* [refpolicy] My take on Guido Trentalancias' mcelog changes
From: Guido Trentalancia @ 2012-08-06 15:42 UTC (permalink / raw)
To: refpolicy
>On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
>> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
>> From: Dominick Grift <dominick.grift@gmail.com>
>> Date: Mon, 6 Aug 2012 16:16:48 +0200
>> Subject: [PATCH] Run mcelog as a daemon
>>
>
>Looks like I am missing a file context specification for the
>mcelog_etc_t content.
>
>Where is it? Is it "/etc/mcelog(/.*)?"
Please double-check, it should be there.
>> I haven't tested this.
>> I left out the "term_use_all_ttys(mcelog_t)"
It's for interactive use (including printing out the help file by using --help).
>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>> diff --git a/mcelog.fc b/mcelog.fc
>> index 56c43c0..a16de0a 100644
>> --- a/mcelog.fc
>> +++ b/mcelog.fc
>> @@ -1 +1,8 @@
>> +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
>> +
>> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +
>> +/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
>> +
>> +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> diff --git a/mcelog.te b/mcelog.te
>> index 5671977..79d5856 100644
>> --- a/mcelog.te
>> +++ b/mcelog.te
>> @@ -7,8 +7,19 @@
>>
>> type mcelog_t;
>> type mcelog_exec_t;
>> -application_domain(mcelog_t, mcelog_exec_t)
>> -cron_system_entry(mcelog_t, mcelog_exec_t)
>> +init_daemon_domain(mcelog_t, mcelog_exec_t)
>> +
>> +type mcelog_initrc_exec_t;
>> +init_script_file(mcelog_initrc_exec_t)
>> +
>> +type mcelog_etc_t;
>> +files_config_file(mcelog_etc_t)
>> +
>> +type mcelog_log_t;
>> +logging_log_file(mcelog_log_t)
>> +
>> +type mcelog_var_run_t;
>> +files_pid_file(mcelog_var_run_t)
>>
>> ########################################
>> #
>> @@ -16,11 +27,29 @@
>> #
>>
>> allow mcelog_t self:capability sys_admin;
>> +allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>> +
>> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
>> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>> +
>> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>> +
>> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>>
>> kernel_read_system_state(mcelog_t)
>>
>> +corecmd_exec_bin(mcelog_t)
>> +
>> dev_read_raw_memory(mcelog_t)
>> dev_read_kmsg(mcelog_t)
>> +dev_rw_sysfs(mcelog_t)
>> +
>> +domain_use_interactive_fds(mcelog_t)
>>
>> files_read_etc_files(mcelog_t)
>>
>> @@ -30,3 +59,7 @@
>> logging_send_syslog_msg(mcelog_t)
>>
>> miscfiles_read_localization(mcelog_t)
>> +
>> +optional_policy(`
>> + cron_system_entry(mcelog_t, mcelog_exec_t)
>> +')
>
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
* [refpolicy] My take on Guido Trentalancias' mcelog changes
From: Dominick Grift @ 2012-08-06 15:51 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-08-06 at 17:42 +0200, Guido Trentalancia wrote:
> >On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
> >> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
> >> From: Dominick Grift <dominick.grift@gmail.com>
> >> Date: Mon, 6 Aug 2012 16:16:48 +0200
> >> Subject: [PATCH] Run mcelog as a daemon
> >>
> >
> >Looks like I am missing a file context specification for the
> >mcelog_etc_t content.
> >
> >Where is it? Is it "/etc/mcelog(/.*)?"
>
> Please double-check, it should be there.
OK, I must have overlooked that.
> >> I haven't tested this.
> >> I left out the "term_use_all_ttys(mcelog_t)"
>
> It's for interactive use (including printing out the help file by using --help).
Probably use userdom_use_user_terminals instead.
* [refpolicy] My take on Guido Trentalancias' mcelog changes
From: Dominick Grift @ 2012-08-06 14:54 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-08-06 at 16:30 +0200, Dominick Grift wrote:
> From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
> From: Dominick Grift <dominick.grift@gmail.com>
> Date: Mon, 6 Aug 2012 16:16:48 +0200
> Subject: [PATCH] Run mcelog as a daemon
>
Looks like I am missing a file context specification for the
mcelog_etc_t content.
Where is it? Is it "/etc/mcelog(/.*)?"
> I haven't tested this.
> I left out the "term_use_all_ttys(mcelog_t)"
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/mcelog.fc b/mcelog.fc
> index 56c43c0..a16de0a 100644
> --- a/mcelog.fc
> +++ b/mcelog.fc
> @@ -1 +1,8 @@
> +/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
> +
> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
> +/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
> +
> +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
> +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
> diff --git a/mcelog.te b/mcelog.te
> index 5671977..79d5856 100644
> --- a/mcelog.te
> +++ b/mcelog.te
> @@ -7,8 +7,19 @@
>
> type mcelog_t;
> type mcelog_exec_t;
> -application_domain(mcelog_t, mcelog_exec_t)
> -cron_system_entry(mcelog_t, mcelog_exec_t)
> +init_daemon_domain(mcelog_t, mcelog_exec_t)
> +
> +type mcelog_initrc_exec_t;
> +init_script_file(mcelog_initrc_exec_t)
> +
> +type mcelog_etc_t;
> +files_config_file(mcelog_etc_t)
> +
> +type mcelog_log_t;
> +logging_log_file(mcelog_log_t)
> +
> +type mcelog_var_run_t;
> +files_pid_file(mcelog_var_run_t)
>
> ########################################
> #
> @@ -16,11 +27,29 @@
> #
>
> allow mcelog_t self:capability sys_admin;
> +allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow mcelog_t mcelog_etc_t:dir list_dir_perms;
> +read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
> +
> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
> +
> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>
> kernel_read_system_state(mcelog_t)
>
> +corecmd_exec_bin(mcelog_t)
> +
> dev_read_raw_memory(mcelog_t)
> dev_read_kmsg(mcelog_t)
> +dev_rw_sysfs(mcelog_t)
> +
> +domain_use_interactive_fds(mcelog_t)
>
> files_read_etc_files(mcelog_t)
>
> @@ -30,3 +59,7 @@
> logging_send_syslog_msg(mcelog_t)
>
> miscfiles_read_localization(mcelog_t)
> +
> +optional_policy(`
> + cron_system_entry(mcelog_t, mcelog_exec_t)
> +')
* [refpolicy] My take on Guido Trentalancias' mcelog changes
From: Dominick Grift @ 2012-08-06 14:30 UTC (permalink / raw)
To: refpolicy
From c439dc3f8dcdfb20dd35e0838df7f6555c6a90b5 Mon, 6 Aug 2012 16:26:21 +0200
From: Dominick Grift <dominick.grift@gmail.com>
Date: Mon, 6 Aug 2012 16:16:48 +0200
Subject: [PATCH] Run mcelog as a daemon
I haven't tested this.
I left out the "term_use_all_ttys(mcelog_t)"
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/mcelog.fc b/mcelog.fc
index 56c43c0..a16de0a 100644
--- a/mcelog.fc
+++ b/mcelog.fc
@@ -1 +1,8 @@
+/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+
+/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
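Review bot: no path in this hunk is labelled mcelog_etc_t, although the mcelog.te hunks declare that type and grant mcelog_t read access to it, so without a matching entry nothing on disk would ever carry the label; a line of the form `/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)` (the pattern asked about in the thread) is needed, with the path confirmed against the installed package. A smaller point: `/var/run/mcelog.pid` leaves the dot unescaped while `/etc/rc\.d/init\.d/mcelog` in the same hunk escapes it; file context paths are regular expressions, so `/var/run/mcelog\.pid` is the precise form (the `.*` in `/var/log/mcelog.*` is presumably intentional, to cover rotated logs).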
diff --git a/mcelog.te b/mcelog.te
index 5671977..79d5856 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -7,8 +7,19 @@
type mcelog_t;
type mcelog_exec_t;
-application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
########################################
#
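Review bot: replacing application_domain with init_daemon_domain means mcelog_t is entered only through the init transition (and through cron via the optional block at the end of the patch); the patch adds no transition from user domains, so a manual run of /usr/sbin/mcelog, including the --help case discussed in the thread, stays in the caller's domain and never reaches the tty rules being debated. If interactive use in mcelog_t is intended, the commit message should say so and a user-domain transition interface would still be needed; otherwise the dropped term_use_all_ttys rule is moot and can stay out.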
@@ -16,11 +27,29 @@
#
allow mcelog_t self:capability sys_admin;
+allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
+
+allow mcelog_t mcelog_etc_t:dir list_dir_perms;
+read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
+
+create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
kernel_read_system_state(mcelog_t)
+corecmd_exec_bin(mcelog_t)
+
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
+
+domain_use_interactive_fds(mcelog_t)
files_read_etc_files(mcelog_t)
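Review bot: dev_rw_sysfs(mcelog_t) grants read and write access to every file under /sys; unless mcelog actually writes to sysfs, dev_read_sysfs(mcelog_t) is the least-privilege choice, and given that the commit message says the patch is untested this is the rule most worth confirming with a real run and an audit of the resulting denials. The log rules are well shaped (create, append and setattr only, no write or unlink, plus the filetrans), which is the right profile for a daemon's own log file. For consistency with the pattern style on the following lines, `allow mcelog_t mcelog_etc_t:dir list_dir_perms;` could be written as `list_dirs_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)`.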
@@ -30,3 +59,7 @@
logging_send_syslog_msg(mcelog_t)
miscfiles_read_localization(mcelog_t)
+
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
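Review bot: restoring cron_system_entry inside optional_policy is the right way to keep the cron-driven mode working on builds without the cron module, and together with init_daemon_domain in the first mcelog.te hunk it gives mcelog_t two entry points sharing one set of rules, which is fine as long as the pid and socket permissions are acceptable for the cron-run instance too. Style: refpolicy indents the body of an optional_policy block with a tab, whereas this line shows a single space.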