From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy
Date: Wed, 27 Apr 2016 13:33:50 -0400	[thread overview]
Message-ID: <5720F7FE.80603@tresys.com> (raw)
In-Reply-To: <1461770515-13153-2-git-send-email-grzegorz.andrejczuk@intel.com>

On 4/27/2016 11:21 AM, gandrejc wrote:

> --- /dev/null
> +++ b/hwloc.if
> @@ -0,0 +1,103 @@
> +## <summary>Dump topology and locality information from hardware tables.</summary>
> +
> +########################################
> +## <summary>
> +##	Execute hwloc dhwd in the hwloc dhwd domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`hwloc_domtrans_hwloc_dhwd',`
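Review bot: the summaries in this hunk refer to the program only as "hwloc dhwd", an abbreviation a policy reader will not recognise; name the tool, hwloc-dump-hwdata, in the interface documentation (for example "Execute hwloc-dump-hwdata in the hwloc_dhwd_t domain."), since the generated interface docs are what people search when looking for the right call.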

I would name this hwloc_domtrans_dhwd.


> +########################################
> +## <summary>
> +##	Manage hwloc runtime.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`hwloc_manage_runtime',`
> +	gen_require(`
> +		type hwloc_var_run_t;
> +	')
> +
> +	files_rw_pid_dirs($1)
> +	allow $1 hwloc_var_run_t:dir manage_dir_perms;
> +	allow $1 hwloc_var_run_t:file manage_file_perms;
> +	allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;
> +')
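Review bot: the rule "allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;" has no counterpart in hwloc.te, where hwloc_dhwd_t itself is only granted dir and file access on hwloc_var_run_t. If hwloc-dump-hwdata does not create symlinks under its runtime directory, drop the lnk_file line here so callers are not granted more than the owning domain has; if it does, hwloc.te is missing the matching rule. Either way the two places should agree.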

Are there subdirectories under /var/run/hwloc?  If not, I would reduce
the access to rw_dir_perms on hwloc_var_run_t dirs.

Additionally, since the tool itself seems to create the top level dir
(based on the below filetrans in the .te), it doesn't seem appropriate
for this interface to allow the caller files_rw_pid_dirs(), but to simply
search pid dirs.  The rw_pid_dirs would more likely fall under a
filetrans interface.


> diff --git a/hwloc.te b/hwloc.te
> new file mode 100644
> index 0000000..3465e3a
> --- /dev/null
> +++ b/hwloc.te
> @@ -0,0 +1,28 @@
> +policy_module(hwloc, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role hwloc_dhwd_roles;
> +roleattribute system_r hwloc_dhwd_roles;
> +
> +type hwloc_dhwd_t;
> +type hwloc_dhwd_exec_t;
> +init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
> +role hwloc_dhwd_roles types hwloc_dhwd_t;
> +
> +type hwloc_var_run_t;
> +files_pid_file(hwloc_var_run_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
> +allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
> +files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
> +
> +dev_read_sysfs(hwloc_dhwd_t)
> 
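Review bot: the transition at "files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)" is unnamed, so any directory hwloc_dhwd_t creates in /var/run would be labelled hwloc_var_run_t; since the directory in question is /var/run/hwloc, pass the name as the fourth argument, files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir, "hwloc"), to keep the transition specific to that path. As a style point on the two raw allow rules above it, refpolicy modules express this as manage_dirs_pattern(hwloc_dhwd_t, hwloc_var_run_t, hwloc_var_run_t) and manage_files_pattern(hwloc_dhwd_t, hwloc_var_run_t, hwloc_var_run_t) rather than bare allow rules; the same applies to the interface body in hwloc.if.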


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
