* [refpolicy] [PATCH v2]: mcelog module initial rewrite
@ 2012-08-06 12:45 Guido Trentalancia
2012-08-06 13:40 ` Dominick Grift
0 siblings, 1 reply; 10+ messages in thread
From: Guido Trentalancia @ 2012-08-06 12:45 UTC (permalink / raw)
To: refpolicy
Rewrite of mcelog module:
- version increment
- fix and extend file contexts (private types)
- support daemon mode and init scripting (+ deprecated and untested cron mode)
- support triggers for all distributions, while leaving
compatibility with their alternate location in Fedora (and
current policy)
- initial support for client mode (untested)
- support for sysfs (rw)
- includes several revisions from Dominick Grift
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/contrib/mcelog.fc | 15 ++++++
policy/modules/contrib/mcelog.if | 75 ++++++++++++++++++++++++++++++++++
policy/modules/contrib/mcelog.te | 54 ++++++++++++++++++++++--
policy/modules/kernel/corecommands.fc | 6 --
4 files changed, 139 insertions(+), 11 deletions(-)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
--- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200
@@ -1 +1,16 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
+')
+
+/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
--- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200
@@ -18,3 +18,78 @@ interface(`mcelog_domtrans',`
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')
+########################################
+## <summary>
+## Read the mcelog configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcelog_read_config',`
+ gen_require(`
+ type mcelog_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
+ allow $1 mcelog_etc_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_stream_socket_create',`
+ gen_require(`
+ type mcelog_t;
+ ')
+
+ allow $1 mcelog_t:unix_stream_socket create_socket_perms;
+')
+
+########################################
+## <summary>
+## Read from an mcelog unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_stream_socket_read',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ allow $1 mcelog_var_run_t:unix_stream_socket { read };
+')
+
+########################################
+## <summary>
+## Connect to mcelog over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_stream_socket_connect',`
+ gen_require(`
+ type mcelog_t, mcelog_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t);
+')
diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
--- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200
@@ -1,4 +1,4 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)
########################################
#
@@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0)
type mcelog_t;
type mcelog_exec_t;
-application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+corecmd_executable_file(mcelog_exec_t);
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
########################################
#
@@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_
allow mcelog_t self:capability sys_admin;
+can_exec(mcelog_t, mcelog_exec_t)
+
kernel_read_system_state(mcelog_t)
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
+
+# optional support for running it as a cron job
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
+
+# needed in daemon mode
files_read_etc_files(mcelog_t)
-# for /dev/mem access
-mls_file_read_all_levels(mcelog_t)
+locallogin_use_fds(mcelog_t)
+
+# create/append a logfile in a private log directory
+create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+# use syslog functionality (optional, configurable)
logging_send_syslog_msg(mcelog_t)
+# to read the standard configuration file
+mcelog_read_config(mcelog_t)
+
+mcelog_stream_socket_create(mcelog_t)
+mcelog_stream_socket_read(mcelog_t)
+mcelog_stream_socket_connect(mcelog_t)
+
miscfiles_read_localization(mcelog_t)
+
+# for /dev/mem access
+mls_file_read_all_levels(mcelog_t)
+
+term_use_all_ttys(mcelog_t)
diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
--- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
+++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
@@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
-
-ifdef(`distro_redhat',`
-/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
-')
/etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
2012-08-06 12:45 [refpolicy] [PATCH v2]: mcelog module initial rewrite Guido Trentalancia
@ 2012-08-06 13:40 ` Dominick Grift
2012-08-06 13:42 ` Dominick Grift
0 siblings, 1 reply; 10+ messages in thread
From: Dominick Grift @ 2012-08-06 13:40 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
> Rewrite of mcelog module:
> - version increment
> - fix and extend file contexts (private types)
> - support daemon mode and init scripting (+ deprecated and untested cron mode)
> - support triggers for all distributions, while leaving
> compatibility with their alternate location in Fedora (and
> current policy)
> - initial support for client mode (untested)
> - support for sysfs (rw)
> - includes several revisions from Dominick Grift
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
> policy/modules/contrib/mcelog.fc | 15 ++++++
> policy/modules/contrib/mcelog.if | 75 ++++++++++++++++++++++++++++++++++
> policy/modules/contrib/mcelog.te | 54 ++++++++++++++++++++++--
> policy/modules/kernel/corecommands.fc | 6 --
> 4 files changed, 139 insertions(+), 11 deletions(-)
>
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200
> @@ -1 +1,16 @@
> +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
I dont have a good argument for using bin_t but i dont have a good
argument for using mcelog_exec_t either , therefore i suggest keeping it
bin_t
> +ifdef(`distro_redhat',`
> +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
> +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
> +')
> +
> +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
> +
Weird, i still dont see the periods escaped above.
> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> +
> +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
> +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
> +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
> --- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200
> @@ -18,3 +18,78 @@ interface(`mcelog_domtrans',`
> domtrans_pattern($1, mcelog_exec_t, mcelog_t)
> ')
>
> +########################################
> +## <summary>
> +## Read the mcelog configuration files.
I would probably use "Read mcelog configuration files."
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mcelog_read_config',`
I would probably call the interface "mcelog_read_config_files" or
"mcelog_read_etc_files"
> + gen_require(`
> + type mcelog_etc_t;
> + ')
> +
> + files_search_etc($1)
> + read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
> + allow $1 mcelog_etc_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_stream_socket_create',`
> + gen_require(`
> + type mcelog_t;
> + ')
> +
> + allow $1 mcelog_t:unix_stream_socket create_socket_perms;
> +')
Not needed.
> +########################################
> +## <summary>
> +## Read from an mcelog unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_stream_socket_read',`
> + gen_require(`
> + type mcelog_t, mcelog_var_run_t;
> + ')
> +
> + allow $1 mcelog_var_run_t:unix_stream_socket { read };
> +')
not needed.
> +########################################
> +## <summary>
> +## Connect to mcelog over an unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mcelog_stream_socket_connect',`
> + gen_require(`
> + type mcelog_t, mcelog_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t);
> +')
Not needed.
> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
> --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200
> @@ -1,4 +1,4 @@
> -policy_module(mcelog, 1.1.0)
> +policy_module(mcelog, 1.1.1)
>
> ########################################
> #
> @@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0)
>
> type mcelog_t;
> type mcelog_exec_t;
> -application_domain(mcelog_t, mcelog_exec_t)
> -cron_system_entry(mcelog_t, mcelog_exec_t)
> +corecmd_executable_file(mcelog_exec_t);
I still dont think corecmd_executable_file is needed. Not sure though.
> +init_daemon_domain(mcelog_t, mcelog_exec_t)
> +
> +type mcelog_initrc_exec_t;
> +init_script_file(mcelog_initrc_exec_t)
> +
> +type mcelog_etc_t;
> +files_config_file(mcelog_etc_t)
> +
> +type mcelog_log_t;
> +logging_log_file(mcelog_log_t)
> +
> +type mcelog_var_run_t;
> +files_pid_file(mcelog_var_run_t)
>
> ########################################
> #
> @@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_
>
> allow mcelog_t self:capability sys_admin;
add:
allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>
> +can_exec(mcelog_t, mcelog_exec_t)
> +
If we keep using bin_t then this isnt needed
> kernel_read_system_state(mcelog_t)
>
> dev_read_raw_memory(mcelog_t)
> dev_read_kmsg(mcelog_t)
>
> +dev_rw_sysfs(mcelog_t)
> +
> +# optional support for running it as a cron job
> +optional_policy(`
> + cron_system_entry(mcelog_t, mcelog_exec_t)
> +')
> +
> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
> +
> +# needed in daemon mode
> files_read_etc_files(mcelog_t)
>
> -# for /dev/mem access
> -mls_file_read_all_levels(mcelog_t)
> +locallogin_use_fds(mcelog_t)
> +
> +# create/append a logfile in a private log directory
> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>
> +# use syslog functionality (optional, configurable)
> logging_send_syslog_msg(mcelog_t)
>
> +# to read the standard configuration file
> +mcelog_read_config(mcelog_t)
use read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
Interfaces are not for internal use
> +
> +mcelog_stream_socket_create(mcelog_t)
> +mcelog_stream_socket_read(mcelog_t)
> +mcelog_stream_socket_connect(mcelog_t)
> +
none of the above are needed
> miscfiles_read_localization(mcelog_t)
> +
> +# for /dev/mem access
> +mls_file_read_all_levels(mcelog_t)
> +
> +term_use_all_ttys(mcelog_t)
> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
> +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
> @@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
> /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
> -/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
> -
> -ifdef(`distro_redhat',`
> -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
> -')
>
> /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
>
>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
2012-08-06 13:40 ` Dominick Grift
@ 2012-08-06 13:42 ` Dominick Grift
2012-08-06 13:46 ` Dominick Grift
0 siblings, 1 reply; 10+ messages in thread
From: Dominick Grift @ 2012-08-06 13:42 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-08-06 at 15:40 +0200, Dominick Grift wrote:
>
> On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
> > Rewrite of mcelog module:
> > - version increment
> > - fix and extend file contexts (private types)
> > - support daemon mode and init scripting (+ deprecated and untested cron mode)
> > - support triggers for all distributions, while leaving
> > compatibility with their alternate location in Fedora (and
> > current policy)
> > - initial support for client mode (untested)
> > - support for sysfs (rw)
> > - includes several revisions from Dominick Grift
> >
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > ---
> > policy/modules/contrib/mcelog.fc | 15 ++++++
> > policy/modules/contrib/mcelog.if | 75 ++++++++++++++++++++++++++++++++++
> > policy/modules/contrib/mcelog.te | 54 ++++++++++++++++++++++--
> > policy/modules/kernel/corecommands.fc | 6 --
> > 4 files changed, 139 insertions(+), 11 deletions(-)
> >
> > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
> > --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
> > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200
> > @@ -1 +1,16 @@
> > +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
> > +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> > +/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> > +
>
> I dont have a good argument for using bin_t but i dont have a good
> argument for using mcelog_exec_t either , therefore i suggest keeping it
> bin_t
>
> > +ifdef(`distro_redhat',`
> > +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
> > +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
> > +')
> > +
> > +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
> > +
>
> Weird, i still dont see the periods escaped above.
>
> > /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
> > +
> > +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
> > +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
> > +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
> > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
> > --- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
> > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200
> > @@ -18,3 +18,78 @@ interface(`mcelog_domtrans',`
> > domtrans_pattern($1, mcelog_exec_t, mcelog_t)
> > ')
> >
> > +########################################
> > +## <summary>
> > +## Read the mcelog configuration files.
>
> I would probably use "Read mcelog configuration files."
>
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`mcelog_read_config',`
>
> I would probably call the interface "mcelog_read_config_files" or
> "mcelog_read_etc_files"
>
> > + gen_require(`
> > + type mcelog_etc_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
> > + allow $1 mcelog_etc_t:dir list_dir_perms;
> > +')
Not needed. Interfaces shouldnt be used internally
> > +########################################
> > +## <summary>
> > +## Create an mcelog unix stream socket.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`mcelog_stream_socket_create',`
> > + gen_require(`
> > + type mcelog_t;
> > + ')
> > +
> > + allow $1 mcelog_t:unix_stream_socket create_socket_perms;
> > +')
>
> Not needed.
>
> > +########################################
> > +## <summary>
> > +## Read from an mcelog unix stream socket.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`mcelog_stream_socket_read',`
> > + gen_require(`
> > + type mcelog_t, mcelog_var_run_t;
> > + ')
> > +
> > + allow $1 mcelog_var_run_t:unix_stream_socket { read };
> > +')
>
> not needed.
>
> > +########################################
> > +## <summary>
> > +## Connect to mcelog over an unix stream socket.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`mcelog_stream_socket_connect',`
> > + gen_require(`
> > + type mcelog_t, mcelog_var_run_t;
> > + ')
> > +
> > + files_search_pids($1)
> > + stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t);
> > +')
>
> Not needed.
>
> > diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
> > --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
> > +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200
> > @@ -1,4 +1,4 @@
> > -policy_module(mcelog, 1.1.0)
> > +policy_module(mcelog, 1.1.1)
> >
> > ########################################
> > #
> > @@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0)
> >
> > type mcelog_t;
> > type mcelog_exec_t;
> > -application_domain(mcelog_t, mcelog_exec_t)
> > -cron_system_entry(mcelog_t, mcelog_exec_t)
> > +corecmd_executable_file(mcelog_exec_t);
>
> I still dont think corecmd_executable_file is needed. Not sure though.
>
> > +init_daemon_domain(mcelog_t, mcelog_exec_t)
> > +
> > +type mcelog_initrc_exec_t;
> > +init_script_file(mcelog_initrc_exec_t)
> > +
> > +type mcelog_etc_t;
> > +files_config_file(mcelog_etc_t)
> > +
> > +type mcelog_log_t;
> > +logging_log_file(mcelog_log_t)
> > +
> > +type mcelog_var_run_t;
> > +files_pid_file(mcelog_var_run_t)
> >
> > ########################################
> > #
> > @@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_
> >
> > allow mcelog_t self:capability sys_admin;
>
> add:
>
> allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>
> >
> > +can_exec(mcelog_t, mcelog_exec_t)
> > +
>
> If we keep using bin_t then this isnt needed
>
> > kernel_read_system_state(mcelog_t)
> >
> > dev_read_raw_memory(mcelog_t)
> > dev_read_kmsg(mcelog_t)
> >
> > +dev_rw_sysfs(mcelog_t)
> > +
> > +# optional support for running it as a cron job
> > +optional_policy(`
> > + cron_system_entry(mcelog_t, mcelog_exec_t)
> > +')
This needs to be all the way below (tunable policy goes below : see
tresys policy writing guidelines.)
> > +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> > +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
> > +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
> > +
> > +# needed in daemon mode
> > files_read_etc_files(mcelog_t)
> >
> > -# for /dev/mem access
> > -mls_file_read_all_levels(mcelog_t)
> > +locallogin_use_fds(mcelog_t)
> > +
> > +# create/append a logfile in a private log directory
> > +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> > +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> > +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
> > +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
> >
> > +# use syslog functionality (optional, configurable)
> > logging_send_syslog_msg(mcelog_t)
> >
> > +# to read the standard configuration file
> > +mcelog_read_config(mcelog_t)
>
> use read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>
> Interfaces are not for internal use
>
> > +
> > +mcelog_stream_socket_create(mcelog_t)
> > +mcelog_stream_socket_read(mcelog_t)
> > +mcelog_stream_socket_connect(mcelog_t)
> > +
>
> none of the above are needed
>
> > miscfiles_read_localization(mcelog_t)
> > +
> > +# for /dev/mem access
> > +mls_file_read_all_levels(mcelog_t)
> > +
> > +term_use_all_ttys(mcelog_t)
> > diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
> > --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
> > +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
> > @@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
> > /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >
> > /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
> > -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
> > -/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
> > -
> > -ifdef(`distro_redhat',`
> > -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
> > -')
> >
> > /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
> >
> >
> >
>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
2012-08-06 13:42 ` Dominick Grift
@ 2012-08-06 13:46 ` Dominick Grift
2012-08-07 17:49 ` Christopher J. PeBenito
0 siblings, 1 reply; 10+ messages in thread
From: Dominick Grift @ 2012-08-06 13:46 UTC (permalink / raw)
To: refpolicy
> >
> > On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
<..snip ..>
Also don't create patches on patches ( i think your v2 patch is a patch
on your initial patch?)
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
2012-08-06 13:46 ` Dominick Grift
@ 2012-08-07 17:49 ` Christopher J. PeBenito
2012-08-07 18:10 ` Guido Trentalancia
0 siblings, 1 reply; 10+ messages in thread
From: Christopher J. PeBenito @ 2012-08-07 17:49 UTC (permalink / raw)
To: refpolicy
On 08/06/12 09:46, Dominick Grift wrote:
>
>>>
>>> On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
>
> <..snip ..>
>
> Also don't create patches on patches ( i think your v2 patch is a patch
> on your initial patch?)
I'm still sorting through all the emails, but if thats the case, Guido, please resubmit as a proper patch set (no patches on patches).
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
2012-08-07 17:49 ` Christopher J. PeBenito
@ 2012-08-07 18:10 ` Guido Trentalancia
0 siblings, 0 replies; 10+ messages in thread
From: Guido Trentalancia @ 2012-08-07 18:10 UTC (permalink / raw)
To: refpolicy
Hello Christopher.
On 07/08/2012 19:49, Christopher J. PeBenito wrote:
> On 08/06/12 09:46, Dominick Grift wrote:
>>
>>>>
>>>> On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
>>
>> <..snip ..>
>>
>> Also don't create patches on patches ( i think your v2 patch is a patch
>> on your initial patch?)
>
> I'm still sorting through all the emails, but if thats the case, Guido, please resubmit as a proper patch set (no patches on patches).
It's not patches on patches: they are all the same patch in different
versions.
Increasing version numbers imply increased stability, improved style and
so on. But it was mostly working since the initial version, which
creates an advantage in terms of time, I suppose, if you consider the
actual state is basically unsupported (daemon won't start).
Since Dominick is not entirely happy with it, I suggest you apply the
latest version (v4) and then let him follow on, as I am entirely
satisfied with such version and at the same time I believe I have
followed all of his advice as applicable (except from the booleans that
I need on my system).
Regards,
Guido
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
2012-08-06 15:19 Guido Trentalancia
@ 2012-08-06 15:30 ` Dominick Grift
0 siblings, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2012-08-06 15:30 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-08-06 at 17:19 +0200, Guido Trentalancia wrote:
> If we keep bin_t, then we need to use corecmd_exec_bin() or whatever that is called, which means it can execute any script and in particular any binary.
>
> So, the good reason is restricting the type of files that mcelog can execute. In my opinion policy should always been designed that way, when the application needs to execute internal (or user-defined) scripts or binaries (as opposed to system-wide executables in /bin, /sbin, /usr/bin or /usr/sbin).
>
> Unless you give me a good reason, I won't change that.
The only good reason i can come up with right now is that if you change
this the maintainer might not accept the patch.
> Ok. I will create a third version (v3) with further changes as necessary.
This interface is not needed at all.
> >
> >Not needed.
>
> You suggested (initial review):
>
> allow mcelog_t self:unix_stream_socket create_socket_perms;
>
> I have just turned that into an interface...
>
> So, I don't get the point now.
You should not create an interface for that. Just add it to the
mcelog.te file (but use create_stream_socket_perms instead, my mistake)
> I think it gets audited as denied otherwise (possibly the client mode). If time allows, I'll double-check.
If you add: allow mcelog_t self:unix_stream_socket
create_stream_socket_perms; to mcelog.te this will be allowed i think
> In client-mode it needs to connect to the socket.
>
> Has the feature been removed in subsequent versions ? I can't find it anymore on kernel.org...
That's not my point. This is already allowed.
mcelog_t already has full access to mcelog_var_run_t sockets and if you
add allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
to mcelog.te then mcelog_t will also be allowed to connect via unix
stream socket.
> Otherwise, if they are labelled differently for increased security as explained above, it should need both corecmd_executable_file() and can_exec() on the private executable type.
There is not much increased security in my view.
> >
>
> To be honest I would rather prefer not using bin_t. Perhaps, it needs to be able to transition from the private exec type ?
Assumption is bad. Until proven otherwise bin_t seems fine.
>
> As far as I know other modules are using interfaces internally. I will double-check and if neccessary remove them.
some modules are using local templates, i guess this is a exception to
the rule. Calling internal interfaces should not be done.
> term_use_all_ttys() is needed for interactive use. Do you know anything more restrictive than that ?
I would need to see the avc denial to make a judgement
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
@ 2012-08-06 15:19 Guido Trentalancia
2012-08-06 15:30 ` Dominick Grift
0 siblings, 1 reply; 10+ messages in thread
From: Guido Trentalancia @ 2012-08-06 15:19 UTC (permalink / raw)
To: refpolicy
Hello Dominick.
>On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
[cut]
>> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.fc refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc
>> --- refpolicy-04062012/policy/modules/contrib/mcelog.fc 2011-09-09 18:29:23.578610955 +0200
>> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.fc 2012-08-06 13:34:45.568049105 +0200
>> @@ -1 +1,16 @@
>> +/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
>> +/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +/etc/mcelog/.*.local -- gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +
>
>I dont have a good argument for using bin_t but i dont have a good
>argument for using mcelog_exec_t either , therefore i suggest keeping it
>bin_t
If we keep bin_t, then we need to use corecmd_exec_bin() or whatever that is called, which means it can execute any script and in particular any binary.
So, the good reason is restricting the type of files that mcelog can execute. In my opinion policy should always been designed that way, when the application needs to execute internal (or user-defined) scripts or binaries (as opposed to system-wide executables in /bin, /sbin, /usr/bin or /usr/sbin).
Unless you give me a good reason, I won't change that.
>> +ifdef(`distro_redhat',`
>> +/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
>> +/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +')
>> +
>> +/etc/rc.d/init.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
>> +
>
>Weird, i still dont see the periods escaped above.
Unfortunately, at the moment I do not have another mail client at hand, so I suppose, it needs manual editing.
>> /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
>> +
>> +/var/log/mcelog -- gen_context(system_u:object_r:mcelog_log_t,s0)
>> +/var/run/mcelog.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> +/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
>> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.if refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if
>> --- refpolicy-04062012/policy/modules/contrib/mcelog.if 2011-09-09 18:29:23.578610955 +0200
>> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.if 2012-08-06 15:37:21.714522005 +0200
>> @@ -18,3 +18,78 @@ interface(`mcelog_domtrans',`
>> domtrans_pattern($1, mcelog_exec_t, mcelog_t)
>> ')
>>
>> +########################################
>> +## <summary>
>> +## Read the mcelog configuration files.
>
>I would probably use "Read mcelog configuration files."
Ok. I will create a third version (v3) with further changes as necessary.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`mcelog_read_config',`
>
>I would probably call the interface "mcelog_read_config_files" or
>"mcelog_read_etc_files"
Yes, reasonable.
>> + gen_require(`
>> + type mcelog_etc_t;
>> + ')
>> +
>> + files_search_etc($1)
>> + read_files_pattern($1, mcelog_etc_t, mcelog_etc_t)
>> + allow $1 mcelog_etc_t:dir list_dir_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Create an mcelog unix stream socket.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mcelog_stream_socket_create',`
>> + gen_require(`
>> + type mcelog_t;
>> + ')
>> +
>> + allow $1 mcelog_t:unix_stream_socket create_socket_perms;
>> +')
>
>Not needed.
You suggested (initial review):
allow mcelog_t self:unix_stream_socket create_socket_perms;
I have just turned that into an interface...
So, I don't get the point now.
>> +########################################
>> +## <summary>
>> +## Read from an mcelog unix stream socket.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mcelog_stream_socket_read',`
>> + gen_require(`
>> + type mcelog_t, mcelog_var_run_t;
>> + ')
>> +
>> + allow $1 mcelog_var_run_t:unix_stream_socket { read };
>> +')
>
>not needed.
I think it gets audited as denied otherwise (possibly the client mode). If time allows, I'll double-check.
>> +########################################
>> +## <summary>
>> +## Connect to mcelog over an unix stream socket.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`mcelog_stream_socket_connect',`
>> + gen_require(`
>> + type mcelog_t, mcelog_var_run_t;
>> + ')
>> +
>> + files_search_pids($1)
>> + stream_connect_pattern($1, mcelog_var_run_t, mcelog_var_run_t, mcelog_t);
>> +')
>
>Not needed.
In client-mode it needs to connect to the socket.
Has the feature been removed in subsequent versions ? I can't find it anymore on kernel.org...
>> diff -pruN refpolicy-04062012/policy/modules/contrib/mcelog.te refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te
>> --- refpolicy-04062012/policy/modules/contrib/mcelog.te 2011-09-09 18:29:23.578610955 +0200
>> +++ refpolicy-04062012-mcelog-support/policy/modules/contrib/mcelog.te 2012-08-06 16:01:45.087746478 +0200
>> @@ -1,4 +1,4 @@
>> -policy_module(mcelog, 1.1.0)
>> +policy_module(mcelog, 1.1.1)
>>
>> ########################################
>> #
>> @@ -7,8 +7,20 @@ policy_module(mcelog, 1.1.0)
>>
>> type mcelog_t;
>> type mcelog_exec_t;
>> -application_domain(mcelog_t, mcelog_exec_t)
>> -cron_system_entry(mcelog_t, mcelog_exec_t)
>> +corecmd_executable_file(mcelog_exec_t);
>
>I still dont think corecmd_executable_file is needed. Not sure though.
The triggers are scripts. Their execution is triggered by CPU error events.
If such scripts are labelled as bin_t, all is needed is corecmd_exec_bin() or whatever it is called.
Otherwise, if they are labelled differently for increased security as explained above, it should need both corecmd_executable_file() and can_exec() on the private executable type.
>> +init_daemon_domain(mcelog_t, mcelog_exec_t)
>> +
>> +type mcelog_initrc_exec_t;
>> +init_script_file(mcelog_initrc_exec_t)
>> +
>> +type mcelog_etc_t;
>> +files_config_file(mcelog_etc_t)
>> +
>> +type mcelog_log_t;
>> +logging_log_file(mcelog_log_t)
>> +
>> +type mcelog_var_run_t;
>> +files_pid_file(mcelog_var_run_t)
>>
>> ########################################
>> #
>> @@ -17,16 +29,48 @@ cron_system_entry(mcelog_t, mcelog_exec_
>>
>> allow mcelog_t self:capability sys_admin;
>
>add:
>
>allow mcelog_t self:unix_stream_socket create_stream_socket_perms;
>
>>
>> +can_exec(mcelog_t, mcelog_exec_t)
>> +
>
>If we keep using bin_t then this isnt needed
To be honest I would rather prefer not using bin_t. Perhaps, it needs to be able to transition from the private exec type ?
>> kernel_read_system_state(mcelog_t)
>>
>> dev_read_raw_memory(mcelog_t)
>> dev_read_kmsg(mcelog_t)
>>
>> +dev_rw_sysfs(mcelog_t)
>> +
>> +# optional support for running it as a cron job
>> +optional_policy(`
>> + cron_system_entry(mcelog_t, mcelog_exec_t)
>> +')
>> +
>> +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
>> +files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
>> +
>> +# needed in daemon mode
>> files_read_etc_files(mcelog_t)
>>
>> -# for /dev/mem access
>> -mls_file_read_all_levels(mcelog_t)
>> +locallogin_use_fds(mcelog_t)
>> +
>> +# create/append a logfile in a private log directory
>> +create_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +append_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +setattr_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
>> +logging_log_filetrans(mcelog_t, mcelog_log_t, file)
>>
>> +# use syslog functionality (optional, configurable)
>> logging_send_syslog_msg(mcelog_t)
>>
>> +# to read the standard configuration file
>> +mcelog_read_config(mcelog_t)
>
>use read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
>
>Interfaces are not for internal use
As far as I know other modules are using interfaces internally. I will double-check and if neccessary remove them.
>> +
>> +mcelog_stream_socket_create(mcelog_t)
>> +mcelog_stream_socket_read(mcelog_t)
>> +mcelog_stream_socket_connect(mcelog_t)
>> +
>
>none of the above are needed
>
>> miscfiles_read_localization(mcelog_t)
>> +
>> +# for /dev/mem access
>> +mls_file_read_all_levels(mcelog_t)
>> +
>> +term_use_all_ttys(mcelog_t)
term_use_all_ttys() is needed for interactive use. Do you know anything more restrictive than that ?
>> diff -pruN refpolicy-04062012/policy/modules/kernel/corecommands.fc refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc
>> --- refpolicy-04062012/policy/modules/kernel/corecommands.fc 2012-08-05 04:52:17.194005067 +0200
>> +++ refpolicy-04062012-mcelog-support/policy/modules/kernel/corecommands.fc 2012-08-05 17:49:05.594838788 +0200
>> @@ -72,12 +72,6 @@ ifdef(`distro_redhat',`
>> /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
>>
>> /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
>> -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
>> -/etc/mcelog/.*.local -- gen_context(system_u:object_r:bin_t,s0)
>> -
>> -ifdef(`distro_redhat',`
>> -/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
>> -')
>>
>> /etc/mgetty+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
Regards,
Guido
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
2012-08-06 14:49 Guido Trentalancia
@ 2012-08-06 14:56 ` Dominick Grift
0 siblings, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2012-08-06 14:56 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-08-06 at 16:49 +0200, Guido Trentalancia wrote:
> Hello Dominick.
Hi can you review (and maybe test) my take on this?
See http://oss.tresys.com/pipermail/refpolicy/2012-August/005358.html
Thank you
>
> >> > On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
> >
> ><..snip ..>
> >
> >Also don't create patches on patches ( i think your v2 patch is a patch
> >on your initial patch?)
>
> No v2 is the second version of the initial patch bringing the same name.
>
> So, it's a subsequent, usually revised, corrected and updated version of the initial patch which aims to tackle the same problem in a better manner and which obsoletes any previous version.
>
> Only occasionally I think I have submitted different versions as alternatives.
>
> Regards,
>
> Guido
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH v2]: mcelog module initial rewrite
@ 2012-08-06 14:49 Guido Trentalancia
2012-08-06 14:56 ` Dominick Grift
0 siblings, 1 reply; 10+ messages in thread
From: Guido Trentalancia @ 2012-08-06 14:49 UTC (permalink / raw)
To: refpolicy
Hello Dominick.
>> > On Mon, 2012-08-06 at 14:45 +0200, Guido Trentalancia wrote:
>
><..snip ..>
>
>Also don't create patches on patches ( i think your v2 patch is a patch
>on your initial patch?)
No v2 is the second version of the initial patch bringing the same name.
So, it's a subsequent, usually revised, corrected and updated version of the initial patch which aims to tackle the same problem in a better manner and which obsoletes any previous version.
Only occasionally I think I have submitted different versions as alternatives.
Regards,
Guido
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2012-08-07 18:10 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-08-06 12:45 [refpolicy] [PATCH v2]: mcelog module initial rewrite Guido Trentalancia
2012-08-06 13:40 ` Dominick Grift
2012-08-06 13:42 ` Dominick Grift
2012-08-06 13:46 ` Dominick Grift
2012-08-07 17:49 ` Christopher J. PeBenito
2012-08-07 18:10 ` Guido Trentalancia
2012-08-06 14:49 Guido Trentalancia
2012-08-06 14:56 ` Dominick Grift
2012-08-06 15:19 Guido Trentalancia
2012-08-06 15:30 ` Dominick Grift
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.