From: grzegorz.andrejczuk@intel.com (gandrejc) Date: Wed, 27 Apr 2016 17:21:54 +0200 Subject: [refpolicy] [Patch V2 1/1] Update refpolicy to handle hwloc In-Reply-To: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com> References: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com> Message-ID: <1461770515-13153-1-git-send-email-grzegorz.andrejczuk@intel.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The Portable Hardware Locality (hwloc) software package provides a portable abstraction (across OS, versions, architectures, ...) of the hierarchical topology of modern architectures, including NUMA memory nodes, sockets, shared caches, cores and simultaneous multithreading. It also gathers various system attributes such as cache and memory information as well as the locality of I/O devices such as network interfaces, InfiniBand HCAs or GPUs. Following changes enable: - add interface to change dirs in /var/run - add optional policies for hwloc-dump-hwdata Signed-off-by: Grzegorz Andrejczuk --- policy/modules/kernel/files.if | 19 +++++++++++++++++++ policy/modules/roles/sysadm.te | 5 +++++ policy/modules/system/userdomain.if | 5 +++++ 3 files changed, 29 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index fc007b4..d942d8a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6077,6 +6077,25 @@ interface(`files_dontaudit_getattr_pid_dirs',` ######################################## ## +## Read and write generic runtime directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_pid_dirs',` + gen_require(` + type var_run_t; + ') + + files_search_var($1) + rw_dirs_pattern($1, var_run_t, var_run_t) +') + +######################################## +## ## Set the attributes of the /var/run directory. ## ## diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index ceaa4cb..807c139 100644 
--- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -458,6 +458,11 @@ optional_policy(` ') optional_policy(` + hwloc_manage_runtime(sysadm_t) + hwloc_run_hwloc_dhwd(sysadm_t, sysadm_r) +') + +optional_policy(` howl_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index cbb6e09..0a46fda 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -619,6 +619,11 @@ template(`userdom_common_user_template',` ') optional_policy(` + hwloc_exec_hwloc_dhwd($1_t) + hwloc_read_runtime_files($1_t) + ') + + optional_policy(` inetd_use_fds($1_t) inetd_rw_tcp_sockets($1_t) ') -- 2.5.1 -------------------------------------------------------------------- Intel Technology Poland sp. z o.o. ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN. Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek przegladanie lub rozpowszechnianie jest zabronione. This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by others is strictly prohibited.
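Review bot: in the files.if hunk, `rw_dirs_pattern($1, var_run_t, var_run_t)` grants rw_dir_perms (including add_name and remove_name) on the top-level /var/run directory itself, so a caller of files_rw_pid_dirs() can create and delete arbitrary entries directly in /var/run, not just in hwloc's own runtime directory. If hwloc-dump-hwdata only needs its own subdirectory, give that directory a private type in the hwloc module and create it through files_pid_filetrans() from var_run_t, so the caller never needs write access to var_run_t dirs at all. Also, nothing in this patch calls files_rw_pid_dirs(); if the caller lives in hwloc.te, that file should be part of the same series.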
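Review bot: the sysadm.te hunk calls hwloc_manage_runtime() and hwloc_run_hwloc_dhwd(), but no hwloc.if, hwloc.te or hwloc.fc is in this patch (the diffstat lists only files.if, sysadm.te and userdomain.if), so these interfaces are undefined and the policy cannot build until the hwloc module lands; either include the module in this series or state the dependency in the commit message. Two style points in the same hunk: optional_policy blocks in sysadm.te are kept in alphabetical order, so the hwloc block belongs after the howl_admin() block rather than before it, and hwloc_run_hwloc_dhwd repeats the module prefix, where hwloc_run_dhwd would match the usual module_run_program naming.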
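Review bot: the userdomain.if hunk gives every domain built from userdom_common_user_template (such as user_t and staff_t) hwloc_exec_hwloc_dhwd($1_t), that is, execution of hwloc-dump-hwdata in the caller's own domain with no transition, while sysadm_t gets a run interface that presumably transitions into a dedicated domain. The commit message should say why unprivileged users need to execute hwloc-dump-hwdata at all and whether running it in $1_t is intended; if ordinary users only need to consume the dumped topology data, hwloc_read_runtime_files($1_t) alone is enough and the exec line can be dropped.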