From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 27 Apr 2016 13:33:50 -0400
Subject: [refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy
In-Reply-To: <1461770515-13153-2-git-send-email-grzegorz.andrejczuk@intel.com>
References: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com> <1461770515-13153-1-git-send-email-grzegorz.andrejczuk@intel.com> <1461770515-13153-2-git-send-email-grzegorz.andrejczuk@intel.com>
Message-ID: <5720F7FE.80603@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 4/27/2016 11:21 AM, gandrejc wrote:
> --- /dev/null
> +++ b/hwloc.if
> @@ -0,0 +1,103 @@
> +## Dump topology and locality information from hardware tables.
> +
> +########################################
> +##
> +## Execute hwloc dhwd in the hwloc dhwd domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`hwloc_domtrans_hwloc_dhwd',`

I would name this hwloc_domtrans_dhwd.

> +########################################
> +##
> +## Manage hwloc runtime.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`hwloc_manage_runtime',`
> + gen_require(`
> + type hwloc_var_run_t;
> + ')
> +
> + files_rw_pid_dirs($1)
> + allow $1 hwloc_var_run_t:dir manage_dir_perms;
> + allow $1 hwloc_var_run_t:file manage_file_perms;
> + allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;
> +')

Are there subdirectories under /var/run/hwloc? If not, I would reduce the access to rw_dir_perms on hwloc_var_run_t dirs. Additionally, since the tool itself seems to create the top level dir (based on the below filetrans in the .te), it doesn't seem appropriate for this interface to allow the caller files_rw_pid_dirs(), but to simply search pid dirs. The rw_pid_dirs would more likely fall under a filetrans interface.

> diff --git a/hwloc.te b/hwloc.te
> new file mode 100644
> index 0000000..3465e3a
> --- /dev/null
> +++ b/hwloc.te
> @@ -0,0 +1,28 @@
> +policy_module(hwloc, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role hwloc_dhwd_roles;
> +roleattribute system_r hwloc_dhwd_roles;
> +
> +type hwloc_dhwd_t;
> +type hwloc_dhwd_exec_t;
> +init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
> +role hwloc_dhwd_roles types hwloc_dhwd_t;
> +
> +type hwloc_var_run_t;
> +files_pid_file(hwloc_var_run_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
> +allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
> +files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
> +
> +dev_read_sysfs(hwloc_dhwd_t)
> --

Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
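Review bot: in the hwloc_manage_runtime interface of the hwloc.if hunk, the line `allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;` hands callers symlink management that the owning domain never receives: the local policy in the hwloc.te hunk allows hwloc_dhwd_t only dir and file access on hwloc_var_run_t. Either the tool creates symlinks under its runtime directory, in which case hwloc.te needs the matching lnk_file rule, or the lnk_file line should be dropped so that an interface does not grant more on hwloc_var_run_t than hwloc_dhwd_t itself uses. The interface's doc comment should also say what callers are expected to manage there, since "Manage hwloc runtime." does not tell a policy writer whether this is meant for the tool's consumers or for a service that cleans the directory up.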
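Review bot: in the local policy section of the hwloc.te hunk, the two rules `allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;` and `allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;` are written as raw allow rules where refpolicy convention is the pattern macros, i.e. `manage_dirs_pattern(hwloc_dhwd_t, hwloc_var_run_t, hwloc_var_run_t)` and `manage_files_pattern(hwloc_dhwd_t, hwloc_var_run_t, hwloc_var_run_t)`. Separately, `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)` carries no name argument, so any directory hwloc_dhwd_t creates directly under the pid directory is labelled hwloc_var_run_t, not only the /var/run/hwloc directory mentioned in the review; passing the directory name as the fourth argument restricts the transition to that one name.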
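As an added example, not code from the patch or from the reply above, here is one way to lay out the hwloc.if interfaces and the hwloc.te local policy along the lines the review suggests: a separate filetrans interface that owns the creation of the top-level pid directory (and is therefore the one that needs files_rw_pid_dirs), and a narrower manage interface that only searches the pid directory and uses the refpolicy pattern macros. The interface name hwloc_pid_filetrans and the directory name "hwloc" (taken from the /var/run/hwloc path in the review) are assumptions; everything else uses interfaces and macros that exist in refpolicy.

```m4
# hwloc.if (added example; assumed shape, not the patch's text)

########################################
## <summary>
##	Create the hwloc runtime directory under the pid
##	directory with the hwloc_var_run_t type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hwloc_pid_filetrans',`
	gen_require(`
		type hwloc_var_run_t;
	')

	# Creating the top-level directory is the one operation that
	# needs write access to the pid directory, so rw_pid_dirs
	# belongs here rather than in the manage interface.
	files_rw_pid_dirs($1)
	# "hwloc" is assumed from the /var/run/hwloc path in the review;
	# the name argument limits the transition to that one directory.
	files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
')

########################################
## <summary>
##	Manage hwloc runtime files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hwloc_manage_runtime',`
	gen_require(`
		type hwloc_var_run_t;
	')

	# Callers only need to find the directory, not create it.
	files_search_pids($1)
	# manage_files_pattern grants rw_dir_perms on the directory and
	# manage_file_perms on the files: the reduced access the review
	# asks for when there are no subdirectories.
	manage_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
')

# hwloc.te local policy, same assumptions: the tool itself still
# creates and fully manages its own runtime directory.
manage_dirs_pattern(hwloc_dhwd_t, hwloc_var_run_t, hwloc_var_run_t)
manage_files_pattern(hwloc_dhwd_t, hwloc_var_run_t, hwloc_var_run_t)
files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir, "hwloc")
```

With this split, a domain that only needs to read or rewrite files inside /var/run/hwloc gets hwloc_manage_runtime and never receives write access on the pid directory itself; only the domain that is supposed to create the directory gets hwloc_pid_filetrans.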