not needed. See above. >> +# optional support for running it as a cron job >> +optional_policy(` >> + cron_system_entry(mcelog_t, mcelog_exec_t) >> +') >> Binary files refpolicy-04062012/policy/modules/contrib/.xen.te.swp and >> refpolicy-04062012-mcelog-support/policy/modules/contrib/.xen.te.swp differ >> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc >> refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc >> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 >> 04:52:17.194005067 +0200 >> +++ >> refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc >> 2012-08-05 17:49:05.594838788 +0200 >> @@ -72,12 +72,6 @@ ifdef(`distro_redhat',` >> /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) >> >> /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) >> -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) >> -/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) >> - >> -ifdef(`distro_redhat',` >> -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) >> -') > > Don't remove this; this belongs here and not in mcelog.fc. Right, after reverting the scripts to bin_t, I have now moved it back to corecommands. >> /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) >> >> Regards, Guido
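
Review bot: In the v4 mcelog.fc hunk, the `/var/log/mcelog.*` entry is restricted to regular files by `--`, yet the mcelog.te changes add `manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)` under the comment "manage a logfile in a generic or private log directory". No file context in the patch labels a directory mcelog_log_t, and `logging_log_filetrans(mcelog_t, mcelog_log_t, file)` only covers the `file` class, so a private log directory would never receive the private type. Either add a directory spec (and `dir` to the filetrans) or drop the directory rule.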
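
Review bot: `gen_tunable(mcelog_exec_scripts, true)` in the first v4 mcelog.te hunk turns on, by default, the branch that grants `corecmd_exec_bin(mcelog_t)` and `corecmd_exec_shell(mcelog_t)`. Both execute without a domain transition, so triggers, local scripts and any shell they start run as mcelog_t, which in this patch holds `self:capability sys_admin`, `dev_read_raw_memory` and `dev_rw_sysfs`. Consider defaulting this boolean to false, or running the triggers in a separate, less privileged domain reached through a transition.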
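
Review bot: The `mcelog_syslog` tunable in the second v4 mcelog.te hunk has no effect, because the unconditional `logging_send_syslog_msg(mcelog_t)` is kept as a context line just above `miscfiles_read_localization(mcelog_t)` and the same call is then repeated inside the tunable_policy block for mcelog_syslog. Remove the unconditional call if the boolean is meant to gate syslog access. The same hunk also adds `files_search_pids(mcelog_t)` and `read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)` twice, once after the `list_dir_perms` rule and again after `files_read_etc_files(mcelog_t)`; the second pair can go. Finally, `self:unix_stream_socket create_stream_socket_perms` is only granted under mcelog_server, so as far as these lines show, enabling mcelog_client alone gives the client `stream_connect_pattern` but no permission to create the socket it connects with.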
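
Review bot: The new v4 corecommands.fc entries `/etc/mcelog/.*-error-trigger` and `/etc/mcelog/.*\.local` use `.*`, which also matches `/`, so a regular file at any depth below /etc/mcelog whose name ends in `-error-trigger` or `.local` is labelled bin_t instead of mcelog_etc_t. Writing the patterns with `[^/]*` in place of `.*` would confine the bin_t label to files directly inside /etc/mcelog.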