From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-20.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28D0FC433E0 for ; Mon, 8 Mar 2021 02:38:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E0D5964F1D for ; Mon, 8 Mar 2021 02:38:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232230AbhCHChn (ORCPT ); Sun, 7 Mar 2021 21:37:43 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:50702 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232167AbhCHChE (ORCPT ); Sun, 7 Mar 2021 21:37:04 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 9339FF9B5 for ; Mon, 8 Mar 2021 13:37:00 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1615171020; bh=UN5xFQHky0D2M5xb+k6ZtepiMc70q9UgEwRfRt5yY98=; l=3714; h=Date:From:To:Subject:From; b=2bEHJaQwmqtTgh+0/Lo9hrClkkjMV0djC63GJg2Pzxvy8154GQ8Ym1rpIhkukJfAw R/xesj0HiQAyFzl6iHe0glkC2BkiSADNyf0FBchNNh2X4ir0LaXz/NRNqLE9PUemJy z8w6O1S73xcA80fIN1r/TlGr/sleIsdCo0MDUwkY= Received: by xev.coker.com.au (Postfix, from userid 1001) id 1105413A2C3C; Mon, 8 Mar 2021 13:36:56 +1100 (AEDT) Date: Mon, 8 Mar 2021 13:36:56 +1100 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] rasdaemon (replacement for mcelog) Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This is policy for rasdaemon, the new replacement for mcelog. The /dev/mcelog device is now an obsolete kernel feature that can be enabled for backward compatibility and rasdaeon with tracefs is the new way. I've tested this and it seems to work OK, but all my servers are working well so I haven't been able to test the case of actually detecting an error. It would be good if someone with a known damaged server could give it a go. I think this is ready for merging. Signed-off-by: Russell Coker Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if =================================================================== --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if @@ -5302,6 +5302,25 @@ interface(`fs_getattr_tracefs_files',` ######################################## ## +## Read/write trace filesystem files +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_write_tracefs_files',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir list_dir_perms; + allow $1 tracefs_t:file rw_file_perms; +') + +######################################## +## ## Mount a XENFS filesystem. ## ## Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.fc =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.fc @@ -0,0 +1,3 @@ +/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0) + Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.if =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.if @@ -0,0 +1 @@ +## Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.te =================================================================== --- /dev/null +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.te @@ -0,0 +1,49 @@ +policy_module(rasdaemon, 1.0.0) + +# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging +# tool. It currently records memory errors, using the EDAC tracing events. +# EDAC are drivers in the Linux kernel that handle detection of ECC errors +# from memory controllers for most chipsets on x86 and ARM architectures. +# +# https://git.infradead.org/users/mchehab/rasdaemon.git + +######################################## +# +# Declarations +# + +type rasdaemon_t; +type rasdaemon_exec_t; +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) + +type rasdaemon_var_t; +files_type(rasdaemon_var_t) + +######################################## +# +# Local policy +# + +allow rasdaemon_t self:unix_dgram_socket create_socket_perms; + +# confidentiality for tracefs and integrity for debugfs +allow rasdaemon_t self:lockdown { confidentiality integrity }; + +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms; +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms; + +kernel_read_debugfs(rasdaemon_t) +kernel_read_system_state(rasdaemon_t) +kernel_read_vm_overcommit_sysctl(rasdaemon_t) +kernel_search_fs_sysctls(rasdaemon_t) + +dev_list_sysfs(rasdaemon_t) +dev_read_urand(rasdaemon_t) + +files_read_etc_symlinks(rasdaemon_t) +files_search_var_lib(rasdaemon_t) +fs_write_tracefs_files(rasdaemon_t) + +logging_send_syslog_msg(rasdaemon_t) +miscfiles_read_localization(rasdaemon_t) +