From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 10 Aug 2012 10:47:35 -0400 Subject: [refpolicy] [PATCH v6]: mcelog module initial rewrite In-Reply-To: <50243181.3040908@trentalancia.com> References: <201208061519.q76FJcDp011962@vivaldi31.register.it> <1344267046.29329.57.camel@d30.localdomain> <50201053.9000506@trentalancia.com> <1344282251.29329.73.camel@d30.localdomain> <50215188.7040900@trentalancia.com> <1344361404.2306.5.camel@d30.localdomain> <50216DFF.1050309@trentalancia.com> <1344368916.2306.14.camel@d30.localdomain> <50217898.1000106@trentalancia.com> <1344371220.2306.18.camel@d30.localdomain> <502190FD.4060905@trentalancia.com> <50226348.5020303@tresys.com> <5022BEF9.2060004@trentalancia.com> <5023E67E.1060909@tresys.com> <50243181.3040908@trentalancia.com> Message-ID: <50251F07.8050301@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/09/12 17:54, Guido Trentalancia wrote: > On 09/08/2012 18:34, Christopher J. PeBenito wrote: >> On 08/08/12 15:33, Guido Trentalancia wrote: >>> --- refpolicy/policy/modules/contrib/mcelog.te 2012-08-08 21:22:01.160888610 +0200 >>> +++ refpolicy-08082012/policy/modules/contrib/mcelog.te 2012-08-08 21:22:19.204057838 +0200 >>> @@ -75,6 +75,7 @@ allow mcelog_t self:capability sys_admin >>> allow mcelog_t self:unix_stream_socket connected_socket_perms; >>> allow mcelog_t mcelog_etc_t:dir list_dir_perms; >>> >>> +files_read_etc_files(mcelog_t) >>> read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) >>> >>> # manage a logfile in a generic or private log directory 
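Review bot: placing files_read_etc_files(mcelog_t) directly above read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t) suggests it is there so mcelog_t can reach its own configuration under /etc, but reading mcelog_etc_t files does not require read access to generic etc_t files; traversing /etc only needs search on the etc_t directory, so if that is the intent the added line should be files_search_etc(mcelog_t), and it should be dropped here if mcelog never touches plain etc_t files.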
>>> @@ -92,8 +93,6 @@ dev_read_raw_memory(mcelog_t) >>> dev_read_kmsg(mcelog_t) >>> dev_rw_sysfs(mcelog_t) >>> >>> -files_read_etc_files(mcelog_t) >>> - >>> # for /dev/mem access >>> mls_file_read_all_levels(mcelog_t) >> >> This isn't necessary. The reading of etc files stands on its own where it is. If we want to be really thorough, you could add files_search_etc() by the read_files_pattern, but I think it's fine as is. > > Yes, why not? I have also added a comment to be 100% transparent to the > user, if anybody wants to further restrict it under particular > circumstances: Reading etc_t files is not a required access for reading mcelog_etc_t files. If mcelog does not read etc_t files, then moving the line makes sense, if it's also changed to files_search_etc(). -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
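Review bot: this hunk only deletes the files_read_etc_files(mcelog_t) call and its trailing blank line, and the first hunk re-adds the identical call, so the patch as posted is a pure relocation that grants exactly the same access as before; if the move is meant to narrow the rule, the re-added line needs to become files_search_etc(mcelog_t), and the explanatory comment mentioned in the reply is not present in either hunk.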
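The question Chris raises (does mcelog actually read etc_t files, or does it only need to traverse /etc to reach its mcelog_etc_t configuration?) is answered by the AVC denials from a run with mcelog_t in permissive mode. The following Python is an added example, not code from this thread or from refpolicy: the audit lines are constructed, the file name example.conf is hypothetical, and the mapping covers only the two interfaces discussed above, files_search_etc() and files_read_etc_files().

```python
import re

# Constructed sample AVC denials (not taken from the thread or from a real
# mcelog run): what auditd might record for a permissive mcelog_t domain.
# Case A: mcelog only traverses /etc to reach its own mcelog_etc_t config.
AVC_SEARCH_ONLY = """\
type=AVC msg=audit(1344520000.123:456): avc:  denied  { search } for  pid=1234 comm="mcelog" name="etc" dev="sda1" ino=2 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1344520000.124:457): avc:  denied  { read open } for  pid=1234 comm="mcelog" name="mcelog.conf" dev="sda1" ino=1234 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
"""
# Case B: mcelog additionally reads a generic etc_t file (hypothetical name).
AVC_READS_ETC = AVC_SEARCH_ONLY + """\
type=AVC msg=audit(1344520000.125:458): avc:  denied  { read open } for  pid=1234 comm="mcelog" name="example.conf" dev="sda1" ino=99 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_PERMS = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source type, target type, class, [perms]) for one AVC line, else None."""
    m = AVC_PERMS.search(line)
    if not m:
        return None
    fields = dict(KEY_VALUE.findall(line))
    try:
        stype = fields['scontext'].split(':')[2]   # user:role:type:mls -> type
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, m.group(1).split()


def etc_access(avc_text, domain='mcelog_t'):
    """Set of (class, perm) pairs the domain was denied on generic etc_t objects.

    Denials on the private mcelog_etc_t type are ignored on purpose: those are
    covered by read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t).
    """
    needed = set()
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype, tclass, perms = rec
        if stype == domain and ttype == 'etc_t':
            needed.update((tclass, p) for p in perms)
    return needed


def suggest_interface(needed):
    """Pick the narrower of the two refpolicy interfaces discussed in the thread."""
    if any(c == 'file' and p in ('read', 'open') for c, p in needed):
        return 'files_read_etc_files'      # mcelog really reads etc_t files
    if any(c == 'dir' and p == 'search' for c, p in needed):
        return 'files_search_etc'          # only traversal of /etc is needed
    if needed:
        return 'unmapped: ' + ', '.join(sorted(f'{c}:{p}' for c, p in needed))
    return 'none'


if __name__ == '__main__':
    for label, text in (('search only', AVC_SEARCH_ONLY), ('reads etc_t', AVC_READS_ETC)):
        print(label, '->', suggest_interface(etc_access(text)))
```

Feed it the output of `ausearch -m avc -c mcelog` from a permissive run; if the result is files_search_etc, the relocated line in the patch should use that interface, and if it is files_read_etc_files the original call was justified on its own.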