From: grzegorz.andrejczuk@intel.com (gandrejc)
Date: Wed, 27 Apr 2016 10:25:35 +0200
Subject: [refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy
Message-ID: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: Grzegorz Andrejczuk

New hwloc utility (hwloc-dump-hwdata) reads firmware entries and generates intermediate files to be used later by hwloc utils. This cannot be done when MLS is in enforcing mode because SELinux blocks access to var_run_t for user_t.

The policy does the following:
- adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
- adds hwloc_dhwd_t system domain with entry point in hwloc_dhwd_exec_t
- allows hwloc_dhwd_exec_t to be run as application
- allows hwloc_dhwd_t to access sysfs
- allows hwloc_dhwd_t to create dir and file in /var/run
- makes transition for hwloc-dump-hwdata output file from var_run_t to var_t.

The data is derived from proprietary SMBIOS entries containing MCDRAM memory side cache configuration: cache size, associativity, inclusiveness and line size.

Signed-off-by: Grzegorz Andrejczuk
---
 hwloc.fc | 3 +++
 hwloc.if | 0
 hwloc.te | 27 +++++++++++++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 hwloc.fc
 create mode 100644 hwloc.if
 create mode 100644 hwloc.te

diff --git a/hwloc.fc b/hwloc.fc new file mode 100644 index 0000000..3d31d96 --- /dev/null +++ b/hwloc.fc @@ -0,0 +1,3 @@ +/var/run/hwloc -d gen_context(system_u:object_r:var_run_t,s0) +/var/run/hwloc/knl_memoryside_cache -- gen_context(system_u:object_r:var_t,s0) +/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0) diff --git a/hwloc.if b/hwloc.if new file mode 100644 index 0000000..e69de29 diff --git a/hwloc.te b/hwloc.te new file mode 100644 index 0000000..292fd8c --- /dev/null +++ b/hwloc.te
@@ -0,0 +1,27 @@ +policy_module(hwloc, 1.0) + +gen_require(` + type sysfs_t; + type var_run_t; + type var_t; +') + +type hwloc_dhwd_t; +type hwloc_dhwd_exec_t; + +init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t) + +dev_read_sysfs(hwloc_dhwd_t) + +# Allow for interactive use, no transition +application_executable_file(hwloc_dhwd_exec_t) + +# Allow read access to SMBIOS entries in /sys/firmware/dmi/entries +dev_read_sysfs(hwloc_dhwd_t) + +# Allow write access to var run, for /var/run/hwloc/ and knl_memoryside_cache +allow hwloc_dhwd_t var_run_t:dir { write create add_name }; +allow hwloc_dhwd_t var_t:file { write create open getattr }; + +# Transition knl_memory_side_cache to var_t, to allow broad access +filetrans_pattern(hwloc_dhwd_t, var_run_t, var_t, file, "knl_memoryside_cache") -- 2.5.1
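Review bot: In the hwloc.fc hunk, the `/var/run/hwloc -d gen_context(system_u:object_r:var_run_t,s0)` entry is redundant, because a directory created under /var/run already gets var_run_t from the existing /var/run rules; the entry that actually matters is `/var/run/hwloc/knl_memoryside_cache -- gen_context(system_u:object_r:var_t,s0)`, which labels a runtime file as generic var_t so that user_t can read it. That makes the file readable by every domain holding generic var_t file permissions, which is far wider than the hwloc users the commit message describes. A dedicated type declared in hwloc.te (for example hwloc_dhwd_var_run_t; the name is only a suggestion) plus a read interface in hwloc.if that the user domains call would keep the access explicit and reviewable. If var_t is kept, please add a comment in the .fc explaining the choice, since this entry is also what restorecon will apply to files already on disk.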
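Review bot: `dev_read_sysfs(hwloc_dhwd_t)` appears twice in the hwloc.te hunk (once right after init_system_domain and again under the SMBIOS comment); drop the first copy. The `gen_require` block pulls sysfs_t, var_run_t and var_t into this module and then uses them in raw rules (`allow hwloc_dhwd_t var_run_t:dir { write create add_name };`, `allow hwloc_dhwd_t var_t:file { write create open getattr };` and the filetrans_pattern), but refpolicy expects types owned by other modules to be reached through that module's interfaces; the files module already provides files_search_pids and files_pid_filetrans for exactly this, and using them would also supply the `search` permission on var_run_t that the current dir rule lacks, so as written the domain can still be denied when traversing /var/run. sysfs_t is required but never referenced directly, since dev_read_sysfs covers it. The comment `# Transition knl_memory_side_cache to var_t` does not match the filename `knl_memoryside_cache` used in the rule itself. Two smaller points: hwloc.if is created empty, and refpolicy modules need at least a `## <summary>` block there; and policy_module versions in refpolicy use three components (1.0.0 rather than 1.0).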