* [refpolicy] My take on Guido Trentalancias' mcelog changes
@ 2012-08-06 15:42 Guido Trentalancia
  2012-08-06 15:51 ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Guido Trentalancia @ 2012-08-06 15:42 UTC (permalink / raw)
  To: refpolicy

>On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
>> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
>> From: Dominick Grift <dominick.grift@gmail.com>
>> Date: Mon, 6 Aug 2012 16:16:48 +0200
>> Subject: [PATCH] Run mcelog as a daemon
>> 
>
>Looks like I am missing a file context specification for the
>mcelog_etc_t content.
>
>Where is it? Is it "/etc/mcelog(/.*)?"

Please double-check, it should be there.

>> I haven't tested this.
>> I left out the "term_use_all_ttys(mcelog_t)"

It's for interactive use (including printing out the help file by using --help).

>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>> diff --git a/mcelog.fc b/mcelog.fc
>> index 56c43c0..a16de0a 100644
>> --- a/mcelog.fc
>> +++ b/mcelog.fc
>> @@ -1 +1,8 @@
>> +/etc/rc.d/init.d/mcelog	--	gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
>> +
>>  /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +
>> +/var/log/mcelog.*	--	gen_context(system_u:object_r:mcelog_log_t,s0)
>> +
>> +/var/run/mcelog.pid	--	gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> +/var/run/mcelog-client	-s	gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> diff --git a/mcelog.te b/mcelog.te
>> index 5671977..79d5856 100644
>> --- a/mcelog.te
>> +++ b/mcelog.te
>> @@ -7,8 +7,19 @@
>>  
>>  type mcelog_t;
>>  type mcelog_exec_t;
>> -application_domain(mcelog_t, mcelog_exec_t)
>> -cron_system_entry(mcelog_t, mcelog_exec_t)
>> +init_daemon_domain(mcelog_t, mcelog_exec_t)
>> +
>> +type mcelog_initrc_exec_t;
>> +init_script_file(mcelog_initrc_exec_t)
>> +
>> +type mcelog_etc_t;
>> +files_config_file(mcelog_etc_t)
>> +
>> +type mcelog_log_t;
>> +logging_log_file(mcelog_log_t)
>> +
>> +type mcelog_var_run_t;
>> +files_pid_file(mcelog_var_run_t)
>>  
>>  ########################################
>>  #
>> @@ -16,11 +27,29 @@
>>  #
>>  
>>  allow mcelog_t self:capability sys_admin;
>> +allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>> +
>> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
>> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>> +
>> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>> +
>> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>>  
>>  kernel_read_system_state(mcelog_t)
>>  
>> +corecmd_exec_bin(mcelog_t)
>> +
>>  dev_read_raw_memory(mcelog_t)
>>  dev_read_kmsg(mcelog_t)
>> +dev_rw_sysfs(mcelog_t)
>> +
>> +domain_use_interactive_fds(mcelog_t)
>>  
>>  files_read_etc_files(mcelog_t)
>>  
>> @@ -30,3 +59,7 @@
>>  logging_send_syslog_msg(mcelog_t)
>>  
>>  miscfiles_read_localization(mcelog_t)
>> +
>> +optional_policy(`
>> +	cron_system_entry(mcelog_t, mcelog_exec_t)
>> +')
>
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
>
> 


* [refpolicy] My take on Guido Trentalancias' mcelog changes
  2012-08-06 15:42 [refpolicy] My take on Guido Trentalancias' mcelog changes Guido Trentalancia
@ 2012-08-06 15:51 ` Dominick Grift
  0 siblings, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2012-08-06 15:51 UTC (permalink / raw)
  To: refpolicy



On Mon, 2012-08-06 at 17:42 +0200, Guido Trentalancia wrote:
> >On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
> >> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
> >> From: Dominick Grift <dominick.grift@gmail.com>
> >> Date: Mon, 6 Aug 2012 16:16:48 +0200
> >> Subject: [PATCH] Run mcelog as a daemon
> >> 
> >
> >Looks like I am missing a file context specification for the
> >mcelog_etc_t content.
> >
> >Where is it? Is it "/etc/mcelog(/.*)?"
> 
> Please double-check, it should be there.

OK, must have overlooked that.

> >> I haven't tested this.
> >> I left out the "term_use_all_ttys(mcelog_t)"
> 
> It's for interactive use (including printing out the help file by using --help).

Probably use userdom_use_user_terminals instead.


* [refpolicy] My take on Guido Trentalancias' mcelog changes
  2012-08-06 14:30 Dominick Grift
@ 2012-08-06 14:54 ` Dominick Grift
  0 siblings, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2012-08-06 14:54 UTC (permalink / raw)
  To: refpolicy

On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
> From: Dominick Grift <dominick.grift@gmail.com>
> Date: Mon, 6 Aug 2012 16:16:48 +0200
> Subject: [PATCH] Run mcelog as a daemon
> 

Looks like I am missing a file context specification for the
mcelog_etc_t content.

Where is it? Is it "/etc/mcelog(/.*)?"

> I haven't tested this.
> I left out the "term_use_all_ttys(mcelog_t)"
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/mcelog.fc b/mcelog.fc
> index 56c43c0..a16de0a 100644
> --- a/mcelog.fc
> +++ b/mcelog.fc
> @@ -1 +1,8 @@
> +/etc/rc\.d/init\.d/mcelog	--	gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
> +
>  /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
> +/var/log/mcelog.*	--	gen_context(system_u:object_r:mcelog_log_t,s0)
> +
> +/var/run/mcelog.pid	--	gen_context(system_u:object_r:mcelog_var_run_t,s0)
> +/var/run/mcelog-client	-s	gen_context(system_u:object_r:mcelog_var_run_t,s0)
> diff --git a/mcelog.te b/mcelog.te
> index 5671977..79d5856 100644
> --- a/mcelog.te
> +++ b/mcelog.te
> @@ -7,8 +7,19 @@
>  
>  type mcelog_t;
>  type mcelog_exec_t;
> -application_domain(mcelog_t, mcelog_exec_t)
> -cron_system_entry(mcelog_t, mcelog_exec_t)
> +init_daemon_domain(mcelog_t, mcelog_exec_t)
> +
> +type mcelog_initrc_exec_t;
> +init_script_file(mcelog_initrc_exec_t)
> +
> +type mcelog_etc_t;
> +files_config_file(mcelog_etc_t)
> +
> +type mcelog_log_t;
> +logging_log_file(mcelog_log_t)
> +
> +type mcelog_var_run_t;
> +files_pid_file(mcelog_var_run_t)
>  
>  ########################################
>  #
> @@ -16,11 +27,29 @@
>  #
>  
>  allow mcelog_t self:capability sys_admin;
> +allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
> +
> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
> +
> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>  
>  kernel_read_system_state(mcelog_t)
>  
> +corecmd_exec_bin(mcelog_t)
> +
>  dev_read_raw_memory(mcelog_t)
>  dev_read_kmsg(mcelog_t)
> +dev_rw_sysfs(mcelog_t)
> +
> +domain_use_interactive_fds(mcelog_t)
>  
>  files_read_etc_files(mcelog_t)
>  
> @@ -30,3 +59,7 @@
>  logging_send_syslog_msg(mcelog_t)
>  
>  miscfiles_read_localization(mcelog_t)
> +
> +optional_policy(`
> +	cron_system_entry(mcelog_t, mcelog_exec_t)
> +')


* [refpolicy] My take on Guido Trentalancias' mcelog changes
@ 2012-08-06 14:30 Dominick Grift
  2012-08-06 14:54 ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2012-08-06 14:30 UTC (permalink / raw)
  To: refpolicy

From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
From: Dominick Grift <dominick.grift@gmail.com>
Date: Mon, 6 Aug 2012 16:16:48 +0200
Subject: [PATCH] Run mcelog as a daemon

I haven't tested this.
I left out the "term_use_all_ttys(mcelog_t)"

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/mcelog.fc b/mcelog.fc
index 56c43c0..a16de0a 100644
--- a/mcelog.fc
+++ b/mcelog.fc
@@ -1 +1,8 @@
+/etc/rc\.d/init\.d/mcelog	--	gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
 /usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog.*	--	gen_context(system_u:object_r:mcelog_log_t,s0)
+
+/var/run/mcelog.pid	--	gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client	-s	gen_context(system_u:object_r:mcelog_var_run_t,s0)
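Review bot: no file context is given for `mcelog_etc_t` in this `.fc` hunk, although the `.te` part of the same patch declares the type and grants `mcelog_t` `list_dir_perms` and `read_files_pattern` on it; without a line such as the `/etc/mcelog(/.*)?` suggested in the thread, nothing on disk is ever labelled `mcelog_etc_t` and those rules never match. Smaller point: the literal dot in `/var/run/mcelog.pid` is unescaped while `/etc/rc\.d/init\.d/mcelog` escapes its dots; in a file-context regex `.` matches any character, so `/var/run/mcelog\.pid` is the precise spelling (`/var/log/mcelog.*` is fine as written, since `.*` is intended there).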
diff --git a/mcelog.te b/mcelog.te
index 5671977..79d5856 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -7,8 +7,19 @@
 
 type mcelog_t;
 type mcelog_exec_t;
-application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
 
 ########################################
 #
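Review bot: the commit message says nothing about this change in kind, yet the hunk replaces `application_domain` plus an unconditional `cron_system_entry` with `init_daemon_domain` and introduces four new types (`mcelog_initrc_exec_t`, `mcelog_etc_t`, `mcelog_log_t`, `mcelog_var_run_t`); a short body explaining that mcelog now runs as an init-started daemon with its own config, log and pid labels, and why the cron entry becomes optional, would let reviewers judge it without reconstructing the intent from the diff. Given the "I haven't tested this" in the description, at least building the module to confirm the new interfaces resolve would be the minimum before this is applied.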
@@ -16,11 +27,29 @@
 #
 
 allow mcelog_t self:capability sys_admin;
+allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
+
+allow mcelog_t mcelog_etc_t:dir list_dir_perms;
+read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
+
+create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
 
 kernel_read_system_state(mcelog_t)
 
+corecmd_exec_bin(mcelog_t)
+
 dev_read_raw_memory(mcelog_t)
 dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
+
+domain_use_interactive_fds(mcelog_t)
 
 files_read_etc_files(mcelog_t)
 
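Review bot: `dev_rw_sysfs(mcelog_t)` grants write access to all of sysfs, which is broader than a log-reading daemon should normally need; if mcelog only reads from `/sys`, the read-only interface `dev_read_sysfs` is the least-privilege choice, and if it does write, the note should say which sysfs attribute requires it. Likewise `corecmd_exec_bin(mcelog_t)` is added without a stated reason; a pointer to the denial or feature (for example, running a trigger script) that motivates it would help confirm that a bin-execute permission, rather than a shell or a more specific interface, is what is actually needed.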
@@ -30,3 +59,7 @@
 logging_send_syslog_msg(mcelog_t)
 
 miscfiles_read_localization(mcelog_t)
+
+optional_policy(`
+	cron_system_entry(mcelog_t, mcelog_exec_t)
+')