From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v6]: mcelog module initial rewrite
Date: Wed, 08 Aug 2012 00:04:45 +0200 [thread overview]
Message-ID: <502190FD.4060905@trentalancia.com> (raw)
In-Reply-To: <1344371220.2306.18.camel@d30.localdomain>
Here is the latest (v6) version:
Rewrite of mcelog module:
- version increment
- fix and extend file contexts (private types)
- support daemon mode and init scripting (+ deprecated and untested cron
mode)
- support optional triggers for all distributions, while leaving
compatibility with their alternate location in Fedora (and
current policy)
- initial configurable support for client/server mode (untested)
- support for sysfs (rw)
- includes several revisions from Dominick Grift
- removed duplicate syslog interface over previous version 4
- reduced stream_connect_pattern to permissions from version 5
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/mcelog.fc | 12 +++
policy/modules/contrib/mcelog.te | 118
++++++++++++++++++++++++++++++++--
policy/modules/kernel/corecommands.fc | 8 ++
3 files changed, 131 insertions(+), 7 deletions(-)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc
refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc
--- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09
18:29:23.578610955 +0200
+++
refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc
2012-08-07 21:10:43.247757154 +0200
@@ -1 +1,13 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
+')
+
+/etc/rc\.d/init\.d/mcelog --
gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s
gen_context(system_u:object_r:mcelog_var_run_t,s0)
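Review bot: `/var/log/mcelog.*` leaves the dot unescaped, so unlike `/var/run/mcelog\.pid` two lines below it the pattern labels any regular file in /var/log whose name merely starts with `mcelog`, not just the mcelog log and its rotated copies. If the log file and its rotations are what is meant, `/var/log/mcelog(\..*)? -- gen_context(system_u:object_r:mcelog_log_t,s0)` keeps the escaping consistent with the pid entry; if other names are intended, a short comment above the line saying which would help the next reader. The `-s` entry for the client socket and the `-d` entry for the Fedora triggers directory look consistent with the matching rules in the .te hunks.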
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te
refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te
--- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09
18:29:23.578610955 +0200
+++
refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te
2012-08-08 01:11:06.572330170 +0200
@@ -1,14 +1,70 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)
########################################
#
# Declarations
#
+## <desc>
+## <p>
+## Allow mcelog to run in client mode.
+## Required to run mcelog in client
+## mode.
+## </p>
+## </desc>
+gen_tunable(mcelog_client, false)
+
+## <desc>
+## <p>
+## Allow mcelog to execute scripts.
+## Required to execute optional triggers
+## and/or local scripts.
+## </p>
+## </desc>
+gen_tunable(mcelog_exec_scripts, true)
+
+## <desc>
+## <p>
+## Allow mcelog to use all the user ttys.
+## Required in foreground mode and to
+## print out usage and version information.
+## </p>
+## </desc>
+gen_tunable(mcelog_foreground, true)
+
+## <desc>
+## <p>
+## Allow mcelog to run a server.
+## Required to enable the optional configurable
+## Unix stream socket server functionality.
+## </p>
+## </desc>
+gen_tunable(mcelog_server, false)
+
+## <desc>
+## <p>
+## Allow mcelog to use syslog.
+## Required to use the configurable
+## syslog option.
+## </p>
+## </desc>
+gen_tunable(mcelog_syslog, true)
+
type mcelog_t;
type mcelog_exec_t;
-application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
########################################
#
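Review bot: `gen_tunable(mcelog_foreground, true)` grants the daemon every user terminal in the default build, although the init-started daemon mode that this hunk makes primary via `init_daemon_domain` has no need of a tty; a default of `gen_tunable(mcelog_foreground, false)` keeps the stock install at the minimum and lets an administrator turn it on for interactive use, which is the usual refpolicy convention for extra-access booleans. The description blocks also repeat themselves rather than stating what is granted, e.g. `Allow mcelog to run in client mode. Required to run mcelog in client mode.`; the second sentence would be more useful as `Required for mcelog to connect to the Unix stream socket of a running mcelog server.`, and likewise for the server and foreground booleans. The same applies to the `mcelog_exec_scripts` text, which could name the bin_t trigger scripts it enables.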
@@ -16,17 +72,67 @@ cron_system_entry(mcelog_t, mcelog_exec_
#
allow mcelog_t self:capability sys_admin;
+allow mcelog_t self:unix_stream_socket connected_socket_perms;
+allow mcelog_t mcelog_etc_t:dir list_dir_perms;
+
+files_search_pids(mcelog_t)
+read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
+
+# manage a logfile in a generic or private log directory
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
kernel_read_system_state(mcelog_t)
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
files_read_etc_files(mcelog_t)
+files_search_pids(mcelog_t)
+read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
+
+locallogin_use_fds(mcelog_t)
+
+miscfiles_read_localization(mcelog_t)
# for /dev/mem access
mls_file_read_all_levels(mcelog_t)
-logging_send_syslog_msg(mcelog_t)
-
-miscfiles_read_localization(mcelog_t)
+# needed in client-mode
+tunable_policy(`mcelog_client',`
+ allow mcelog_t self:unix_stream_socket connectto;
+')
+
+# required for executing optional triggers and scripts
+tunable_policy(`mcelog_exec_scripts',`
+ allow mcelog_t self:fifo_file { read getattr write };
+ corecmd_exec_bin(mcelog_t)
+ corecmd_exec_shell(mcelog_t)
+')
+
+# required for optional foreground mode and
+# console output
+tunable_policy(`mcelog_foreground',`
+ userdom_use_user_terminals(mcelog_t)
+')
+
+# required for the optional server functionality
+tunable_policy(`mcelog_server',`
+ allow mcelog_t self:unix_stream_socket { listen accept };
+')
+
+# use syslog functionality (optional, configurable)
+tunable_policy(`mcelog_syslog',`
+ logging_send_syslog_msg(mcelog_t)
+')
+
+# optional support for running it as a cron job
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
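Review bot: The `mcelog_client` branch grants only `connectto`, while the unconditional `allow mcelog_t self:unix_stream_socket connected_socket_perms;` at the top of the hunk does not, as far as I recall from refpolicy's obj_perm_sets.spt, include `connect` (that lives in rw_socket_perms/create_socket_perms); if that is right, a client's connect() is still denied with the tunable on, and the branch should read `allow mcelog_t self:unix_stream_socket { connect connectto };` — worth confirming with the denials from a client-mode run before merging. The hunk also repeats `files_search_pids(mcelog_t)` and `read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)` verbatim, once before the log rules and once after `files_read_etc_files`; the second pair should be dropped. As a style point, `allow mcelog_t self:fifo_file { read getattr write };` in the exec_scripts branch is normally written with the `rw_fifo_file_perms` set rather than spelled out.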
diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc
refpolicy-04062012-mcelog-support-v6/policy/modules/kernel/corecommands.fc
--- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-07
18:38:05.323569047 +0200
+++
refpolicy-04062012-mcelog-support-v6/policy/modules/kernel/corecommands.fc
2012-08-07 15:54:20.796905090 +0200
@@ -72,8 +72,14 @@ ifdef(`distro_redhat',`
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_redhat',`
/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
+
/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
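Review bot: The hunk header's context text is `ifdef(`distro_redhat',`, which suggests these lines may already sit inside a distro_redhat block; if so, the new inner `ifdef(`distro_redhat',`` around `/etc/mcelog/triggers(/.*)?` is redundant and, more importantly, the two new `.*-error-trigger` and `.*\.local` patterns would also be Fedora-only, contradicting the "all distributions" intent stated in the description. Please check the enclosing block and, if it is closed before this point, leave the hunk as is; otherwise the two generic patterns belong outside the ifdef. Note also that `.*` in `/etc/mcelog/.*-error-trigger` matches across `/`, so nested paths such as a subdirectory's scripts are labelled bin_t too; if only the top-level scripts are meant, `[^/]*` is the usual way to say so.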
On 07/08/2012 22:27, Dominick Grift wrote:
>
>
> On Tue, 2012-08-07 at 22:20 +0200, Guido Trentalancia wrote:
>
>>>
>>> allow mcslog_t self:unix_stream_socket { create_socket_perms
>>> connectto; }
>>
>> Yes, I think it can be done, but I would need to check. But is this not
>> going to be considered overengineering ?
>
> No that is the way to go
Since apparently it hasn't been applied yet, I have attached a new
version (v6) above. It reduces the stream_connect_pattern so that it
works better with the client/server tunable policy.
>> I don't like such term very much in this context anyway, as usually
>> there is always an advantage in terms of maintainability.
>>
>>> or show me the avc denials related to mcelog_t operating on mcelog_t
>>> unix stream sockets so that we can figure out the exact permissions.
>>>
>>> but using stream_connect_pattern() is not the way to go here
>>
>> Initially you had suggested that pattern, so I went for that.
>
> Right but at that time i didnt see the big picture (context of the
> usage)
Ok, I hope now it's fine for everyone. There is a lot more to be done,
so it's probably pointless focusing excessively on this at this point.
Regards,
Guido