From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 08 Aug 2012 21:33:13 +0200
Subject: [refpolicy] [PATCH v6]: mcelog module initial rewrite
In-Reply-To: <50226348.5020303@tresys.com>
References: <201208061519.q76FJcDp011962@vivaldi31.register.it>
	<1344267046.29329.57.camel@d30.localdomain>
	<50201053.9000506@trentalancia.com>
	<1344282251.29329.73.camel@d30.localdomain>
	<50215188.7040900@trentalancia.com>
	<1344361404.2306.5.camel@d30.localdomain>
	<50216DFF.1050309@trentalancia.com>
	<1344368916.2306.14.camel@d30.localdomain>
	<50217898.1000106@trentalancia.com>
	<1344371220.2306.18.camel@d30.localdomain>
	<502190FD.4060905@trentalancia.com> <50226348.5020303@tresys.com>
Message-ID: <5022BEF9.2060004@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Christopher,

you can also add the following, if you like (I see from latest git that 
the duplicate etc_t file pattern interface have already been removed):

Reorder one file pattern interface in the recently updated mcelog.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---

--- refpolicy/policy/modules/contrib/mcelog.te	2012-08-08 
21:22:01.160888610 +0200
+++ refpolicy-08082012/policy/modules/contrib/mcelog.te	2012-08-08 
21:22:19.204057838 +0200
@@ -75,6 +75,7 @@ allow mcelog_t self:capability sys_admin
  allow mcelog_t self:unix_stream_socket connected_socket_perms;
  allow mcelog_t mcelog_etc_t:dir list_dir_perms;

+files_read_etc_files(mcelog_t)
  read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)

  # manage a logfile in a generic or private log directory
@@ -92,8 +93,6 @@ dev_read_raw_memory(mcelog_t)
  dev_read_kmsg(mcelog_t)
  dev_rw_sysfs(mcelog_t)

-files_read_etc_files(mcelog_t)
-
  # for /dev/mem access
  mls_file_read_all_levels(mcelog_t)



On 08/08/2012 15:02, Christopher J. PeBenito wrote:
> On 08/07/12 18:04, Guido Trentalancia wrote:
>> Here is the latest (v6) version:
>>
>> Rewrite of mcelog module:
>> - version increment
>> - fix and extend file contexts (private types)
>> - support daemon mode and init scripting (+ deprecated and untested cron
>> mode)
>> - support optional triggers for all distributions, while leaving
>>     compatibility with their alternate location in Fedora (and
>>     current policy)
>> - initial configurable support for client/server mode (untested)
>> - support for sysfs (rw)
>> - includes several revisions from Dominick Grift
>> - removed duplicate syslog interface over previous version 4
>> - reduced stream_connect_pattern to permissions from version 5
>
> Merged.  In the future, please do not increment the module version.
>
>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
>> ---
>>    policy/modules/contrib/mcelog.fc      |   12 +++
>>    policy/modules/contrib/mcelog.te      |  118
>> ++++++++++++++++++++++++++++++++--
>>    policy/modules/kernel/corecommands.fc |    8 ++
>>    3 files changed, 131 insertions(+), 7 deletions(-)
>>
>> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc
>> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc
>> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc	2011-09-09
>> 18:29:23.578610955 +0200
>> +++
>> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc
>> 2012-08-07 21:10:43.247757154 +0200
>> @@ -1 +1,13 @@
>> +/etc/mcelog(/.*)?		gen_context(system_u:object_r:mcelog_etc_t,s0)
>> +
>> +ifdef(`distro_redhat',`
>> +/etc/mcelog/triggers	-d	gen_context(system_u:object_r:mcelog_etc_t,s0)
>> +')
>> +
>> +/etc/rc\.d/init\.d/mcelog	--
>> gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
>> +
>>    /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +
>> +/var/log/mcelog.*	--	gen_context(system_u:object_r:mcelog_log_t,s0)
>> +/var/run/mcelog\.pid	--	gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> +/var/run/mcelog-client	-s
>> gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te
>> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te
>> --- refpolicy-04062012/policy/modules/contrib/mcelog.te	2011-09-09
>> 18:29:23.578610955 +0200
>> +++
>> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te
>> 2012-08-08 01:11:06.572330170 +0200
>> @@ -1,14 +1,70 @@
>> -policy_module(mcelog, 1.1.0)
>> +policy_module(mcelog, 1.1.1)
>>
>>    ########################################
>>    #
>>    # Declarations
>>    #
>>
>> +## <desc>
>> +## <p>
>> +## Allow mcelog to run in client mode.
>> +## Required to run mcelog in client
>> +## mode.
>> +## </p>
>> +## </desc>
>> +gen_tunable(mcelog_client, false)
>> +
>> +## <desc>
>> +## <p>
>> +## Allow mcelog to execute scripts.
>> +## Required to execute optional triggers
>> +## and/or local scripts.
>> +## </p>
>> +## </desc>
>> +gen_tunable(mcelog_exec_scripts, true)
>> +
>> +## <desc>
>> +## <p>
>> +## Allow mcelog to use all the user ttys.
>> +## Required in foreground mode and to
>> +## print out usage and version information.
>> +## </p>
>> +## </desc>
>> +gen_tunable(mcelog_foreground, true)
>> +
>> +## <desc>
>> +## <p>
>> +## Allow mcelog to run a server.
>> +## Required to enable the optional configurable
>> +## Unix stream socket server functionality.
>> +## </p>
>> +## </desc>
>> +gen_tunable(mcelog_server, false)
>> +
>> +## <desc>
>> +## <p>
>> +## Allow mcelog to use syslog.
>> +## Required to use the configurable
>> +## syslog option.
>> +## </p>
>> +## </desc>
>> +gen_tunable(mcelog_syslog, true)
>> +
>>    type mcelog_t;
>>    type mcelog_exec_t;
>> -application_domain(mcelog_t, mcelog_exec_t)
>> -cron_system_entry(mcelog_t, mcelog_exec_t)
>> +init_daemon_domain(mcelog_t, mcelog_exec_t)
>> +
>> +type mcelog_initrc_exec_t;
>> +init_script_file(mcelog_initrc_exec_t)
>> +
>> +type mcelog_etc_t;
>> +files_config_file(mcelog_etc_t)
>> +
>> +type mcelog_log_t;
>> +logging_log_file(mcelog_log_t)
>> +
>> +type mcelog_var_run_t;
>> +files_pid_file(mcelog_var_run_t)
>>
>>    ########################################
>>    #
>> @@ -16,17 +72,67 @@ cron_system_entry(mcelog_t, mcelog_exec_
>>    #
>>
>>    allow mcelog_t self:capability sys_admin;
>> +allow mcelog_t self:unix_stream_socket connected_socket_perms;
>> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
>> +
>> +files_search_pids(mcelog_t)
>> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>> +
>> +# manage a logfile in a generic or private log directory
>> +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>> +
>> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>>
>>    kernel_read_system_state(mcelog_t)
>>
>>    dev_read_raw_memory(mcelog_t)
>>    dev_read_kmsg(mcelog_t)
>> +dev_rw_sysfs(mcelog_t)
>>
>>    files_read_etc_files(mcelog_t)
>> +files_search_pids(mcelog_t)
>> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>> +
>> +locallogin_use_fds(mcelog_t)
>> +
>> +miscfiles_read_localization(mcelog_t)
>>
>>    # for /dev/mem access
>>    mls_file_read_all_levels(mcelog_t)
>>
>> -logging_send_syslog_msg(mcelog_t)
>> -
>> -miscfiles_read_localization(mcelog_t)
>> +# needed in client-mode
>> +tunable_policy(`mcelog_client',`
>> +	allow mcelog_t self:unix_stream_socket connectto;
>> +')
>> +
>> +# required for executing optional triggers and scripts
>> +tunable_policy(`mcelog_exec_scripts',`
>> +	allow mcelog_t self:fifo_file { read getattr write };
>> +	corecmd_exec_bin(mcelog_t)
>> +	corecmd_exec_shell(mcelog_t)
>> +')
>> +
>> +# required for optional foreground mode and
>> +# console output
>> +tunable_policy(`mcelog_foreground',`
>> +	userdom_use_user_terminals(mcelog_t)
>> +')
>> +
>> +# required for the optional server functionality
>> +tunable_policy(`mcelog_server',`
>> +	allow mcelog_t self:unix_stream_socket { listen accept };
>> +')
>> +
>> +# use syslog functionality (optional, configurable)
>> +tunable_policy(`mcelog_syslog',`
>> +	logging_send_syslog_msg(mcelog_t)
>> +')
>> +
>> +# optional support for running it as a cron job
>> +optional_policy(`
>> +	cron_system_entry(mcelog_t, mcelog_exec_t)
>> +')
>> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc
>> refpolicy-04062012-mcelog-support-v6/policy/modules/kernel/corecommands.fc
>> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc	2012-08-07
>> 18:38:05.323569047 +0200
>> +++
>> refpolicy-04062012-mcelog-support-v6/policy/modules/kernel/corecommands.fc
>> 2012-08-07 15:54:20.796905090 +0200
>> @@ -72,8 +72,14 @@ ifdef(`distro_redhat',`
>>    /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
>>
>>    /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
>> -/etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
>> +
>> +/etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
>> +/etc/mcelog/.*\.local		--	gen_context(system_u:object_r:bin_t,s0)
>> +
>> +ifdef(`distro_redhat',`
>>    /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>> +')
>> +
>>    /etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
>>
>>    /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
>