From: jason@perfinion.com (Jason Zaman)
Date: Thu, 28 Apr 2016 00:47:13 +0800
Subject: [refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy
In-Reply-To: <1461770515-13153-2-git-send-email-grzegorz.andrejczuk@intel.com>
References: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com> <1461770515-13153-1-git-send-email-grzegorz.andrejczuk@intel.com> <1461770515-13153-2-git-send-email-grzegorz.andrejczuk@intel.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 27 Apr 2016 23:22, "gandrejc" wrote:
>
> The Portable Hardware Locality (hwloc) software package
> provides a portable abstraction (across OS, versions, architectures, ...)
> of the hierarchical topology of modern architectures,
> including NUMA memory nodes, sockets, shared caches,
> cores and simultaneous multithreading.
> It also gathers various system attributes such as cache and memory information
> as well as the locality of I/O devices such as network interfaces,
> InfiniBand HCAs or GPUs.
>
> New hwloc utility (hwloc-dump-hwdata) reads firmware entries and generates
> intermediate files to be used later by hwloc utils.
>
> This cannot be done when MLS is in enforcing mode because SELinux blocks
> access to var_run_t for user_t.
>
> The policy does the following:
> - adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
> - adds hwloc_dhwd_t system domain with entry point in
>   hwloc_dhwd_exec_t
> - allows hwloc_dhwd_exec_t to be run as application
> - allows hwloc_dhwd_t to access sysfs
> - allows hwloc_dhwd_t to create dir and file in /var/run
> - makes transition for hwloc-dump-hwdata output file from var_run_t to
>   var_t.
>
> The data is derived from proprietary SMBIOS entries containing MCDRAM memory
> side cache configuration: cache size, associativity, inclusiveness and
> line size.
> > Signed-off-by: Grzegorz Andrejczuk > --- > hwloc.fc | 3 ++ > hwloc.if | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > hwloc.te | 28 +++++++++++++++++ > 3 files changed, 134 insertions(+) > create mode 100644 hwloc.fc > create mode 100644 hwloc.if > create mode 100644 hwloc.te > > diff --git a/hwloc.fc b/hwloc.fc > new file mode 100644 > index 0000000..81c6451 > --- /dev/null > +++ b/hwloc.fc > @@ -0,0 +1,3 @@ > +/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0) > + > +/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0) > diff --git a/hwloc.if b/hwloc.if > new file mode 100644 > index 0000000..f0a5217 > --- /dev/null > +++ b/hwloc.if 
> @@ -0,0 +1,103 @@ > +## Dump topology and locality information from hardware tables. > + > +######################################## > +## > +## Execute hwloc dhwd in the hwloc dhwd domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`hwloc_domtrans_hwloc_dhwd',` > + gen_require(` > + type hwloc_dhwd_t, hwloc_dhwd_exec_t; > + ') > + > + domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t) > +') > + > +######################################## > +## > +## Execute hwloc dhwd in the hwloc dhwd domain, and > +## allow the specified role the hwloc dhwd domain, > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`hwloc_run_hwloc_dhwd',` > + gen_require(` > + attribute_role hwloc_dhwd_roles; > + ') > + > + hwloc_domtrans_hwloc_dhwd($1) > + roleattribute $2 hwloc_dhwd_roles; > +') > + > +######################################## > +## > +## Execute hwloc dhwd in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`hwloc_exec_hwloc_dhwd',` > + gen_require(` > + type hwloc_dhwd_exec_t; > + ') > + > + can_exec($1, hwloc_dhwd_exec_t) > +') > + > +######################################## > +## > +## Manage hwloc runtime. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`hwloc_manage_runtime',` > + gen_require(` > + type hwloc_var_run_t; > + ') > + > + files_rw_pid_dirs($1) This seems wrong. Shouldn't it be a pid filetrans on 'hwloc'? There is no reason to give rw perms on everything in /run. -- Jason > + allow $1 hwloc_var_run_t:dir manage_dir_perms; > + allow $1 hwloc_var_run_t:file manage_file_perms; > + allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms; > +') > + > +######################################## > +## > +## Read hwloc runtime files. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`hwloc_read_runtime_files',` > + gen_require(` > + type hwloc_var_run_t; > + ') > + > + files_search_pids($1) > + read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t) > +') > diff --git a/hwloc.te b/hwloc.te > new file mode 100644 > index 0000000..3465e3a > --- /dev/null > +++ b/hwloc.te 
> @@ -0,0 +1,28 @@ > +policy_module(hwloc, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +attribute_role hwloc_dhwd_roles; > +roleattribute system_r hwloc_dhwd_roles; > + > +type hwloc_dhwd_t; > +type hwloc_dhwd_exec_t; > +init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t) > +role hwloc_dhwd_roles types hwloc_dhwd_t; > + > +type hwloc_var_run_t; > +files_pid_file(hwloc_var_run_t) > + > +######################################## > +# > +# Local policy > +# > + > +allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms; > +allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms; > +files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir) > + > +dev_read_sysfs(hwloc_dhwd_t) > -- > 2.5.1
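Review bot: the diff places hwloc.fc, hwloc.if and hwloc.te at the repository root (`--- /dev/null` / `+++ b/hwloc.fc` and so on), not under refpolicy's `policy/modules/<layer>/` tree, so the patch cannot apply to the tree as posted; please regenerate it against the layer directory the module belongs in. In the hwloc.fc hunk, the `/var/run/hwloc(/.*)?` entry only describes what the domain creates if the type transition in hwloc.te is tied to that directory name; as written, the .fc entry and the unnamed filetrans disagree about which directories end up as hwloc_var_run_t.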
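Review bot: in the hwloc.if hunk, `hwloc_manage_runtime` calls `files_rw_pid_dirs($1)`, which grants read/write on every var_run_t directory, far more than a caller needs to reach /var/run/hwloc; `files_search_pids($1)`, as `hwloc_read_runtime_files` already uses, plus the three hwloc_var_run_t rules is sufficient, and if callers are meant to create the directory themselves the interface should instead carry a named `files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")`. Minor: the `hwloc_run_hwloc_dhwd` summary ends with a trailing comma instead of a period, and the `<summary>`/`<param>` XML tags the interface headers need are not visible in this posting, so please confirm they are present in the real patch since the interface documentation is generated from them.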
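Review bot: in the hwloc.te hunk, `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)` has no name argument, so every directory hwloc_dhwd_t creates directly under /var/run becomes hwloc_var_run_t; restrict it to the path the .fc entry labels with `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir, "hwloc")`. The commit message says the output file transitions "from var_run_t to var_t", but the rule above transitions to hwloc_var_run_t, so the description should be corrected. The domain also gets only dir and file rules on hwloc_var_run_t while `hwloc_manage_runtime` in hwloc.if hands callers lnk_file permissions too; either drop the lnk_file rule from the interface or explain why callers need more than the domain itself.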