From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v6]: mcelog module initial rewrite
Date: Wed, 8 Aug 2012 09:02:00 -0400
Message-ID: <50226348.5020303@tresys.com>
In-Reply-To: <502190FD.4060905@trentalancia.com>
On 08/07/12 18:04, Guido Trentalancia wrote:
> Here is the latest (v6) version:
>
> Rewrite of mcelog module:
> - version increment
> - fix and extend file contexts (private types)
> - support daemon mode and init scripting (+ deprecated and untested cron mode)
> - support optional triggers for all distributions, while leaving compatibility with their alternate location in Fedora (and current policy)
> - initial configurable support for client/server mode (untested)
> - support for sysfs (rw)
> - includes several revisions from Dominick Grift
> - removed duplicate syslog interface over previous version 4
> - reduced stream_connect_pattern to permissions from version 5
Merged. In the future, please do not increment the module version.
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
> policy/modules/contrib/mcelog.fc | 12 +++
> policy/modules/contrib/mcelog.te | 118
> ++++++++++++++++++++++++++++++++--
> policy/modules/kernel/corecommands.fc | 8 ++
> 3 files changed, 131 insertions(+), 7 deletions(-)
>
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc
> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc
> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09
> 18:29:23.578610955 +0200
> +++
> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.fc
> 2012-08-07 21:10:43.247757154 +0200
> @@ -1 +1,13 @@
> +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
> +
> +ifdef(`distro_redhat',`
> +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
> +')
> +
> +/etc/rc\.d/init\.d/mcelog --
> gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
> +
> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
> +/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
> +/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
> +/var/run/mcelog-client -s
> gen_context(system_u:object_r:mcelog_var_run_t,s0)
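Review bot: the `/etc/mcelog/triggers -d` entry inside `ifdef(`distro_redhat'` is already matched by `/etc/mcelog(/.*)?` on the first line, so its only effect is to compete with the `/etc/mcelog/triggers(/.*)?` bin_t entry that corecommands.fc keeps under the same ifdef in this patch; both specifications match the directory itself with different types, so the label it ends up with depends on the order in which the .fc files are merged. State in a comment which type the directory is meant to carry (mcelog_etc_t for the directory, bin_t for the trigger scripts inside it, as the two files suggest) and let one file own that entry. Separately, the unescaped `.` in `/var/log/mcelog.*` matches every file in /var/log whose name starts with `mcelog`, not only the mcelog log and its rotated copies; if that breadth is intended, a comment saying so would save the next reader from "fixing" it.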
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te
> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te
> --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09
> 18:29:23.578610955 +0200
> +++
> refpolicy-04062012-mcelog-support-v6/policy/modules/contrib/mcelog.te
> 2012-08-08 01:11:06.572330170 +0200
> @@ -1,14 +1,70 @@
> -policy_module(mcelog, 1.1.0)
> +policy_module(mcelog, 1.1.1)
>
> ########################################
> #
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Allow mcelog to run in client mode.
> +## Required to run mcelog in client
> +## mode.
> +## </p>
> +## </desc>
> +gen_tunable(mcelog_client, false)
> +
> +## <desc>
> +## <p>
> +## Allow mcelog to execute scripts.
> +## Required to execute optional triggers
> +## and/or local scripts.
> +## </p>
> +## </desc>
> +gen_tunable(mcelog_exec_scripts, true)
> +
> +## <desc>
> +## <p>
> +## Allow mcelog to use all the user ttys.
> +## Required in foreground mode and to
> +## print out usage and version information.
> +## </p>
> +## </desc>
> +gen_tunable(mcelog_foreground, true)
> +
> +## <desc>
> +## <p>
> +## Allow mcelog to run a server.
> +## Required to enable the optional configurable
> +## Unix stream socket server functionality.
> +## </p>
> +## </desc>
> +gen_tunable(mcelog_server, false)
> +
> +## <desc>
> +## <p>
> +## Allow mcelog to use syslog.
> +## Required to use the configurable
> +## syslog option.
> +## </p>
> +## </desc>
> +gen_tunable(mcelog_syslog, true)
> +
> type mcelog_t;
> type mcelog_exec_t;
> -application_domain(mcelog_t, mcelog_exec_t)
> -cron_system_entry(mcelog_t, mcelog_exec_t)
> +init_daemon_domain(mcelog_t, mcelog_exec_t)
> +
> +type mcelog_initrc_exec_t;
> +init_script_file(mcelog_initrc_exec_t)
> +
> +type mcelog_etc_t;
> +files_config_file(mcelog_etc_t)
> +
> +type mcelog_log_t;
> +logging_log_file(mcelog_log_t)
> +
> +type mcelog_var_run_t;
> +files_pid_file(mcelog_var_run_t)
>
> ########################################
> #
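Review bot: `policy_module(mcelog, 1.1.1)` bumps the module version, which the maintainer sets at merge time and which conflicts with the version kept upstream; leave the declaration at 1.1.0 and let the merge handle it. The tunable descriptions repeat themselves (`Allow mcelog to run in client mode.` followed by `Required to run mcelog in client mode.`); one sentence per boolean saying what it enables matches the other modules' `<desc>` blocks. Note also that three of the five tunables (`mcelog_exec_scripts`, `mcelog_foreground`, `mcelog_syslog`) default to true, so with the move from `application_domain` to `init_daemon_domain` the default mcelog_t daemon carries bin and shell execution plus user tty access out of the box; the description of `mcelog_exec_scripts` in particular should say why the wider default is the right one for a daemon rather than the usual false.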
> @@ -16,17 +72,67 @@ cron_system_entry(mcelog_t, mcelog_exec_
> #
>
> allow mcelog_t self:capability sys_admin;
> +allow mcelog_t self:unix_stream_socket connected_socket_perms;
> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
> +
> +files_search_pids(mcelog_t)
> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
> +
> +# manage a logfile in a generic or private log directory
> +manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
> +
> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>
> kernel_read_system_state(mcelog_t)
>
> dev_read_raw_memory(mcelog_t)
> dev_read_kmsg(mcelog_t)
> +dev_rw_sysfs(mcelog_t)
>
> files_read_etc_files(mcelog_t)
> +files_search_pids(mcelog_t)
> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
> +
> +locallogin_use_fds(mcelog_t)
> +
> +miscfiles_read_localization(mcelog_t)
>
> # for /dev/mem access
> mls_file_read_all_levels(mcelog_t)
>
> -logging_send_syslog_msg(mcelog_t)
> -
> -miscfiles_read_localization(mcelog_t)
> +# needed in client-mode
> +tunable_policy(`mcelog_client',`
> + allow mcelog_t self:unix_stream_socket connectto;
> +')
> +
> +# required for executing optional triggers and scripts
> +tunable_policy(`mcelog_exec_scripts',`
> + allow mcelog_t self:fifo_file { read getattr write };
> + corecmd_exec_bin(mcelog_t)
> + corecmd_exec_shell(mcelog_t)
> +')
> +
> +# required for optional foreground mode and
> +# console output
> +tunable_policy(`mcelog_foreground',`
> + userdom_use_user_terminals(mcelog_t)
> +')
> +
> +# required for the optional server functionality
> +tunable_policy(`mcelog_server',`
> + allow mcelog_t self:unix_stream_socket { listen accept };
> +')
> +
> +# use syslog functionality (optional, configurable)
> +tunable_policy(`mcelog_syslog',`
> + logging_send_syslog_msg(mcelog_t)
> +')
> +
> +# optional support for running it as a cron job
> +optional_policy(`
> + cron_system_entry(mcelog_t, mcelog_exec_t)
> +')
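Review bot: `files_search_pids(mcelog_t)` and `read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)` are added twice in this hunk, once directly after the self rules and again below `files_read_etc_files(mcelog_t)`; drop the first pair, since the second sits where refpolicy style puts them (self rules, then rules on the module's own types, then kernel and system interfaces grouped by layer). `allow mcelog_t self:fifo_file { read getattr write };` can be written with the `rw_fifo_file_perms` permission set. `dev_rw_sysfs(mcelog_t)` grants write access across all of sysfs for what the commit message describes only as `support for sysfs (rw)`; if mcelog writes to a known subtree, a comment naming it would let a later reviewer judge whether the broad interface is still the right one.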
> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc
> refpolicy-04062012-mcelog-support-v6/policy/modules/kernel/corecommands.fc
> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-07
> 18:38:05.323569047 +0200
> +++
> refpolicy-04062012-mcelog-support-v6/policy/modules/kernel/corecommands.fc
> 2012-08-07 15:54:20.796905090 +0200
> @@ -72,8 +72,14 @@ ifdef(`distro_redhat',`
> /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
> +
> +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
> +/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
> +
> +ifdef(`distro_redhat',`
> /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +')
> +
> /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
>
> /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
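Review bot: the `/etc/mcelog/triggers(/.*)?` entry kept under `ifdef(`distro_redhat'` labels the triggers directory itself bin_t, while mcelog.fc in this same patch gives that directory mcelog_etc_t with a `-d` entry; the two files should not both claim the directory, so pick one to own that label. The new `/etc/mcelog/.*-error-trigger` and `/etc/mcelog/.*\.local` entries use `.*`, which also matches paths under subdirectories such as the triggers tree; `[^/]*` restricts them to files directly under /etc/mcelog if that is the intent. Also, the `+++` timestamp for corecommands.fc (2012-08-07 15:54) is earlier than the `---` one (2012-08-07 18:38), which suggests the diff was taken against a modified base tree; regenerate it against a clean refpolicy checkout before the next revision.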
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com