From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 08 Aug 2012 21:33:13 +0200 Subject: [refpolicy] [PATCH v6]: mcelog module initial rewrite In-Reply-To: <50226348.5020303@tresys.com> References: <201208061519.q76FJcDp011962@vivaldi31.register.it> <1344267046.29329.57.camel@d30.localdomain> <50201053.9000506@trentalancia.com> <1344282251.29329.73.camel@d30.localdomain> <50215188.7040900@trentalancia.com> <1344361404.2306.5.camel@d30.localdomain> <50216DFF.1050309@trentalancia.com> <1344368916.2306.14.camel@d30.localdomain> <50217898.1000106@trentalancia.com> <1344371220.2306.18.camel@d30.localdomain> <502190FD.4060905@trentalancia.com> <50226348.5020303@tresys.com> Message-ID: <5022BEF9.2060004@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Christopher, you can also add the following, if you like (I see from latest git that the duplicate etc_t file pattern interface have already been removed): Reorder one file pattern interface in the recently updated mcelog. Signed-off-by: Guido Trentalancia
---
--- refpolicy/policy/modules/contrib/mcelog.te 2012-08-08 21:22:01.160888610 +0200
+++ refpolicy-08082012/policy/modules/contrib/mcelog.te 2012-08-08 21:22:19.204057838 +0200
@@ -75,6 +75,7 @@ allow mcelog_t self:capability sys_admin
 allow mcelog_t self:unix_stream_socket connected_socket_perms;
 allow mcelog_t mcelog_etc_t:dir list_dir_perms;
+files_read_etc_files(mcelog_t)
 read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
 # manage a logfile in a generic or private log directory
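Review bot: The moved `files_read_etc_files(mcelog_t)` now sits between the private `mcelog_etc_t` rules and `read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)`, whereas the second hunk (`@@ -92,8 +93,6 @@`) shows it previously lived with the other module interface calls after the `dev_*` block, which is where this file otherwise appears to group `files_*` calls. If the aim is to keep the /etc-related rules together, a one-line comment such as `# generic etc_t reads kept next to the private mcelog_etc_t config rules` would mark the exception as deliberate. Since /etc/mcelog is now labelled `mcelog_etc_t`, it is also worth confirming that read access to all generic `etc_t` files is still needed rather than carried over from the pre-rewrite policy; if it is, naming the file(s) in that comment would save the next reviewer the same question. The second hunk is the matching removal and needs no separate note.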
@@ -92,8 +93,6 @@ dev_read_raw_memory(mcelog_t)
 dev_read_kmsg(mcelog_t)
 dev_rw_sysfs(mcelog_t)
-files_read_etc_files(mcelog_t)
-
 # for /dev/mem access
 mls_file_read_all_levels(mcelog_t)
On 08/08/2012 15:02, Christopher J. PeBenito wrote:
> On 08/07/12 18:04, Guido Trentalancia wrote:
>> Here is the latest (v6) version:
>>
>> Rewrite of mcelog module:
>> - version increment
>> - fix and extend file contexts (private types)
>> - support daemon mode and init scripting (+ deprecated and untested cron
>> mode)
>> - support optional triggers for all distributions, while leaving
>> compatibility with their alternate location in Fedora (and
>> current policy)
>> - initial configurable support for client/server mode (untested)
>> - support for sysfs (rw)
>> - includes several revisions from Dominick Grift
>> - removed duplicate syslog interface over previous version 4
>> - reduced stream_connect_pattern to permissions from version 5
>
> Merged. In the future, please do not increment the module version.
>
>
>> Signed-off-by: Guido Trentalancia
>> ---
>> policy/modules/contrib/mcelog.fc | 12 +++
>> policy/modules/contrib/mcelog.te | 118
>> ++++++++++++++++++++++++++++++++--
>> policy/modules/kernel/corecommands.fc | 8 ++
>> 3 files changed, 131 insertions(+), 7 deletions(-)
>>
>> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc
>> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc
>> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09
>> 18:29:23.578610955 +0200
>> +++
>> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc
>> 2012-08-07 21:10:43.247757154 +0200
>> @@ -1 +1,13 @@
>> +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
>> +
>> +ifdef(`distro_redhat',`
>> +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
>> +')
>> +
>> +/etc/rc\.d/init\.d/mcelog --
>> gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
>> +
>> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +
>> +/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
>> +/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> +/var/run/mcelog-client -s
>> gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te
>> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te
>> --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09
>> 18:29:23.578610955 +0200
>> +++
>> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te
>> 2012-08-08 01:11:06.572330170 +0200
>> @@ -1,14 +1,70 @@
>> -policy_module(mcelog, 1.1.0)
>> +policy_module(mcelog, 1.1.1)
>>
>> ########################################
>> #
>> # Declarations
>> #
>>
>> +##
>> +##
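Review bot: `/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)` leaves the `.` unescaped, so the pattern labels any regular file under /var/log whose name starts with `mcelog`, not only the daemon's own log; the other new entries in this hunk (`/var/run/mcelog\.pid`, `/etc/rc\.d/init\.d/mcelog`) escape their dots. If only the log and its rotated copies are meant, `/var/log/mcelog(\..*)? -- gen_context(system_u:object_r:mcelog_log_t,s0)` pins that down; if the loose match is intentional (e.g. for rotation schemes that do not use a dot), a short comment saying so would keep it from being tightened later.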

>> +## Allow mcelog to run in client mode.
>> +## Required to run mcelog in client
>> +## mode.
>> +##

>> +##
>> +gen_tunable(mcelog_client, false)
>> +
>> +##
>> +##

>> +## Allow mcelog to execute scripts.
>> +## Required to execute optional triggers
>> +## and/or local scripts.
>> +##

>> +##
>> +gen_tunable(mcelog_exec_scripts, true)
>> +
>> +##
>> +##

>> +## Allow mcelog to use all the user ttys.
>> +## Required in foreground mode and to
>> +## print out usage and version information.
>> +##

>> +##
>> +gen_tunable(mcelog_foreground, true)
>> +
>> +##
>> +##

>> +## Allow mcelog to run a server.
>> +## Required to enable the optional configurable
>> +## Unix stream socket server functionality.
>> +##

>> +##
>> +gen_tunable(mcelog_server, false)
>> +
>> +##
>> +##

>> +## Allow mcelog to use syslog.
>> +## Required to use the configurable
>> +## syslog option.
>> +##

>> +##
>> +gen_tunable(mcelog_syslog, true)
>> +
>> type mcelog_t;
>> type mcelog_exec_t;
>> -application_domain(mcelog_t, mcelog_exec_t)
>> -cron_system_entry(mcelog_t, mcelog_exec_t)
>> +init_daemon_domain(mcelog_t, mcelog_exec_t)
>> +
>> +type mcelog_initrc_exec_t;
>> +init_script_file(mcelog_initrc_exec_t)
>> +
>> +type mcelog_etc_t;
>> +files_config_file(mcelog_etc_t)
>> +
>> +type mcelog_log_t;
>> +logging_log_file(mcelog_log_t)
>> +
>> +type mcelog_var_run_t;
>> +files_pid_file(mcelog_var_run_t)
>>
>> ########################################
>> #
>> @@ -16,17 +72,67 @@ cron_system_entry(mcelog_t, mcelog_exec_
>> #
>>
>> allow mcelog_t self:capability sys_admin;
>> +allow mcelog_t self:unix_stream_socket connected_socket_perms;
>> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
>> +
>> +files_search_pids(mcelog_t)
>> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>> +
>> +# manage a logfile in a generic or private log directory
>> +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>> +
>> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>>
>> kernel_read_system_state(mcelog_t)
>>
>> dev_read_raw_memory(mcelog_t)
>> dev_read_kmsg(mcelog_t)
>> +dev_rw_sysfs(mcelog_t)
>>
>> files_read_etc_files(mcelog_t)
>> +files_search_pids(mcelog_t)
>> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>> +
>> +locallogin_use_fds(mcelog_t)
>> +
>> +miscfiles_read_localization(mcelog_t)
>>
>> # for /dev/mem access
>> mls_file_read_all_levels(mcelog_t)
>>
>> -logging_send_syslog_msg(mcelog_t)
>> -
>> -miscfiles_read_localization(mcelog_t)
>> +# needed in client-mode
>> +tunable_policy(`mcelog_client',`
>> + allow mcelog_t self:unix_stream_socket connectto;
>> +')
>> +
>> +# required for executing optional triggers and scripts
>> +tunable_policy(`mcelog_exec_scripts',`
>> + allow mcelog_t self:fifo_file { read getattr write };
>> + corecmd_exec_bin(mcelog_t)
>> + corecmd_exec_shell(mcelog_t)
>> +')
>> +
>> +# required for optional foreground mode and
>> +# console output
>> +tunable_policy(`mcelog_foreground',`
>> + userdom_use_user_terminals(mcelog_t)
>> +')
>> +
>> +# required for the optional server functionality
>> +tunable_policy(`mcelog_server',`
>> + allow mcelog_t self:unix_stream_socket { listen accept };
>> +')
>> +
>> +# use syslog functionality (optional, configurable)
>> +tunable_policy(`mcelog_syslog',`
>> + logging_send_syslog_msg(mcelog_t)
>> +')
>> +
>> +# optional support for running it as a cron job
>> +optional_policy(`
>> + cron_system_entry(mcelog_t, mcelog_exec_t)
>> +')
>> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc
>> refpolicy-04062012-mcelog-support-v6/policy/modules/kernel/corecommands.fc
>> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-07
>> 18:38:05.323569047 +0200
>> +++
>> refpolicy-04062012-mcelog-support-v6/policy/modules/kernel/corecommands.fc
>> 2012-08-07 15:54:20.796905090 +0200
>> @@ -72,8 +72,14 @@ ifdef(`distro_redhat',`
>> /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
>>
>> /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
>> -/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
>> +
>> +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
>> +/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
>> +
>> +ifdef(`distro_redhat',`
>> /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
>> +')
>> +
>> /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
>>
>> /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
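Review bot: `allow mcelog_t self:fifo_file { read getattr write };` inside the `mcelog_exec_scripts` block spells the permission set out by hand, while the rest of this hunk uses the policy's permission-set macros (`connected_socket_perms`, `list_dir_perms`); `allow mcelog_t self:fifo_file rw_fifo_file_perms;` expresses the same intent consistently, with the caveat that the macro is broader than the three listed permissions, so confirm that is acceptable. Separately, `dev_rw_sysfs(mcelog_t)` grants write access across sysfs as a whole for a daemon that also reads raw memory; if mcelog only writes to a known subtree, a comment naming it, e.g. `# sysfs rw: <path(s) mcelog writes — TODO confirm>`, documents why the broad interface was chosen and lets a later reviewer judge whether a narrower rule is possible. The duplicated `files_search_pids`/`read_files_pattern` lines are already covered earlier in this thread.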