From: guido@trentalancia.com (Guido Trentalancia) Date: Thu, 09 Aug 2012 23:54:09 +0200 Subject: [refpolicy] [PATCH v6]: mcelog module initial rewrite In-Reply-To: <5023E67E.1060909@tresys.com> References: <201208061519.q76FJcDp011962@vivaldi31.register.it> <1344267046.29329.57.camel@d30.localdomain> <50201053.9000506@trentalancia.com> <1344282251.29329.73.camel@d30.localdomain> <50215188.7040900@trentalancia.com> <1344361404.2306.5.camel@d30.localdomain> <50216DFF.1050309@trentalancia.com> <1344368916.2306.14.camel@d30.localdomain> <50217898.1000106@trentalancia.com> <1344371220.2306.18.camel@d30.localdomain> <502190FD.4060905@trentalancia.com> <50226348.5020303@tresys.com> <5022BEF9.2060004@trentalancia.com> <5023E67E.1060909@tresys.com> Message-ID: <50243181.3040908@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Christopher. On 09/08/2012 18:34, Christopher J. PeBenito wrote: > On 08/08/12 15:33, Guido Trentalancia wrote: >> Christopher, >> >> you can also add the following, if you like (I see from latest git that the duplicate etc_t file pattern interface have already been removed): >> >> Reorder one file pattern interface in the recently updated mcelog. >> >> Signed-off-by: Guido Trentalancia >> --- >> >> --- refpolicy/policy/modules/contrib/mcelog.te 2012-08-08 21:22:01.160888610 +0200 >> +++ refpolicy-08082012/policy/modules/contrib/mcelog.te 2012-08-08 21:22:19.204057838 +0200 >> @@ -75,6 +75,7 @@ allow mcelog_t self:capability sys_admin >> allow mcelog_t self:unix_stream_socket connected_socket_perms; >> allow mcelog_t mcelog_etc_t:dir list_dir_perms; >> >> +files_read_etc_files(mcelog_t) >> read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) >> >> # manage a logfile in a generic or private log directory 
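Review bot: the relocated `files_read_etc_files(mcelog_t)` line lands in the middle of the module's own `mcelog_etc_t` rules, which goes against the refpolicy layout of local allow/pattern rules first and `files_*` interface calls grouped further down in their own block; since the same call is deleted from its original place in the next hunk, the patch changes no permissions and only moves the call out of its conventional position. If the aim is to keep the etc-related rules visually together, a one-line comment above `read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)` does that without reordering.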
>> @@ -92,8 +93,6 @@ dev_read_raw_memory(mcelog_t) >> dev_read_kmsg(mcelog_t) >> dev_rw_sysfs(mcelog_t) >> >> -files_read_etc_files(mcelog_t) >> - >> # for /dev/mem access >> mls_file_read_all_levels(mcelog_t) > > This isn't necessary. The reading etc files stands on its own where it is. If we want to be really thorough, you could add files_search_etc() by the read_files_pattern, but I think its fine as is. Yes, why not ? I have also added a comment to be 100% transparent to the user, if anybodys want to further restrict it under particular circumstances: mcelog module: - allow files_search_etc() as it might be needed for non-standard configuration subdirectories; - add a comment for the files_read_etc_files() interface, so that it can be later restricted further if needed. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/mcelog.te | 2 ++ 1 file changed, 2 insertions(+) diff -pruN refpolicy-08092012/policy/modules/contrib/mcelog.te refpolicy-08092012-mcelog-allow_files_search_etc_t/policy/modules/contrib/mcelog.te --- refpolicy-08092012/policy/modules/contrib/mcelog.te 2012-08-08 21:22:01.160888610 +0200 +++ refpolicy-08092012-mcelog-allow_files_search_etc_t/policy/modules/contrib/mcelog.te 2012-08-09 23:33:25.321471690 +0200 @@ -76,6 +76,7 @@ allow mcelog_t self:unix_stream_socket c allow mcelog_t mcelog_etc_t:dir list_dir_perms; read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) +files_search_etc(mcelog_t) # manage a logfile in a generic or private log directory manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t) @@ -92,6 +93,7 @@ dev_read_raw_memory(mcelog_t) dev_read_kmsg(mcelog_t) dev_rw_sysfs(mcelog_t) +# needed in daemon mode only files_read_etc_files(mcelog_t) # for /dev/mem access
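Review bot: in the first hunk of the new patch, `files_search_etc(mcelog_t)` is redundant as long as `files_read_etc_files(mcelog_t)` stays in the file, because that interface already grants `list_dir_perms` (which includes `search`) on `etc_t`; it only becomes load-bearing if the read call is later dropped, which the second hunk's comment suggests is the plan. The commit message's rationale ("might be needed for non-standard configuration subdirectories") is also narrower than what the rule does: `search` on `etc_t` is what lets the domain traverse `/etc` to reach any `mcelog_etc_t` directory at all, so the message, and a short comment above the line, should say that this is the permission the config read must keep if `files_read_etc_files()` is ever removed. Placement-wise the call belongs with the other `files_*` interface calls further down rather than beside the pattern macro.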
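Review bot: in the second hunk, the comment `# needed in daemon mode only` attaches a conditional requirement to an unconditional rule and gives a later reader nothing to act on: it does not say which file under `/etc` the daemon reads, so nobody can verify whether the access is still needed or narrow it to that file's type. Either name the file in the comment, or, if daemon and non-daemon use are meant to be policy-distinguishable, express the split with a `tunable_policy` block rather than a comment, which is how refpolicy handles optional access.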