From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 27 Apr 2016 11:40:26 +0200
Subject: [refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy
In-Reply-To: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com>
References: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com>
Message-ID: <1e313b9b-ccd9-c26d-d3ad-c7f2a1da6f63@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/27/2016 10:25 AM, gandrejc wrote:
> From: Grzegorz Andrejczuk
>
> New hwloc utility (hwloc-dump-hwdata) reads firmware entries and
> generates intermediate files to be used later by hwloc utils.
>
> This cannot be done when MLS is in enforcing mode because SELinux
> blocks access to var_run_t for user_t.

See below for how I think this should be implemented. If any questions, let me know.

> /var/run/hwloc/knl_memoryside_cache
>
> The policy does the following:
> - adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
> - adds hwloc_dhwd_t system domain with entry point in hwloc_dhwd_exec_t
> - allows hwloc_dhwd_exec_t to be run as application
> - allows hwloc_dhwd_t to access sysfs
> - allows hwloc_dhwd_t to create dir and file in /var/run
> - makes transition for hwloc-dump-hwdata output file from var_run_t to var_t.
>
> The data is derived from proprietary SMBIOS entries containing
> MCDRAM memory side cache configuration: cache size, associativity,
> inclusiveness and line size.
>
> Signed-off-by: Grzegorz Andrejczuk
> ---

Here is how it should, probably, look instead:

system/hwloc.fc:

/usr/sbin/hwloc-dump-hwdata	--	gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)

/var/run/hwloc(/.*)?			gen_context(system_u:object_r:hwloc_var_run_t,s0)

system/hwloc.te:

policy_module(hwloc,1.0.0)

attribute_role hwloc_roles;
roleattribute system_r hwloc_roles;

type hwloc_dhwd_t;
type hwloc_dhwd_exec_t;
init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
role hwloc_roles types hwloc_dhwd_t;

type hwloc_var_run_t;
files_pid_file(hwloc_var_run_t)

allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)

dev_read_sysfs(hwloc_dhwd_t)

system/hwloc.if:

## <summary>Dump topology and locality information from hardware tables.</summary>

########################################
## <summary>
##	Execute hwloc dhwd in the hwloc dhwd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hwloc_domtrans_hwloc_dhwd',`
	gen_require(`
		type hwloc_dhwd_t, hwloc_dhwd_exec_t;
	')

	domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
')

########################################
## <summary>
##	Execute hwloc dhwd in the hwloc dhwd domain, and
##	allow the specified role the hwloc dhwd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`hwloc_run_hwloc_dhwd',`
	gen_require(`
		attribute_role hwloc_roles;
	')

	hwloc_domtrans_hwloc_dhwd($1)
	roleattribute $2 hwloc_roles;
')

########################################
## <summary>
##	Execute hwloc dhwd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hwloc_exec_hwloc_dhwd',`
	gen_require(`
		type hwloc_dhwd_exec_t;
	')

	can_exec($1, hwloc_dhwd_exec_t)
')

########################################
## <summary>
##	Read runtime files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hwloc_read_runtime_files',`
	gen_require(`
		type hwloc_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
')

########################################
## <summary>
##	Manage runtime.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hwloc_manage_runtime',`
	gen_require(`
		type hwloc_var_run_t;
	')

	files_rw_pid_dirs($1)
	allow $1 hwloc_var_run_t:dir manage_dir_perms;
	allow $1 hwloc_var_run_t:file manage_file_perms;
	allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;
')

Then you would call the interfaces in the respective modules to allow shells to run or execute it. For example, roles/sysadm.te:

optional_policy(`
	hwloc_run_hwloc_dhwd(sysadm_t, sysadm_r)
	hwloc_manage_runtime(sysadm_t)
')

roles/user.te:

optional_policy(`
	hwloc_exec_hwloc_dhwd(user_t)
	hwloc_read_runtime_files(user_t)
')

roles/staff.te:

optional_policy(`
	hwloc_exec_hwloc_dhwd(staff_t)
	hwloc_read_runtime_files(staff_t)
')

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
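As an added illustration (not part of this mail or of refpolicy itself), the following Python model shows how the interfaces proposed above expand into allow, type transition and role rules once the role modules call them, and offers a sesearch-style query to check the resulting access matrix. The permission sets are abbreviated stand-ins for the refpolicy macros they are named after; the type names are the ones from the mail.

```python
from collections import defaultdict

# Abbreviated stand-ins for the refpolicy permission macros (assumption: the real sets are larger).
READ_FILE = {"getattr", "open", "read"}
MANAGE_FILE = READ_FILE | {"create", "write", "append", "unlink", "rename"}
MANAGE_DIR = {"getattr", "search", "add_name", "remove_name", "create", "rmdir"}

class Policy:
    def __init__(self):
        self.allow = defaultdict(set)   # (source, target, class) -> permissions
        self.transitions = {}           # (source, entrypoint) -> new domain
        self.roles = defaultdict(set)   # role -> domains it may hold

    def rule(self, src, tgt, cls, perms):
        self.allow[(src, tgt, cls)] |= perms
    def hwloc_te(self):  # system/hwloc.te: the dump domain and its private runtime type
        self.rule("hwloc_dhwd_t", "hwloc_var_run_t", "dir", MANAGE_DIR)
        self.rule("hwloc_dhwd_t", "hwloc_var_run_t", "file", MANAGE_FILE)
        self.rule("hwloc_dhwd_t", "sysfs_t", "file", READ_FILE)   # dev_read_sysfs()
        self.roles["system_r"].add("hwloc_dhwd_t")                # roleattribute system_r hwloc_roles
    def hwloc_domtrans_hwloc_dhwd(self, dom):  # domtrans_pattern()
        self.rule(dom, "hwloc_dhwd_exec_t", "file", READ_FILE | {"execute"})
        self.rule(dom, "hwloc_dhwd_t", "process", {"transition"})
        self.transitions[(dom, "hwloc_dhwd_exec_t")] = "hwloc_dhwd_t"
    def hwloc_run_hwloc_dhwd(self, dom, role):
        self.hwloc_domtrans_hwloc_dhwd(dom)
        self.roles[role].add("hwloc_dhwd_t")                      # roleattribute $2 hwloc_roles
    def hwloc_exec_hwloc_dhwd(self, dom):  # can_exec(): runs in the caller domain, no transition
        self.rule(dom, "hwloc_dhwd_exec_t", "file", READ_FILE | {"execute", "execute_no_trans"})
    def hwloc_read_runtime_files(self, dom):  # files_search_pids() + read_files_pattern()
        self.rule(dom, "hwloc_var_run_t", "dir", {"getattr", "search"})
        self.rule(dom, "hwloc_var_run_t", "file", READ_FILE)
    def hwloc_manage_runtime(self, dom):  # files_rw_pid_dirs() + manage_*_perms
        self.rule(dom, "hwloc_var_run_t", "dir", MANAGE_DIR)
        self.rule(dom, "hwloc_var_run_t", "file", MANAGE_FILE)

    def allowed(self, src, tgt, cls, perm):  # like: sesearch -A -s src -t tgt -c cls -p perm
        return perm in self.allow[(src, tgt, cls)]

def build_policy():
    # Wire the interfaces into the role modules exactly as the mail suggests.
    p = Policy()
    p.hwloc_te()
    p.hwloc_run_hwloc_dhwd("sysadm_t", "sysadm_r")   # roles/sysadm.te
    p.hwloc_manage_runtime("sysadm_t")
    for dom in ("user_t", "staff_t"):                 # roles/user.te, roles/staff.te
        p.hwloc_exec_hwloc_dhwd(dom)
        p.hwloc_read_runtime_files(dom)
    return p
```

The resulting matrix is the point of the proposal: only hwloc_dhwd_t and sysadm_t can write under /var/run/hwloc, user_t and staff_t get read-only access plus execution in their own domain, and only sysadm_r may hold the hwloc_dhwd_t domain.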