From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 08 Aug 2012 16:34:16 +0200
Subject: [refpolicy] [PATCH v6]: mcelog module initial rewrite
In-Reply-To: <50226348.5020303@tresys.com>
References: <201208061519.q76FJcDp011962@vivaldi31.register.it> <1344267046.29329.57.camel@d30.localdomain> <50201053.9000506@trentalancia.com> <1344282251.29329.73.camel@d30.localdomain> <50215188.7040900@trentalancia.com> <1344361404.2306.5.camel@d30.localdomain> <50216DFF.1050309@trentalancia.com> <1344368916.2306.14.camel@d30.localdomain> <50217898.1000106@trentalancia.com> <1344371220.2306.18.camel@d30.localdomain> <502190FD.4060905@trentalancia.com> <50226348.5020303@tresys.com>
Message-ID: <502278E8.90900@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

On 08/08/2012 15:02, Christopher J. PeBenito wrote:
> On 08/07/12 18:04, Guido Trentalancia wrote:
>> Here is the latest (v6) version:
>>
>> Rewrite of mcelog module:
>> - version increment
>> - fix and extend file contexts (private types)
>> - support daemon mode and init scripting (+ deprecated and untested cron mode)
>> - support optional triggers for all distributions, while leaving compatibility with their alternate location in Fedora (and current policy)
>> - initial configurable support for client/server mode (untested)
>> - support for sysfs (rw)
>> - includes several revisions from Dominick Grift
>> - removed duplicate syslog interface over previous version 4
>> - reduced stream_connect_pattern to permissions from version 5
>
> Merged. In the future, please do not increment the module version.

Good, so at least it would run now. At the end, it includes thermal error detection, so no one now can be blamed if a CPU burns up ;)
>> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/contrib/mcelog.fc | 12 +++ >> policy/modules/contrib/mcelog.te | 118 >> ++++++++++++++++++++++++++++++++-- >> policy/modules/kernel/corecommands.fc | 8 ++ >> 3 files changed, 131 insertions(+), 7 deletions(-) >> >> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc >> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc >> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 >> 18:29:23.578610955 +0200 >> +++ >> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc >> 2012-08-07 21:10:43.247757154 +0200 
>> @@ -1 +1,13 @@ >> +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0) >> + >> +ifdef(`distro_redhat',` >> +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0) >> +') >> + >> +/etc/rc\.d/init\.d/mcelog -- >> gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)

Dominick has also noted that Debian (and Gentoo) are actually using a different path for the init scripts. I don't know how to move on with this really, as the rest of the current reference policy only has support for such an alternative location in the hadoop module. I have already pointed out that without an updated official list of files from each distribution it is not very easy to honour all these subtle differences (that unfortunately will prevent the reference policy from being plug-and-play).

>> + >> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) >> + >> +/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0) >> +/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0) >> +/var/run/mcelog-client -s >> gen_context(system_u:object_r:mcelog_var_run_t,s0) >> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te >> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te >> --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 >> 18:29:23.578610955 +0200 >> +++ >> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te >> 2012-08-08 01:11:06.572330170 +0200 >> @@ -1,14 +1,70 @@ >> -policy_module(mcelog, 1.1.0) >> +policy_module(mcelog, 1.1.1) [cut]
>> @@ -16,17 +72,67 @@ cron_system_entry(mcelog_t, mcelog_exec_ >> # >> >> allow mcelog_t self:capability sys_admin; >> +allow mcelog_t self:unix_stream_socket connected_socket_perms; >> +allow mcelog_t mcelog_etc_t:dir list_dir_perms; >> + >> +files_search_pids(mcelog_t) >> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) >> + >> +# manage a logfile in a generic or private log directory >> +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) >> +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) >> +logging_log_filetrans(mcelog_t, mcelog_log_t, file) >> + >> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) >> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) >> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file }) >> >> kernel_read_system_state(mcelog_t) >> >> dev_read_raw_memory(mcelog_t) >> dev_read_kmsg(mcelog_t) >> +dev_rw_sysfs(mcelog_t) >> >> files_read_etc_files(mcelog_t) >> +files_search_pids(mcelog_t) >> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)

I just realized the line above is a duplicate and the above block of three lines should go before the kernel interfaces according to the style guidelines (no functional difference though).

Thanks very much once again to Dominick for reviewing...

Regards,

Guido
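Review bot: in the mcelog.fc hunk, the ifdef(`distro_redhat') block labelling /etc/mcelog/triggers -d as mcelog_etc_t is redundant, because the first entry, /etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0), already matches that directory and everything below it with the same type; either drop the block, or give the trigger scripts a type of their own if they are meant to be handled differently from the configuration files. That second option matters because the visible .te lines give mcelog_t only list_dir_perms and read_files_pattern on mcelog_etc_t, so if mcelog runs the trigger scripts kept under /etc/mcelog/triggers, an exec on a file labelled mcelog_etc_t will be denied unless that is covered in the cut part of the .te hunk. The init script entry only matches /etc/rc\.d/init\.d/mcelog, so on the distributions mentioned in the reply (Debian, Gentoo) the script keeps its generic label; the hadoop module's handling of an alternative init script location, also mentioned in the reply, is the existing pattern to copy.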
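Review bot: in the @@ -16,17 +72,67 @@ hunk, connected_socket_perms on the self:unix_stream_socket line lacks listen and accept (in refpolicy that set is the connect side; the listening side is connected_stream_socket_perms, and create_stream_socket_perms covers both), so with the daemon creating /var/run/mcelog-client itself, as manage_sock_files_pattern and files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file }) in this hunk arrange, the server half of the client/server mode will be denied at listen(); use create_stream_socket_perms. Two smaller points in the same hunk: files_search_pids(mcelog_t) and read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) appear twice (once after the self rules, once after files_read_etc_files), and one copy should go; and dev_rw_sysfs(mcelog_t) makes the whole of sysfs writable for a domain that also holds sys_admin and raw memory read, which is broad, so if the writes are confined to a known subtree a comment stating why all of sysfs is needed (or a narrower rule) would help the next reviewer.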