[refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy

[refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy

[gandrejc]

From: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>

New hwloc utility (hwloc-dump-hwdata) reads firmware entries and generates
intermediate files to be used later by hwloc utils.

This cannot be done when MLS is in enforicing mode because SELinux blocks
access to var_run_t for user_t.

The policy does the following:
    - adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
    - adds hwloc_dhwd_t system domain with entry point in
      hwloc_dhwd_exec_t
    - allows hwloc_dhwd_exec_t to be run as application
    - allows hwloc_dhwd_t access sysfs
    - allows hwloc_dhwd_t to create dir and file in /var/run
    - makes transition for hwloc-dump-hwdata output file from var_run_t to
      var_t.

The data is derived from proprietary SMBIOS entries containing MCDRAM memory
side cache configuration : cache size, associativity, inclusiveness and
line size.

Signed-off-by: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
---
 hwloc.fc |  3 +++
 hwloc.if |  0
 hwloc.te | 27 +++++++++++++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 hwloc.fc
 create mode 100644 hwloc.if
 create mode 100644 hwloc.te

diff --git a/hwloc.fc b/hwloc.fc
new file mode 100644
index 0000000..3d31d96
--- /dev/null
+++ b/hwloc.fc
@@ -0,0 +1,3 @@
+/var/run/hwloc				-d	gen_context(system_u:object_r:var_run_t,s0)
+/var/run/hwloc/knl_memoryside_cache	--	gen_context(system_u:object_r:var_t,s0)
+/usr/sbin/hwloc-dump-hwdata		--	gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
diff --git a/hwloc.if b/hwloc.if
new file mode 100644
index 0000000..e69de29
diff --git a/hwloc.te b/hwloc.te
new file mode 100644
index 0000000..292fd8c
--- /dev/null
+++ b/hwloc.te
@@ -0,0 +1,27 @@
+policy_module(hwloc, 1.0)
+
+gen_require(`
+  type sysfs_t;
+  type var_run_t;
+  type var_t;
+')
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+
+dev_read_sysfs(hwloc_dhwd_t)
+
+# Allow for interactive use, no transition
+application_executable_file(hwloc_dhwd_exec_t)
+
+# Allow read access to SMBIOS entries in /sys/firmware/dmi/entries
+dev_read_sysfs(hwloc_dhwd_t)
+
+# Allow write access to var run, for /var/run/hwloc/ and knl_memoryside_cache
+allow hwloc_dhwd_t var_run_t:dir { write create add_name };
+allow hwloc_dhwd_t var_t:file { write create open getattr };
+
+# Transition knl_memory_side_cache to var_t, to allow broad access
+filetrans_pattern(hwloc_dhwd_t, var_run_t, var_t, file, "knl_memoryside_cache")
-- 
2.5.1

--------------------------------------------------------------------

Intel Technology Poland sp. z o.o.
ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN.

Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek
przegladanie lub rozpowszechnianie jest zabronione.
This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by
others is strictly prohibited.

[refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 10:25 AM, gandrejc wrote:
> From: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
> 
> New hwloc utility (hwloc-dump-hwdata) reads firmware entries and
> generates intermediate files to be used later by hwloc utils.
> 
> This cannot be done when MLS is in enforicing mode because SELinux
> blocks access to var_run_t for user_t.

See below how i think this should be implemented. If any questions,
let me know.

> /var/run/hwloc/knl_memoryside_cache The policy does the following: 
> - adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable -
> adds hwloc_dhwd_t system domain with entry point in 
> hwloc_dhwd_exec_t - allows hwloc_dhwd_exec_t to be run as
> application - allows hwloc_dhwd_t access sysfs - allows
> hwloc_dhwd_t to create dir and file in /var/run - makes transition
> for hwloc-dump-hwdata output file from var_run_t to var_t.
> 
> The data is derived from proprietary SMBIOS entries containing
> MCDRAM memory side cache configuration : cache size, associativity,
> inclusiveness and line size.
> 
> Signed-off-by: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com> 
> ---

<snip>

Here is how it should, probably, look instead:

system/hwloc.fc:

> /usr/sbin/hwloc-dump-hwdata	--
> gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)

> /var/run/hwloc(/.*)?
> gen_context(system_u:object_r:hwloc_var_run_t,s0)

system/hwloc.te:

> policy_module(hwloc,1.0.0)
> 
> attribute_role hwloc_roles; roleattribute system_r hwloc_roles;
> 
> type hwloc_dhwd_t; type hwloc_dhwd_exec_t; 
> init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t) role
> hwloc_roles types hwloc_dhwd_t;
> 
> type hwloc_var_run_t; files_pid_file(hwloc_var_run_t)
> 
> allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms; allow
> hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms; 
> files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
> 
> dev_read_sysfs(hwloc_dhwd_t)

system/hwloc.if

> ## <summary>Dump topology and locality information from hardware
> tables.</summary>
> 
> ######################################## ## <summary> ##	Execute
> hwloc dhwd in the mount hwloc dhwd domain. ## </summary> ## <param
> name="domain"> ##	<summary> ##	Domain allowed to transition. ##
> </summary> ## </param> # interface(`hwloc_domtrans_hwloc_dhwd',` 
> gen_require(` type hwloc_dhwd_t, hwloc_dhwd_exec_t; ')
> 
> domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t) ')
> 
> ######################################## ## <summary> ##	Execute
> hwloc dhwd in the hwloc dhwd domain, and ##	allow the specified
> role the hwloc dhwd domain. ## </summary> ## <param name="domain"> 
> ##	<summary> ##	Domain allowed to transition. ##	</summary> ##
> </param> ## <param name="role"> ##	<summary> ##	Role allowed
> access. ##	</summary> ## </param> ## <rolecap/> # 
> interface(`hwloc_run_hwloc_dhwd',` gen_require(` attribute_role
> hwloc_roles; ')
> 
> hwloc_domtrans_hwloc_dhwd($1) roleattribute $2 hwloc_roles; ')
> 
> ######################################## ## <summary> ##	Execute
> hwloc dhwd in the caller domain. ## </summary> ## <param
> name="domain"> ##	<summary> ##	Domain allowed access. ##
> </summary> ## </param> # interface(`hwloc_exec_hwloc_dhwd',` 
> gen_require(` type hwloc_dhwd_exec_t; ')
> 
> can_exec($1, hwloc_hdwd_exec_t) ')
> 
> ######################################## ## <summary> ##	Read
> runtime files. ## </summary> ## <param name="domain"> ##	<summary> 
> ##	Domain allowed access. ##	</summary> ## </param> # 
> interface(`hwloc_read_runtime_files',` gen_require(` type
> hwloc_var_run_t; ')
> 
> files_search_pids($1) read_files_pattern($1, hwloc_var_run_t,
> hwloc_var_run_t) ')
> 
> ######################################## ## <summary> ##	Manage
> runtime. ## </summary> ## <param name="domain"> ##	<summary> ##
> Domain allowed access. ##	</summary> ## </param> # 
> interface(`hwloc_manage_runtime',` gen_require(` type
> hwloc_var_run_t; ')
> 
> files_rw_pid_dirs($1) allow $1 hwloc_var_run_t:dir
> manage_dir_perms; allow $1 hwloc_var_run_t:file manage_file_perms; 
> allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms; ')

Then you would call the interfaces in the respective modules to allow
shells to run or execute it, For example

roles/sysadm.te:

> 
> optional_policy(` hwloc_run_hwloc_dhwd(sysadm_t, sysadm_r) 
> hwloc_manage_runtime(sysadm_t) ')

roles/user.te:

> optional_policy(` hwloc_exec_hwloc_dhwd(user_t) 
> hwloc_read_runtime_files(user_t) ')

roles/staff.te:

> optional_policy(` hwloc_exec_hwloc_dhwd(staff_t) 
> hwloc_read_runtime_files(staff_t) ')

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIIkFAAoJECV0jlU3+Udpon8L/1yoJqFL0XFh/j43lrpIoA1+
qFPiKlxw9icqcITYrnaepf7AKeag3h04neHgVIzdZBdVZ2+6W0fmORtBRcsu6aaH
d8wtT44/Fw4ZJobrU6fmuxWbzABqFyaR1qGD+IynT3F/WOE4WWqwC929dT7kglHL
NTbJlFqhlIwaN1XEU8Be7AlBGiU1tuo9nqAZ4dEuxbNPUGduP5LMV2GQ6cusG9xm
vsxWgTHyD3HLs6ySNxsqHXmk8oZfy30Y/Ob7rOqi39mE1BeTcdJzcR0p6m2Gl0Du
+o0vEb7DnUHLu8r3uHLUw52TO1dPi4MDKdraZn3sNyyixbf88RAKcgpadSKvjR0e
L17dqdaqCU3ulF5k6Bt7huCBg3ItAtd+SJ7VL7T7B4Ek/Bb8ufYExHSfJ0kmNhMW
gzd3kj+Um9u58z9iUyQ0V7/eu4dh853eyMStmY0CDhw20XNkgTZKMurzKiadnR/i
+6cyu3bJgQKVZwzFHTNFVfcOoTMe73KS0QAgcVPfZw==
=A2Cm
-----END PGP SIGNATURE-----

[refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 11:40 AM, Dominick Grift wrote:
> On 04/27/2016 10:25 AM, gandrejc wrote:
>> From: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
> 
>> New hwloc utility (hwloc-dump-hwdata) reads firmware entries and 
>> generates intermediate files to be used later by hwloc utils.
> 
>> This cannot be done when MLS is in enforicing mode because
>> SELinux blocks access to var_run_t for user_t.
> 
> See below how i think this should be implemented. If any
> questions, let me know.
> 

Looks like my mail client managed to mess up the lay-out...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIIlvAAoJECV0jlU3+UdpidIL/RViVKgZyhpolEw60PfRBt8g
MBXVb7bB5rHOojSI89581LWSerAsuWqRf2d+lwOEBaXyamlhMZ7JtTkUZkRukngL
ZsOxZ+eNAd2WUAkRb9Yufn3NDt/UDV+nzcTUjqz68OLAtxhrgbBVsv90XYP3rvAw
aPy5AQOG60Y8XiYWj4KAmgJri8Kvv+g2ClEXarKdXiMjKERXgZIBX8nvdmllRMP4
Zl/9cLp6IQRHoio7vSvCugK0QvSnlcQBcHR1c+RyQd7h+9izDDuF2urRXl2Y+QA1
15M/ma/67uMR7IfQsGaczY8/hdT0Tl8qRbSBRsRtWch8NSe4frtEJJn1k1r3tFvJ
fDXM92c67ihvKLgSW3oEod1urgtnmiOUFEBT82eixmitPr3xoLtIebRVFSWE0pV/
vbfwrDOwHBYm9BsJk6gcACFShh0y8iGuiUZzEdb9FQE8H1RHKU117QTOIY+mMuoi
XMzt1gFt+gQQztlLcTt73AH5SXvig4lZhWFxW4ikDw==
=8FjL
-----END PGP SIGNATURE-----

[refpolicy] [PATCH] Add hwloc skel

[Dominick Grift]

Signed-off-by: Dominick Grift <dac.override@gmail.com>
---
 hwloc.fc |   3 ++
 hwloc.if | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 hwloc.te |  28 +++++++++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 hwloc.fc
 create mode 100644 hwloc.if
 create mode 100644 hwloc.te

diff --git a/hwloc.fc b/hwloc.fc
new file mode 100644
index 0000000..81c6451
--- /dev/null
+++ b/hwloc.fc
@@ -0,0 +1,3 @@
+/usr/sbin/hwloc-dump-hwdata	--	gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/var/run/hwloc(/.*)?	gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/hwloc.if b/hwloc.if
new file mode 100644
index 0000000..f0a5217
--- /dev/null
+++ b/hwloc.if
@@ -0,0 +1,103 @@
+## <summary>Dump topology and locality information from hardware tables.</summary>
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`hwloc_domtrans_hwloc_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+	')
+
+	domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain, and
+##	allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_hwloc_dhwd',`
+	gen_require(`
+		attribute_role hwloc_dhwd_roles;
+	')
+
+	hwloc_domtrans_hwloc_dhwd($1)
+	roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_exec_hwloc_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_exec_t;
+	')
+
+	can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+##	Manage hwloc runtime.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_manage_runtime',`
+	gen_require(`
+		type hwloc_var_run_t;
+	')
+
+	files_rw_pid_dirs($1)
+	allow $1 hwloc_var_run_t:dir manage_dir_perms;
+	allow $1 hwloc_var_run_t:file manage_file_perms;
+	allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+	gen_require(`
+		type hwloc_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
diff --git a/hwloc.te b/hwloc.te
new file mode 100644
index 0000000..3465e3a
--- /dev/null
+++ b/hwloc.te
@@ -0,0 +1,28 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
-- 
2.5.5

[refpolicy] [PATCH] Add support for hwloc

[Dominick Grift]

Signed-off-by: Dominick Grift <dac.override@gmail.com>
---
 policy/modules/kernel/files.if      | 19 +++++++++++++++++++
 policy/modules/roles/sysadm.te      |  5 +++++
 policy/modules/system/userdomain.if |  5 +++++
 3 files changed, 29 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fc007b4..d942d8a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6077,6 +6077,25 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 
 ########################################
 ## <summary>
+##	Read and write generic runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	files_search_var($1)
+	rw_dirs_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the /var/run directory.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index ceaa4cb..265beb6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -462,6 +462,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	hwloc_manage_runtime(sysadm_t)
+	hwloc_run_hwloc_dhwd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	hypervkvp_admin(sysadm_t, sysadm_r)
 ')
 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cbb6e09..0a46fda 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -619,6 +619,11 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		hwloc_exec_hwloc_dhwd($1_t)
+		hwloc_read_runtime_files($1_t)
+	')
+
+	optional_policy(`
 		inetd_use_fds($1_t)
 		inetd_rw_tcp_sockets($1_t)
 	')
-- 
2.5.5

[refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 10:25 AM, gandrejc wrote:
> From: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
> 
> New hwloc utility (hwloc-dump-hwdata) reads firmware entries and
> generates intermediate files to be used later by hwloc utils.

Do these do what you want them to do?

http://oss.tresys.com/pipermail/refpolicy/2016-April/007935.html
http://oss.tresys.com/pipermail/refpolicy/2016-April/007936.html

The description is not accurate though. It should probably be:

"Provides a portable abstraction of the hierarchical topology of
modern architectures."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIJujAAoJECV0jlU3+UdpVYUL/Ru9I6fG2wb/03d7HPWDclgp
eqLvfMI9cFSZSsRrwsz0kneS3slkqBqxtvaZA37wzP/wcn9J86ytVXLbTD5amlQW
/x70iWlcUTf26FBPL48Be2/OZvYgl2fYZ3hplt0i2nqutLF7shOXGHYcJzSOifLl
ZnRJO8BzKLkwIrrtrjLP0cqfxkv4666h6uYqHEq7rQt4NPH7I1IJu3i2Oqvq8wcH
ckB07D3fnUlQwL+7eng9eWWwuljruO0Vz7CXISd5ZnW5ixlTBxcuVwmzs2YrRKQr
mXL6rixUt9AbNmJ2vMoDQOcwXh3K2EpIMxgKGE1VkUeo/JkyT/Er44FMt2GI51Su
yGbfst3NAn/A3VjZ12SNrCIM8oguAp7q8g+MRCKz+fQ7N3aQCQmOPDrABrl1RlBS
8L9FXxQ54yhU9E89/wz2ER9Vx2GXQDzKgCEr8GS6d40zCpJJmze2drPyOQsKh0Iq
ndF3Anz+rMuINj1tQnifFhAcOMvCcbvIGvdEwQANIw==
=HAKy
-----END PGP SIGNATURE-----

[refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy

[Andrejczuk, Grzegorz]

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 04/27/2016 10:25 AM, gandrejc wrote:
> > From: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>>
> > 
> > New hwloc utility (hwloc-dump-hwdata) reads firmware entries and 
> > generates intermediate files to be used later by hwloc utils.
>
> Do these do what you want them to do?
>
> http://oss.tresys.com/pipermail/refpolicy/2016-April/007935.html
> http://oss.tresys.com/pipermail/refpolicy/2016-April/007936.html

Yes, thanks. Although we merged both changes in single policy module because 
we would not like to apply patches to RHEL MLS policy. 

> The description is not accurate though. It should probably be:
>
> "Provides a portable abstraction of the hierarchical topology of modern architectures."

Policy is required for the part of the hwloc but general hwloc description could be added.
Shall I post updated patch? 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIJujAAoJECV0jlU3+UdpVYUL/Ru9I6fG2wb/03d7HPWDclgp
eqLvfMI9cFSZSsRrwsz0kneS3slkqBqxtvaZA37wzP/wcn9J86ytVXLbTD5amlQW
/x70iWlcUTf26FBPL48Be2/OZvYgl2fYZ3hplt0i2nqutLF7shOXGHYcJzSOifLl
ZnRJO8BzKLkwIrrtrjLP0cqfxkv4666h6uYqHEq7rQt4NPH7I1IJu3i2Oqvq8wcH
ckB07D3fnUlQwL+7eng9eWWwuljruO0Vz7CXISd5ZnW5ixlTBxcuVwmzs2YrRKQr
mXL6rixUt9AbNmJ2vMoDQOcwXh3K2EpIMxgKGE1VkUeo/JkyT/Er44FMt2GI51Su
yGbfst3NAn/A3VjZ12SNrCIM8oguAp7q8g+MRCKz+fQ7N3aQCQmOPDrABrl1RlBS
8L9FXxQ54yhU9E89/wz2ER9Vx2GXQDzKgCEr8GS6d40zCpJJmze2drPyOQsKh0Iq
ndF3Anz+rMuINj1tQnifFhAcOMvCcbvIGvdEwQANIw==
=HAKy
-----END PGP SIGNATURE-----
--------------------------------------------------------------------

Intel Technology Poland sp. z o.o.
ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN.

Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek
przegladanie lub rozpowszechnianie jest zabronione.
This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by
others is strictly prohibited.

[refpolicy] [PATCH 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 03:07 PM, Andrejczuk, Grzegorz wrote:

>> 
>> Do these do what you want them to do?
>> 
>> http://oss.tresys.com/pipermail/refpolicy/2016-April/007935.html 
>> http://oss.tresys.com/pipermail/refpolicy/2016-April/007936.html
> 
> Yes, thanks. Although we merged both changes in single policy
> module because we would not like to apply patches to RHEL MLS
> policy.
> 
>> The description is not accurate though. It should probably be:
>> 
>> "Provides a portable abstraction of the hierarchical topology of
>> modern architectures."
> 
> Policy is required for the part of the hwloc but general hwloc
> description could be added. Shall I post updated patch?

I made it a generic hwloc module so that any future additional
components that might need policy could then be added. So yes the
description should be generic.

Would appreciate it if you could post an updated patch




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXILq2AAoJECV0jlU3+UdppwwL/0jPHheOUJPG0yuCGisqsHZs
7iv7EtNLmu7F7OmDyx5cJNVxipjfgN7fzU7FJ6POHV5f4BEbtR2Ghx75EMaHohBU
xvQGtpMintNNHhK9Pg20ylQ8UX4Hk9gUGztCBpa5E04b+HiGF3FumfsUUcwG5eh+
ePkoLe4qys3bIv/pUU2T+GgdPtghJ3sE5QOrgV/yR6A6QvDHW5a6tulCxZL8+INF
NqyTfkfbAsOJgJO3GiytEU7fEBl4FfOb+JGDOZVxmwvDSWQUsL86Xigf8n1wtO0E
M6XPXr4BsY+7r00aVYcLhnZMmNEinw2Dnk3uK381GSQg59tdaUrUX6GtV7A9Ye2T
5DDTob7vqQKdWdQFOVI4wXgFViIRFDmdUjqKwE0+JtFD/gx1VUuIHJlBeC007TP5
lEy//0b63REPhg1YHIQeVtN5dOEsuF8luaPG96H9w64Yht1/ZaflW9w+cm55gXQV
J/kP/bFsZmqvqZ9z4mUAgOtu4WyiSaQHYL5iMuW5zg==
=EzwG
-----END PGP SIGNATURE-----

[refpolicy] [Patch V2 1/1] Update refpolicy to handle hwloc

[gandrejc]

The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

Signed-off-by: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
---
 policy/modules/kernel/files.if      | 19 +++++++++++++++++++
 policy/modules/roles/sysadm.te      |  5 +++++
 policy/modules/system/userdomain.if |  5 +++++
 3 files changed, 29 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fc007b4..d942d8a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6077,6 +6077,25 @@ interface(`files_dontaudit_getattr_pid_dirs',`
 
 ########################################
 ## <summary>
+##	Read and write generic runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_rw_pid_dirs',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	files_search_var($1)
+	rw_dirs_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the /var/run directory.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index ceaa4cb..807c139 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -458,6 +458,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	hwloc_manage_runtime(sysadm_t)
+	hwloc_run_hwloc_dhwd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	howl_admin(sysadm_t, sysadm_r)
 ')
 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cbb6e09..0a46fda 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -619,6 +619,11 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		hwloc_exec_hwloc_dhwd($1_t)
+		hwloc_read_runtime_files($1_t)
+	')
+
+	optional_policy(`
 		inetd_use_fds($1_t)
 		inetd_rw_tcp_sockets($1_t)
 	')
-- 
2.5.1

--------------------------------------------------------------------

Intel Technology Poland sp. z o.o.
ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN.

Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek
przegladanie lub rozpowszechnianie jest zabronione.
This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by
others is strictly prohibited.

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[gandrejc]

The Portable Hardware Locality (hwloc) software package
provides a portable abstraction (across OS, versions, architectures, ...)
of the hierarchical topology of modern architectures,
including NUMA memory nodes, sockets, shared caches,
cores and simultaneous multithreading.
It also gathers various system attributes such as cache and memory information
as well as the locality of I/O devices such as network interfaces,
InfiniBand HCAs or GPUs.

New hwloc utility (hwloc-dump-hwdata) reads firmware entries and generates
intermediate files to be used later by hwloc utils.

This cannot be done when MLS is in enforicing mode because SELinux blocks
access to var_run_t for user_t.

The policy does the following:
- adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
- adds hwloc_dhwd_t system domain with entry point in
hwloc_dhwd_exec_t
- allows hwloc_dhwd_exec_t to be run as application
- allows hwloc_dhwd_t access sysfs
- allows hwloc_dhwd_t to create dir and file in /var/run
- makes transition for hwloc-dump-hwdata output file from var_run_t to
var_t.

The data is derived from proprietary SMBIOS entries containing MCDRAM memory
side cache configuration : cache size, associativity, inclusiveness and
line size.

Signed-off-by: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
---
 hwloc.fc |   3 ++
 hwloc.if | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 hwloc.te |  28 +++++++++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 hwloc.fc
 create mode 100644 hwloc.if
 create mode 100644 hwloc.te

diff --git a/hwloc.fc b/hwloc.fc
new file mode 100644
index 0000000..81c6451
--- /dev/null
+++ b/hwloc.fc
@@ -0,0 +1,3 @@
+/usr/sbin/hwloc-dump-hwdata	--	gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/var/run/hwloc(/.*)?	gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/hwloc.if b/hwloc.if
new file mode 100644
index 0000000..f0a5217
--- /dev/null
+++ b/hwloc.if
@@ -0,0 +1,103 @@
+## <summary>Dump topology and locality information from hardware tables.</summary>
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`hwloc_domtrans_hwloc_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+	')
+
+	domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain, and
+##	allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_hwloc_dhwd',`
+	gen_require(`
+		attribute_role hwloc_dhwd_roles;
+	')
+
+	hwloc_domtrans_hwloc_dhwd($1)
+	roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_exec_hwloc_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_exec_t;
+	')
+
+	can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+##	Manage hwloc runtime.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_manage_runtime',`
+	gen_require(`
+		type hwloc_var_run_t;
+	')
+
+	files_rw_pid_dirs($1)
+	allow $1 hwloc_var_run_t:dir manage_dir_perms;
+	allow $1 hwloc_var_run_t:file manage_file_perms;
+	allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+	gen_require(`
+		type hwloc_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
diff --git a/hwloc.te b/hwloc.te
new file mode 100644
index 0000000..3465e3a
--- /dev/null
+++ b/hwloc.te
@@ -0,0 +1,28 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
-- 
2.5.1

--------------------------------------------------------------------

Intel Technology Poland sp. z o.o.
ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN.

Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek
przegladanie lub rozpowszechnianie jest zabronione.
This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by
others is strictly prohibited.

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Jason Zaman]

On 27 Apr 2016 23:22, "gandrejc" <grzegorz.andrejczuk@intel.com> wrote:
>
> The Portable Hardware Locality (hwloc) software package
> provides a portable abstraction (across OS, versions, architectures, ...)
> of the hierarchical topology of modern architectures,
> including NUMA memory nodes, sockets, shared caches,
> cores and simultaneous multithreading.
> It also gathers various system attributes such as cache and memory
information
> as well as the locality of I/O devices such as network interfaces,
> InfiniBand HCAs or GPUs.
>
> New hwloc utility (hwloc-dump-hwdata) reads firmware entries and generates
> intermediate files to be used later by hwloc utils.
>
> This cannot be done when MLS is in enforicing mode because SELinux blocks
> access to var_run_t for user_t.
>
> The policy does the following:
> - adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
> - adds hwloc_dhwd_t system domain with entry point in
> hwloc_dhwd_exec_t
> - allows hwloc_dhwd_exec_t to be run as application
> - allows hwloc_dhwd_t access sysfs
> - allows hwloc_dhwd_t to create dir and file in /var/run
> - makes transition for hwloc-dump-hwdata output file from var_run_t to
> var_t.
>
> The data is derived from proprietary SMBIOS entries containing MCDRAM
memory
> side cache configuration : cache size, associativity, inclusiveness and
> line size.
>
> Signed-off-by: Grzegorz Andrejczuk <grzegorz.andrejczuk@intel.com>
> ---
>  hwloc.fc |   3 ++
>  hwloc.if | 103
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  hwloc.te |  28 +++++++++++++++++
>  3 files changed, 134 insertions(+)
>  create mode 100644 hwloc.fc
>  create mode 100644 hwloc.if
>  create mode 100644 hwloc.te
>
> diff --git a/hwloc.fc b/hwloc.fc
> new file mode 100644
> index 0000000..81c6451
> --- /dev/null
> +++ b/hwloc.fc
> @@ -0,0 +1,3 @@
> +/usr/sbin/hwloc-dump-hwdata    --
gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
> +
> +/var/run/hwloc(/.*)?   gen_context(system_u:object_r:hwloc_var_run_t,s0)
> diff --git a/hwloc.if b/hwloc.if
> new file mode 100644
> index 0000000..f0a5217
> --- /dev/null
> +++ b/hwloc.if
> @@ -0,0 +1,103 @@
> +## <summary>Dump topology and locality information from hardware
tables.</summary>
> +
> +########################################
> +## <summary>
> +##     Execute hwloc dhwd in the hwloc dhwd domain.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed to transition.
> +##     </summary>
> +## </param>
> +#
> +interface(`hwloc_domtrans_hwloc_dhwd',`
> +       gen_require(`
> +               type hwloc_dhwd_t, hwloc_dhwd_exec_t;
> +       ')
> +
> +       domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
> +')
> +
> +########################################
> +## <summary>
> +##     Execute hwloc dhwd in the hwloc dhwd domain, and
> +##     allow the specified role the hwloc dhwd domain,
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed to transition.
> +##     </summary>
> +## </param>
> +## <param name="role">
> +##     <summary>
> +##     Role allowed access.
> +##     </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`hwloc_run_hwloc_dhwd',`
> +       gen_require(`
> +               attribute_role hwloc_dhwd_roles;
> +       ')
> +
> +       hwloc_domtrans_hwloc_dhwd($1)
> +       roleattribute $2 hwloc_dhwd_roles;
> +')
> +
> +########################################
> +## <summary>
> +##     Execute hwloc dhwd in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`hwloc_exec_hwloc_dhwd',`
> +       gen_require(`
> +               type hwloc_dhwd_exec_t;
> +       ')
> +
> +       can_exec($1, hwloc_dhwd_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##     Manage hwloc runtime.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`hwloc_manage_runtime',`
> +       gen_require(`
> +               type hwloc_var_run_t;
> +       ')
> +
> +       files_rw_pid_dirs($1)
This seems wrong. Shouldn't it be a pid filetrans on 'hwloc'? There is no
reason to give rw perms on everything in /run.

-- Jason

> +       allow $1 hwloc_var_run_t:dir manage_dir_perms;
> +       allow $1 hwloc_var_run_t:file manage_file_perms;
> +       allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##     Read hwloc runtime files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`hwloc_read_runtime_files',`
> +       gen_require(`
> +               type hwloc_var_run_t;
> +       ')
> +
> +       files_search_pids($1)
> +       read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
> +')
> diff --git a/hwloc.te b/hwloc.te
> new file mode 100644
> index 0000000..3465e3a
> --- /dev/null
> +++ b/hwloc.te
> @@ -0,0 +1,28 @@
> +policy_module(hwloc, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role hwloc_dhwd_roles;
> +roleattribute system_r hwloc_dhwd_roles;
> +
> +type hwloc_dhwd_t;
> +type hwloc_dhwd_exec_t;
> +init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
> +role hwloc_dhwd_roles types hwloc_dhwd_t;
> +
> +type hwloc_var_run_t;
> +files_pid_file(hwloc_var_run_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
> +allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
> +files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
> +
> +dev_read_sysfs(hwloc_dhwd_t)
> --
> 2.5.1
>
> --------------------------------------------------------------------
>
> Intel Technology Poland sp. z o.o.
> ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII
Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP
957-07-52-316 | Kapital zakladowy 200.000 PLN.
>
> Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego
adresata i moze zawierac informacje poufne. W razie przypadkowego
otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej
usuniecie; jakiekolwiek
> przegladanie lub rozpowszechnianie jest zabronione.
> This e-mail and any attachments may contain confidential material for the
sole use of the intended recipient(s). If you are not the intended
recipient, please contact the sender and delete all copies; any review or
distribution by
> others is strictly prohibited.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20160428/474dd194/attachment-0001.html 

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 06:47 PM, Jason Zaman wrote:

>> + +######################################## +## <summary> +##
>> Manage hwloc runtime. +## </summary> +## <param name="domain"> 
>> +##     <summary> +##     Domain allowed access. +##
>> </summary> +## </param> +# +interface(`hwloc_manage_runtime',` +
>> gen_require(` +               type hwloc_var_run_t; +       ') + 
>> +       files_rw_pid_dirs($1)
> This seems wrong. Shouldn't it be a pid filetrans on 'hwloc'? There
> is no reason to give rw perms on everything in /run.
> 

This is suitable for use with manual type transition

Example: mkdir -Z /var/run/hwloc

Mainly for sysadm

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIO3xAAoJECV0jlU3+Udp31gL/3C/e2aUhW7WGth1Gs8epSIm
BacwwYY0hY2sCQdfDJQuITvyv9M5P2YrWwlW7/YwpSt940mRmFIO376LqaRYd0H4
LRDES3+hsO+m+78qenzrpjTJC4ZpwFAlvqEpA/325mEd5/Kz6P0jkIK5KiXh/lDJ
P2vKJqmzMWSzPu4mXGEhjXBdITKV5Y6LtJDCdlkSk7xqSrYi+J4ANldExIDc+hE8
FF50VnlMZekfHSRnpMWvKTW4f0zbFcNmqCDBEXq4tQm4YLfz2Q1BqgQ2IxU93Qn4
4Xo3dzVGudM7zF+N2kS1sy/BlYnkrDiX4ArQMC83AOwwLf0WXLMysJ3SrvX/Gx6e
uTzIVrsaHMRUo0tYrgdtDSeSMPwBW5Zyc+yrBf6xt+7Lr+WNbRo9TBbJJBxvAxdV
9rzxkDgRqNo00BTlxE1YUVDNaYaWBTNlJQoNCeydb0CET2M9ZFjIbOkjbyQLGhPE
+ro+tneeggcgnVsrGXK2LPbe51dKuZFAHtsbnUdHgA==
=kFAr
-----END PGP SIGNATURE-----

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 06:51 PM, Dominick Grift wrote:
> On 04/27/2016 06:47 PM, Jason Zaman wrote:
> 
>>> + +######################################## +## <summary> +## 
>>> Manage hwloc runtime. +## </summary> +## <param name="domain">
>>>  +##     <summary> +##     Domain allowed access. +## 
>>> </summary> +## </param> +# +interface(`hwloc_manage_runtime',`
>>> + gen_require(` +               type hwloc_var_run_t; +
>>> ') + +       files_rw_pid_dirs($1)
>> This seems wrong. Shouldn't it be a pid filetrans on 'hwloc'?
>> There is no reason to give rw perms on everything in /run.
> 
> 
> This is suitable for use with manual type transition
> 
> Example: mkdir -Z /var/run/hwloc
> 
> Mainly for sysadm
> 

Also you do realize that files_pid_filetrans() provides similar access?

All it does is it allows one to read/write generic runtime dirs.

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIO9RAAoJECV0jlU3+UdpA+oL/0Pk9t2xVCoB3OoXlrXRk41V
EXQf0/CXhTANOMjDal2ePoouNbXo2/L57xdFYyRn4B+6prW0+Oww+ffj9KalT40d
e1bT1uTyeCrV26Y161DRmCFROpYEIiZozS9+OZxqRmRJTKQbYFSQpcUXlfiVCqQa
ui5RD6ysirHa5U+RXQMYVgSc4uxNArVw6x8kbb7aAT62cyxnDkCRwptktf8VP7k8
wXz8Z0d/WQjspCSv/2Adosm8Y/LS+16kqxk5rh2Ivi6AhbdzZ2B6Va6mC5AEiXDm
uG2zoox/OSTK1sumO1lx0f5CAmoGu/03U8cSwBxCG8wKnoSdcSAQABxXVTUSHhMB
mH2/ssk8HgXBRUMMZ1DTzFqi3Tij40V94NUwwqqfbqwm+V6n1gB2kpeDNpXd2tDK
G3AbV4sHI/yhOjhJNHCo61g60sX7DVDmLtC2pYzKzy7kd/lwbb2N5weBr79VUy9e
nDNKtLHsBZKZUbs7gmTf+wT89uca+gu28GiSghokTQ==
=a4Ap
-----END PGP SIGNATURE-----

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Christopher J. PeBenito]

On 4/27/2016 11:21 AM, gandrejc wrote:

> --- /dev/null
> +++ b/hwloc.if
> @@ -0,0 +1,103 @@
> +## <summary>Dump topology and locality information from hardware tables.</summary>
> +
> +########################################
> +## <summary>
> +##	Execute hwloc dhwd in the hwloc dhwd domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`hwloc_domtrans_hwloc_dhwd',`

I would name this hwloc_domtrans_dhwd.


> +########################################
> +## <summary>
> +##	Manage hwloc runtime.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`hwloc_manage_runtime',`
> +	gen_require(`
> +		type hwloc_var_run_t;
> +	')
> +
> +	files_rw_pid_dirs($1)
> +	allow $1 hwloc_var_run_t:dir manage_dir_perms;
> +	allow $1 hwloc_var_run_t:file manage_file_perms;
> +	allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;
> +')

Are there subdirectories under /var/run/hwloc?  If not, I would reduce
the access to rw_dir_perms on hwloc_var_run_t dirs.

Additionally, since the tool itself seems to create the top level dir
(based on the below filetrans in the .te), it doesn't seem appropriate
for this interface allow the caller files_rw_pid_dirs(), but to simply
search pid dirs.  The rw_pid_dirs would more likely fall under a
filetrans interface.


> diff --git a/hwloc.te b/hwloc.te
> new file mode 100644
> index 0000000..3465e3a
> --- /dev/null
> +++ b/hwloc.te
> @@ -0,0 +1,28 @@
> +policy_module(hwloc, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role hwloc_dhwd_roles;
> +roleattribute system_r hwloc_dhwd_roles;
> +
> +type hwloc_dhwd_t;
> +type hwloc_dhwd_exec_t;
> +init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
> +role hwloc_dhwd_roles types hwloc_dhwd_t;
> +
> +type hwloc_var_run_t;
> +files_pid_file(hwloc_var_run_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
> +allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
> +files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
> +
> +dev_read_sysfs(hwloc_dhwd_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 07:33 PM, Christopher J. PeBenito wrote:
> On 4/27/2016 11:21 AM, gandrejc wrote:
> 
>> --- /dev/null +++ b/hwloc.if @@ -0,0 +1,103 @@ +## <summary>Dump
>> topology and locality information from hardware
>> tables.</summary> + +######################################## +##
>> <summary> +##	Execute hwloc dhwd in the hwloc dhwd domain. +##
>> </summary> +## <param name="domain"> +##	<summary> +##	Domain
>> allowed to transition. +##	</summary> +## </param> +# 
>> +interface(`hwloc_domtrans_hwloc_dhwd',`
> 
> I would name this hwloc_domtrans_dhwd.

fair enough
> 
> 
>> +######################################## +## <summary> +##
>> Manage hwloc runtime. +## </summary> +## <param name="domain"> 
>> +##	<summary> +##	Domain allowed access. +##	</summary> +##
>> </param> +# +interface(`hwloc_manage_runtime',` +	gen_require(` +
>> type hwloc_var_run_t; +	') + +	files_rw_pid_dirs($1) +	allow $1
>> hwloc_var_run_t:dir manage_dir_perms; +	allow $1
>> hwloc_var_run_t:file manage_file_perms; +	allow $1
>> hwloc_var_run_t:lnk_file manage_lnk_file_perms; +')
> 
> Are there subdirectories under /var/run/hwloc?  If not, I would
> reduce the access to rw_dir_perms on hwloc_var_run_t dirs.
> 

Not that i am aware of but I would keep it atleast a little flexible.
That is also why i added the lnk_file permissions.

> Additionally, since the tool itself seems to create the top level
> dir (based on the below filetrans in the .te), it doesn't seem
> appropriate for this interface allow the caller
> files_rw_pid_dirs(), but to simply search pid dirs.  The
> rw_pid_dirs would more likely fall under a filetrans interface.
> 

By default the app probably creates /var/run/hwloc. However In my view
callers of the interface should be able to create /var/run/hwloc as
well with a manual type transition with mkdir -Z /var/run/hwloc if
that is ever needed for whatever reason.

If the hwloc_manage_runtime() is used together with
files_pid_filetrans($1, hwloc_var_run_t, dir) then the compiler will
remove the duplicate files_rw_pid_dirs()

However if hwloc_manage_runtime() is used without
files_pid_file_trans() then the caller can create /var/run/hwloc with
a manual type transition (provided that he has access to
setfscreatecon and compute_create (which nowadays is used by
policycoreutils)


So yes this is definitely a matter of taste. I like to keep some room
to manouver and this this is a reasonable compromise.

Eventually it is your call though, but if it was my call i would
accept this as is obviously
> 
>> diff --git a/hwloc.te b/hwloc.te new file mode 100644 index
>> 0000000..3465e3a --- /dev/null +++ b/hwloc.te @@ -0,0 +1,28 @@ 
>> +policy_module(hwloc, 1.0.0) + 
>> +######################################## +# +# Declarations +# 
>> + +attribute_role hwloc_dhwd_roles; +roleattribute system_r
>> hwloc_dhwd_roles; + +type hwloc_dhwd_t; +type hwloc_dhwd_exec_t; 
>> +init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t) +role
>> hwloc_dhwd_roles types hwloc_dhwd_t; + +type hwloc_var_run_t; 
>> +files_pid_file(hwloc_var_run_t) + 
>> +######################################## +# +# Local policy +# 
>> + +allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms; 
>> +allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms; 
>> +files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir) + 
>> +dev_read_sysfs(hwloc_dhwd_t)
>> 
> 
> 


- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIPoQAAoJECV0jlU3+UdpvI8L/21oI/n/FRQR43HWUQtQBzjr
3lCgCRw619Zs/x7YbLSLwfqpFl8bWsFTJSDe+738fXNh+fmO9ktC+mQ3dyUYcDJJ
uFkTkK4lvVmuF5kPd3/BI6xDKsPn849/gjEBOsRNnh9h16PqnGOdQJayWzr4aBIZ
De0kFmLlLwocFxNllSoan060vdvG62tPNZuPlVtw1vgfA3isk9nDSMScajlEoK7k
QN8TYP+PdJehLpHUyxZeQcxO1Bom6gFLSFcmHPRvimpTwiSVFzLYxKcuALQSbY9c
N2YHXKSNgYVM959oILI8m2ufdqswSHW7sJ8Tl+1dQGoyewUxy92bKCukwFZFfy4K
4tVDKGWINJo5J7d2iromIBZKTVRuf3iMTgi6Jg0QCeU1QDTDLqzmQLEe+Ln7PN0U
55RnKrMrAFEy6pCJ9fY/F9NqhcRcra5sLmfFc51YP5nvqNee9W1Xzw9ATEu2mwuZ
pmPx5z0R2t2+Lpy0ggkZQ4nq6iOUO7GmIuPShVG4uw==
=7IWe
-----END PGP SIGNATURE-----

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Christopher J. PeBenito]

On 4/27/2016 1:42 PM, Dominick Grift wrote:
> On 04/27/2016 07:33 PM, Christopher J. PeBenito wrote:
>> On 4/27/2016 11:21 AM, gandrejc wrote:
> 

>>> +######################################## +## <summary> +##
>>> Manage hwloc runtime. +## </summary> +## <param name="domain"> 
>>> +##	<summary> +##	Domain allowed access. +##	</summary> +##
>>> </param> +# +interface(`hwloc_manage_runtime',` +	gen_require(` +
>>> type hwloc_var_run_t; +	') + +	files_rw_pid_dirs($1) +	allow $1
>>> hwloc_var_run_t:dir manage_dir_perms; +	allow $1
>>> hwloc_var_run_t:file manage_file_perms; +	allow $1
>>> hwloc_var_run_t:lnk_file manage_lnk_file_perms; +')
> 
>> Are there subdirectories under /var/run/hwloc?  If not, I would
>> reduce the access to rw_dir_perms on hwloc_var_run_t dirs.
> 
> Not that i am aware of but I would keep it atleast a little flexible.
> That is also why i added the lnk_file permissions.

I'm fine with the lnk_file permissions, but I see this interface as
applying to the contents of the top level directory.  Though if there
are subdirectories, the're isn't a good enough reason to distinguish the
top from sub directories.


>> Additionally, since the tool itself seems to create the top level
>> dir (based on the below filetrans in the .te), it doesn't seem
>> appropriate for this interface allow the caller
>> files_rw_pid_dirs(), but to simply search pid dirs.  The
>> rw_pid_dirs would more likely fall under a filetrans interface.
> 
> 
> By default the app probably creates /var/run/hwloc. However In my view
> callers of the interface should be able to create /var/run/hwloc as
> well with a manual type transition with mkdir -Z /var/run/hwloc if
> that is ever needed for whatever reason.
> 
> If the hwloc_manage_runtime() is used together with
> files_pid_filetrans($1, hwloc_var_run_t, dir) then the compiler will
> remove the duplicate files_rw_pid_dirs()
> 
> However if hwloc_manage_runtime() is used without
> files_pid_file_trans() then the caller can create /var/run/hwloc with
> a manual type transition (provided that he has access to
> setfscreatecon and compute_create (which nowadays is used by
> policycoreutils)
> 
> 
> So yes this is definitely a matter of taste. I like to keep some room
> to manouver and this this is a reasonable compromise.

I understand the desire to be flexible, but this doesn't give us the
chance to be more restrictive.

Ultimately I'm not persuaded simply because sysadm can already manage
all these files. I'd like to reduce sysadm's access, but I think the
blanket pid access makes sense.  Splitting into two or three interfaces
is more flexible from the policy writing perspective, and the flexible
(from the runtime perspective) behavior you describe above is what is
desired, then all of the interfaces can be called.  Then we still have
room for more restrictive cases.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 08:09 PM, Christopher J. PeBenito wrote:
> On 4/27/2016 1:42 PM, Dominick Grift wrote:
>> On 04/27/2016 07:33 PM, Christopher J. PeBenito wrote:
>>> On 4/27/2016 11:21 AM, gandrejc wrote:
>> 
> 
>>>> +######################################## +## <summary> +## 
>>>> Manage hwloc runtime. +## </summary> +## <param
>>>> name="domain"> +##	<summary> +##	Domain allowed access. +##
>>>> </summary> +## </param> +#
>>>> +interface(`hwloc_manage_runtime',` +	gen_require(` + type
>>>> hwloc_var_run_t; +	') + +	files_rw_pid_dirs($1) +	allow $1 
>>>> hwloc_var_run_t:dir manage_dir_perms; +	allow $1 
>>>> hwloc_var_run_t:file manage_file_perms; +	allow $1 
>>>> hwloc_var_run_t:lnk_file manage_lnk_file_perms; +')
>> 
>>> Are there subdirectories under /var/run/hwloc?  If not, I
>>> would reduce the access to rw_dir_perms on hwloc_var_run_t
>>> dirs.
>> 
>> Not that i am aware of but I would keep it atleast a little
>> flexible. That is also why i added the lnk_file permissions.
> 
> I'm fine with the lnk_file permissions, but I see this interface
> as applying to the contents of the top level directory.  Though if
> there are subdirectories, the're isn't a good enough reason to
> distinguish the top from sub directories.
> 
> 
>>> Additionally, since the tool itself seems to create the top
>>> level dir (based on the below filetrans in the .te), it doesn't
>>> seem appropriate for this interface allow the caller 
>>> files_rw_pid_dirs(), but to simply search pid dirs.  The 
>>> rw_pid_dirs would more likely fall under a filetrans
>>> interface.
>> 
>> 
>> By default the app probably creates /var/run/hwloc. However In my
>> view callers of the interface should be able to create
>> /var/run/hwloc as well with a manual type transition with mkdir
>> -Z /var/run/hwloc if that is ever needed for whatever reason.
>> 
>> If the hwloc_manage_runtime() is used together with 
>> files_pid_filetrans($1, hwloc_var_run_t, dir) then the compiler
>> will remove the duplicate files_rw_pid_dirs()
>> 
>> However if hwloc_manage_runtime() is used without 
>> files_pid_file_trans() then the caller can create /var/run/hwloc
>> with a manual type transition (provided that he has access to 
>> setfscreatecon and compute_create (which nowadays is used by 
>> policycoreutils)
>> 
>> 
>> So yes this is definitely a matter of taste. I like to keep some
>> room to manouver and this this is a reasonable compromise.
> 
> I understand the desire to be flexible, but this doesn't give us
> the chance to be more restrictive.
> 
> Ultimately I'm not persuaded simply because sysadm can already
> manage all these files. I'd like to reduce sysadm's access, but I
> think the blanket pid access makes sense.  Splitting into two or
> three interfaces is more flexible from the policy writing
> perspective, and the flexible (from the runtime perspective)
> behavior you describe above is what is desired, then all of the
> interfaces can be called.  Then we still have room for more
> restrictive cases.
> 

Fair enough


- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIQElAAoJECV0jlU3+UdpZXUL/0IA4cLrNn1OWE7pqxvKdL4W
01DNtCmtrYc2PUylx3jlY2D5Nkn4Rmlu8txPMJjZH2URMP1u2kqHj30M/8fxPXK1
Pt7C9P7RKIWzd/Am9bKLYcrfMpW/U/n1n/0t/iM7M/UVk/xfXwXsodJLPQNtxmlw
UYL0aM/iAz9u4fuiYFpy8f/qu6/L26N0xMkIE99jc9KGeMQ3qdyjPoHYYvqbovii
VgK6lt2uw1xpZ72t8RzuxQ4Bp1eYnEKCKp+Z0+XQvAp/MxSv8ApC75Eg38+g9d4i
0Hs4yKYy8RFYOgOjkpC6naBfJwUQEIdM0k9D0abQeaX9neuBQzIfXxvSHjYRvhZA
rIj2TrrpoOUB5VHWVqr8q3Q32bjxOl5Lw1MTqk1RIjWR7Z1vga4UbQAoo/endMzC
q/bTAbhAVtq2LXP2lIdEQ0yRHzOP6qTU36mr2HUbQR8C1P8QSPZ/zMDavf4HmV7a
YWxSok7Xe55oHfxy/5+zzhNQDtPlOTdP+xECiNaUKA==
=BAC9
-----END PGP SIGNATURE-----

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 08:09 PM, Christopher J. PeBenito wrote:

>> 
>> So yes this is definitely a matter of taste. I like to keep some
>> room to manouver and this this is a reasonable compromise.
> 
> I understand the desire to be flexible, but this doesn't give us
> the chance to be more restrictive.
> 
> Ultimately I'm not persuaded simply because sysadm can already
> manage all these files. I'd like to reduce sysadm's access, but I
> think the blanket pid access makes sense.  Splitting into two or
> three interfaces is more flexible from the policy writing
> perspective, and the flexible (from the runtime perspective)
> behavior you describe above is what is desired, then all of the
> interfaces can be called.  Then we still have room for more
> restrictive cases.
> 

So now that i have accepted your point of view let me explain why I do
not do this with DSSP

I do not give blanket access to sysadm to maintain all of /var/run,
this is part of my ".adm()" implementation.

managing services can be done on an individual level in DSSP
so hwloc.adm() can manage /var/run/hwloc (and when i mean "manage" i
mean rm -rf /var/run/hwloc && mkdir -Z /var/run/hwlok) but not
/var/run/http

sysadm is (almost) merely the accumulation of all the ".adm()" macros
available.
So if i would give sysadm blacket /var/run access then that would just
be duplicate because sysadm can already manage it via the ".adm()"
macro calls.

I think though that your approach explained above seems a little
inconsistent with your desire to not give login users "blanket" access
to user content via for example: userdom_manage_all_home_content()
userdom_relabel_home_content()

In that instance you do want to give access on individual basis
example: firefox.manage_home_content() firefox.relabe_home_content()

Anyhow it is just a matter of taste, and i accept this decision and i
will try to remember this in the future. (it will be kind of confusing
but i will try)

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIQVBAAoJECV0jlU3+UdpQxQL+gM0zuRtOzeqxgrzzoVuMC9Y
43Fuc3TTPE4ryXjPlPZg8pZB+LfuTTwOvxg27h+ngQjgz9ozWUdHEo9vqdAMsgJE
QKpuCF6pWAwvMvUHFCBxkPVs5U92MTBvjGNeWFw22PbS84UZOkm+PiJgGEwK/99d
anTZMU6NGyORJNGAgPfjww6TWOgpKpRa+QvRRnA0joOGhO2EkOLTcWQ5WSkPyl4h
qAq5TbmbIQSKJvsuBSsOjS0tYxv1YFi3Mx8GfX3ZARVZ9bJn8DNOrq75PD4h3X+I
YciK1gSGpQ7E8IWBvPzpWvH1VnRKQw8PayZuwjkRxAhWkZtAHZPlDXRpXRt5KWG2
0ODn/Azc/hZB4MrNZQz5eTPZt8LldfOCG4U80iEHJfedjNreDWEzxFUD76+SzNC1
Wt3POeJHcP7nuK34ywomRTHQGLRDSXugLo5XRnZ/jY/5wyWGN6ytFpaat3Xu41ep
udLI9GxRcdXokHRGwwiK5s54s8lRMeMJRMLYeve8gA==
=7Yf1
-----END PGP SIGNATURE-----

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Christopher J. PeBenito]

On 4/27/2016 2:30 PM, Dominick Grift wrote:
> On 04/27/2016 08:09 PM, Christopher J. PeBenito wrote:
> 
>>>
>>> So yes this is definitely a matter of taste. I like to keep some
>>> room to manouver and this this is a reasonable compromise.
> 
>> I understand the desire to be flexible, but this doesn't give us
>> the chance to be more restrictive.
> 
>> Ultimately I'm not persuaded simply because sysadm can already
>> manage all these files. I'd like to reduce sysadm's access, but I
>> think the blanket pid access makes sense.  Splitting into two or
>> three interfaces is more flexible from the policy writing
>> perspective, and the flexible (from the runtime perspective)
>> behavior you describe above is what is desired, then all of the
>> interfaces can be called.  Then we still have room for more
>> restrictive cases.
> 
> 
> So now that i have accepted your point of view let me explain why I do
> not do this with DSSP
> 
> I do not give blanket access to sysadm to maintain all of /var/run,
> this is part of my ".adm()" implementation.
> 
> managing services can be done on an individual level in DSSP
> so hwloc.adm() can manage /var/run/hwloc (and when i mean "manage" i
> mean rm -rf /var/run/hwloc && mkdir -Z /var/run/hwlok) but not
> /var/run/http
> 
> sysadm is (almost) merely the accumulation of all the ".adm()" macros
> available.
> So if i would give sysadm blacket /var/run access then that would just
> be duplicate because sysadm can already manage it via the ".adm()"
> macro calls.
> 
> I think though that your approach explained above seems a little
> inconsistent with your desire to not give login users "blanket" access
> to user content via for example: userdom_manage_all_home_content()
> userdom_relabel_home_content()
> 
> In that instance you do want to give access on individual basis
> example: firefox.manage_home_content() firefox.relabe_home_content()

This is a good point; I would prefer that sysadm also be a collection
calls to admin() interfaces too, and it has slowly been moving that way.
 Hopefully we we will be able to eliminate the blanket access some time
in the future.  However, the interface we're talking about is not the
hwloc_admin() interface.  I would be fine changing this interface into
the hwloc_admin() interface.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [Patch V2 1/1] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 08:39 PM, Christopher J. PeBenito wrote:
> On 4/27/2016 2:30 PM, Dominick Grift wrote:
>> On 04/27/2016 08:09 PM, Christopher J. PeBenito wrote:
>> 
>>>> 
>>>> So yes this is definitely a matter of taste. I like to keep
>>>> some room to manouver and this this is a reasonable
>>>> compromise.
>> 
>>> I understand the desire to be flexible, but this doesn't give
>>> us the chance to be more restrictive.
>> 
>>> Ultimately I'm not persuaded simply because sysadm can already 
>>> manage all these files. I'd like to reduce sysadm's access, but
>>> I think the blanket pid access makes sense.  Splitting into two
>>> or three interfaces is more flexible from the policy writing 
>>> perspective, and the flexible (from the runtime perspective) 
>>> behavior you describe above is what is desired, then all of
>>> the interfaces can be called.  Then we still have room for
>>> more restrictive cases.
>> 
>> 
>> So now that i have accepted your point of view let me explain why
>> I do not do this with DSSP
>> 
>> I do not give blanket access to sysadm to maintain all of
>> /var/run, this is part of my ".adm()" implementation.
>> 
>> managing services can be done on an individual level in DSSP so
>> hwloc.adm() can manage /var/run/hwloc (and when i mean "manage"
>> i mean rm -rf /var/run/hwloc && mkdir -Z /var/run/hwlok) but not 
>> /var/run/http
>> 
>> sysadm is (almost) merely the accumulation of all the ".adm()"
>> macros available. So if i would give sysadm blacket /var/run
>> access then that would just be duplicate because sysadm can
>> already manage it via the ".adm()" macro calls.
>> 
>> I think though that your approach explained above seems a little 
>> inconsistent with your desire to not give login users "blanket"
>> access to user content via for example:
>> userdom_manage_all_home_content() userdom_relabel_home_content()
>> 
>> In that instance you do want to give access on individual basis 
>> example: firefox.manage_home_content()
>> firefox.relabe_home_content()
> 
> This is a good point; I would prefer that sysadm also be a
> collection calls to admin() interfaces too, and it has slowly been
> moving that way. Hopefully we we will be able to eliminate the
> blanket access some time in the future.  However, the interface
> we're talking about is not the hwloc_admin() interface.  I would be
> fine changing this interface into the hwloc_admin() interface.
> 

Indeed. A hwloc_admin() should have been created and called instead.

But I still stay of the opinion that "manage_runtime" should mean that
all of it can be managed as opposed to only specified content under
the top-level.

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIQihAAoJECV0jlU3+Udp3P8L/Rq22uk9t0t1JOtVqvBtrp22
bl/JH2+jAelycJnq1NONJj6vPYBa+ySWh43nvwD5OHDOOUhU7oAPMWciyLJhMPHh
zvE0BvGizj/J09W6RD3GTHGjFV0+54bZxWIfmTO9L6Rb/GvX8EEl8mTloAvsNZjs
hqlGdE/xX/Jpj+HJ1ghfn9+qnRpVh7Pb04eTBvB9Xe0ekT0cfCb1PNt/ULzPr1Gm
11cHCNZV3tBqWllwFTdVaOmmyICJcxfSr85UlIbgqCb8wIID/Z7BlgCS+IBe3/x/
hw5cmzBVEVZCDZDzxIM82eOEDuctG9lFkUrmGYuq0JRQQ9+oSoHmT8pp81IPY2B3
aNSyzYtzSQBNMwhDUo2h6jH7f+5OdnN0uVnhJUpLSMPpv3QUa0BRqYsVnpuBTq6O
bXPoZ615UBSMra26AHyByn7EFYGxWzN4w15OjzhCs0xurb4ZNaUTCqejPPCefGt0
7cyjHEgGjoiiHsBj42cOPRtO9O1vuwkkcd/UJ8u24w==
=0K5A
-----END PGP SIGNATURE-----

[refpolicy] [PATCH V3] Add hwloc-dump-hwdata SELinux policy

[Dominick Grift]

The Portable Hardware Locality (hwloc) software package
provides a portable abstraction (across OS, versions, architectures, ...)
of the hierarchical topology of modern architectures,
including NUMA memory nodes, sockets, shared caches,
cores and simultaneous multithreading.
It also gathers various system attributes such as cache and memory information
as well as the locality of I/O devices such as network interfaces,
InfiniBand HCAs or GPUs.

New hwloc utility (hwloc-dump-hwdata) reads firmware entries and generates
intermediate files to be used later by hwloc utils.

This cannot be done when MLS is in enforicing mode because SELinux blocks
access to var_run_t for user_t.

The policy does the following:
- adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
- adds hwloc_dhwd_t system domain with entry point in
hwloc_dhwd_exec_t
- allows hwloc_dhwd_exec_t to be run as application
- allows hwloc_dhwd_t access sysfs
- allows hwloc_dhwd_t to create dir and file in /var/run
- makes transition for hwloc-dump-hwdata output file from var_run_t to
var_t.

The data is derived from proprietary SMBIOS entries containing MCDRAM memory
side cache configuration : cache size, associativity, inclusiveness and
line size.

V3:
Add hwloc_admin()
Remove hwloc_manage_runtime()
Add hwloc_dhwd_unit_t
Rename run, domtrans and exec interfaces

Signed-off-by: Dominick Grift <dac.override@gmail.com>
---
 hwloc.fc |   5 +++
 hwloc.if | 106 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 hwloc.te |  31 +++++++++++++++++++
 3 files changed, 142 insertions(+)
 create mode 100644 hwloc.fc
 create mode 100644 hwloc.if
 create mode 100644 hwloc.te

diff --git a/hwloc.fc b/hwloc.fc
new file mode 100644
index 0000000..d0c5a15
--- /dev/null
+++ b/hwloc.fc
@@ -0,0 +1,5 @@
+/usr/sbin/hwloc-dump-hwdata	--	gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/usr/lib/systemd/system/hwloc-dump-hwdata.*	--	gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+
+/var/run/hwloc(/.*)?	gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/hwloc.if b/hwloc.if
new file mode 100644
index 0000000..c2349ec
--- /dev/null
+++ b/hwloc.if
@@ -0,0 +1,106 @@
+## <summary>Dump topology and locality information from hardware tables.</summary>
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`hwloc_domtrans_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+	')
+
+	domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the hwloc dhwd domain, and
+##	allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_dhwd',`
+	gen_require(`
+		attribute_role hwloc_dhwd_roles;
+	')
+
+	hwloc_domtrans_dhwd($1)
+	roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+##	Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_exec_dhwd',`
+	gen_require(`
+		type hwloc_dhwd_exec_t;
+	')
+
+	can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+##	Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+	gen_require(`
+		type hwloc_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an hwloc environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_admin',`
+	gen_require(`
+		type hwloc_dhwd_t, hwloc_var_run_t;
+	')
+
+	allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, hwloc_dhwd_t)
+
+	admin_pattern($1, hwloc_var_run_t)
+	files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+')
diff --git a/hwloc.te b/hwloc.te
new file mode 100644
index 0000000..afe13cc
--- /dev/null
+++ b/hwloc.te
@@ -0,0 +1,31 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+type hwloc_dhwd_unit_t;
+init_unit_file(hwloc_dhwd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
-- 
2.5.5

[refpolicy] [Patch V2 1/1] Update refpolicy to handle hwloc

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/27/2016 05:21 PM, gandrejc wrote:
> The Portable Hardware Locality (hwloc) software package provides a 
> portable abstraction (across OS, versions, architectures, ...) of
> the hierarchical topology of modern architectures, including NUMA
> memory nodes, sockets, shared caches, cores and simultaneous
> multithreading. It also gathers various system attributes such as
> cache and memory information as well as the locality of I/O devices
> such as network interfaces, InfiniBand HCAs or GPUs.
> 

grzegorz, I imagine that by now you may be a little confused by this
discussion. Therefore I am willing to create a new patch with some of
the considerations mentioned in this threat applied.

I would need some information though that i cannot find myself. Your
policy implies that hwloc-dhwd can be run as a system service. However
the system service initscript and/or service unit is not taken into
consideration.

what is the exact location of this script? Once I know that , then i
can redo the patch with that part taken into account and hopefully
take away the remaining concerns.

- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIRA6AAoJECV0jlU3+Udpm+gL/iXpQhK0Vknb9U5jyzCQ4FhH
nzOvD2yfZhgVHdNt+D//OZ45fcZsyGFy1V4JPUpS703csgCzYzbTyvKq6rF0Wc3O
TYZixv1WKx8l35SAN5nKvFBvv9b+WPcbxT4Rm6pzXUcH+TVJdi1inOpOqQ1dNF30
rruZEBkkOwW2wLyHa/W2APDD0iBG5M9roBL5NjN54H215J3iugt2lh+aJIFXhClZ
JeMUTE10UAL2TvZiuNPmsDjmzsKfOZg0VrDuE4hYYlAvNz4CotZye/PX1izlZvVc
oPn0kaCHfLoRR9Z1UiR4nLH+lzawUOLsoiskofo2cARxRU6MYy2u7OYFWVopDx46
+02/v7LgPVCHrBmJhLd4E5aBh2H2Y+QeomTHPYgg+uGOyW3oSEzoMubhciKOqGcZ
n58ZCYsFnQmBNC9IGd1yLfJN4V+SOPEYKxHT2k2bvabNQFeZ4MXLp0Xl1FzrsRaI
V9BrlYGOTQg5t5uBZmnWzDhs8KtTTJCoPEdbvDDAHA==
=6m1E
-----END PGP SIGNATURE-----

[refpolicy] [Patch V2 1/1] Update refpolicy to handle hwloc

[Andrejczuk, Grzegorz]

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 04/27/2016 05:21 PM, gandrejc wrote:
> > The Portable Hardware Locality (hwloc) software package provides a
> > portable abstraction (across OS, versions, architectures, ...) of the 
> > hierarchical topology of modern architectures, including NUMA memory 
> > nodes, sockets, shared caches, cores and simultaneous multithreading. 
> > It also gathers various system attributes such as cache and memory 
> > information as well as the locality of I/O devices such as network 
> > interfaces, InfiniBand HCAs or GPUs.
> 

> grzegorz, I imagine that by now you may be a little confused by this discussion. Therefore I am willing to create a new patch with some of the considerations mentioned > in this threat applied.

> I would need some information though that i cannot find myself. Your policy implies that hwloc-dhwd can be run as a system service. However the system service > > > > initscript and/or service unit is not taken into consideration.
> what is the exact location of this script? Once I know that , then i can redo the patch with that part taken into account and hopefully take away the remaining concerns.

We support system only, unit file is hwloc-dump-hwdata.service is installed to default systemd unit location (on RedHat /usr/lib/systemd/system). 
The unit file looks like this:
[Unit]
Description=Dump hardware topology and locality information to /var/run/hwloc

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/hwloc-dump-hwdata -o /var/run/hwloc
ExecStop=/usr/bin/rm -rf /var/run/hwloc

[Install]
WantedBy=multi-user.target

- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIRA6AAoJECV0jlU3+Udpm+gL/iXpQhK0Vknb9U5jyzCQ4FhH
nzOvD2yfZhgVHdNt+D//OZ45fcZsyGFy1V4JPUpS703csgCzYzbTyvKq6rF0Wc3O
TYZixv1WKx8l35SAN5nKvFBvv9b+WPcbxT4Rm6pzXUcH+TVJdi1inOpOqQ1dNF30
rruZEBkkOwW2wLyHa/W2APDD0iBG5M9roBL5NjN54H215J3iugt2lh+aJIFXhClZ
JeMUTE10UAL2TvZiuNPmsDjmzsKfOZg0VrDuE4hYYlAvNz4CotZye/PX1izlZvVc
oPn0kaCHfLoRR9Z1UiR4nLH+lzawUOLsoiskofo2cARxRU6MYy2u7OYFWVopDx46
+02/v7LgPVCHrBmJhLd4E5aBh2H2Y+QeomTHPYgg+uGOyW3oSEzoMubhciKOqGcZ
n58ZCYsFnQmBNC9IGd1yLfJN4V+SOPEYKxHT2k2bvabNQFeZ4MXLp0Xl1FzrsRaI
V9BrlYGOTQg5t5uBZmnWzDhs8KtTTJCoPEdbvDDAHA==
=6m1E
-----END PGP SIGNATURE-----
--------------------------------------------------------------------

Intel Technology Poland sp. z o.o.
ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN.

Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek
przegladanie lub rozpowszechnianie jest zabronione.
This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by
others is strictly prohibited.

[refpolicy] [Patch V2 1/1] Update refpolicy to handle hwloc

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/28/2016 10:24 AM, Andrejczuk, Grzegorz wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> 
>> On 04/27/2016 05:21 PM, gandrejc wrote:
>>> The Portable Hardware Locality (hwloc) software package
>>> provides a portable abstraction (across OS, versions,
>>> architectures, ...) of the hierarchical topology of modern
>>> architectures, including NUMA memory nodes, sockets, shared
>>> caches, cores and simultaneous multithreading. It also gathers
>>> various system attributes such as cache and memory information
>>> as well as the locality of I/O devices such as network 
>>> interfaces, InfiniBand HCAs or GPUs.
>> 
> 
>> grzegorz, I imagine that by now you may be a little confused by
>> this discussion. Therefore I am willing to create a new patch
>> with some of the considerations mentioned > in this threat
>> applied.
> 
>> I would need some information though that i cannot find myself.
>> Your policy implies that hwloc-dhwd can be run as a system
>> service. However the system service > > > > initscript and/or
>> service unit is not taken into consideration. what is the exact
>> location of this script? Once I know that , then i can redo the
>> patch with that part taken into account and hopefully take away
>> the remaining concerns.
> 
> We support system only, unit file is hwloc-dump-hwdata.service is
> installed to default systemd unit location (on RedHat
> /usr/lib/systemd/system). The unit file looks like this: [Unit] 
> Description=Dump hardware topology and locality information to
> /var/run/hwloc
> 
> [Service] Type=oneshot RemainAfterExit=yes 
> ExecStart=/usr/sbin/hwloc-dump-hwdata -o /var/run/hwloc 
> ExecStop=/usr/bin/rm -rf /var/run/hwloc
> 

Okay, thanks. I will see if i can whip another patch up today.

By the way that ExecStop= is generally not such a good idea. Is that
really required? Does it not just overwrite the files in there when
you restart the service?

systemd will usually run generic coreutils like rm with a domain
transition to the initrc_t domain. That means that initrc_t would need
to be able to rm /var/run/hwloc. This is sub-optimal.

Its bad enough that ExecStop is often used for kill $MAINPID with system
d.

> [Install] WantedBy=multi-user.target
> 
> - -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D
> 2C7B 6B02 
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>
> 
Dominick Grift
> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2
> 
> iQGcBAEBCAAGBQJXIRA6AAoJECV0jlU3+Udpm+gL/iXpQhK0Vknb9U5jyzCQ4FhH 
> nzOvD2yfZhgVHdNt+D//OZ45fcZsyGFy1V4JPUpS703csgCzYzbTyvKq6rF0Wc3O 
> TYZixv1WKx8l35SAN5nKvFBvv9b+WPcbxT4Rm6pzXUcH+TVJdi1inOpOqQ1dNF30 
> rruZEBkkOwW2wLyHa/W2APDD0iBG5M9roBL5NjN54H215J3iugt2lh+aJIFXhClZ 
> JeMUTE10UAL2TvZiuNPmsDjmzsKfOZg0VrDuE4hYYlAvNz4CotZye/PX1izlZvVc 
> oPn0kaCHfLoRR9Z1UiR4nLH+lzawUOLsoiskofo2cARxRU6MYy2u7OYFWVopDx46 
> +02/v7LgPVCHrBmJhLd4E5aBh2H2Y+QeomTHPYgg+uGOyW3oSEzoMubhciKOqGcZ 
> n58ZCYsFnQmBNC9IGd1yLfJN4V+SOPEYKxHT2k2bvabNQFeZ4MXLp0Xl1FzrsRaI 
> V9BrlYGOTQg5t5uBZmnWzDhs8KtTTJCoPEdbvDDAHA== =6m1E -----END PGP
> SIGNATURE----- 
> --------------------------------------------------------------------
>
>  Intel Technology Poland sp. z o.o. ul. Slowackiego 173 | 80-298
> Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy
> Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 |
> Kapital zakladowy 200.000 PLN.
> 
> Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego
> adresata i moze zawierac informacje poufne. W razie przypadkowego
> otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz
> trwale jej usuniecie; jakiekolwiek przegladanie lub
> rozpowszechnianie jest zabronione. This e-mail and any attachments
> may contain confidential material for the sole use of the intended
> recipient(s). If you are not the intended recipient, please contact
> the sender and delete all copies; any review or distribution by 
> others is strictly prohibited.
> 


- -- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIdAnAAoJECV0jlU3+UdpmHEL/ArdwLHT8BzWFn5dA+Y1025O
y9cvZDsmlbS6+oI+8ZupQVSNZWj98n81L8X8hRcMtpf5hdIl5juXnY5+umwRigPd
xaDEnD027hggzyrQHmvy6ZE6ecdQNc3sHYx7M0Jw4d/sQHTZNWFoB7fj363SHgZ2
76uK1qJZMCT6i+opFpocg3Fea5KaVGYG501xk/G6yTX7+qiYNdYPWsj7bovAxdxD
tqd722IxEKYMwuVSvkIBZaHRxWfDKFlY5d5GzHA5S6JwN0AB4KyD6btcjB0U4Fhp
fL7zK/X4UEGrYCwW8aYuDgNNz6aawjQFKF16oGxeqvodV6j6uekhk2h+SldpkD2w
eyQVDaCrjzyjHTAhESav2uOGVkOrYk+I2metlVhiFIDNXZ7UFKFk1Y0gvmecm7jg
EMMryZVNKpDkDpvI7cCmtW24gZl4ZT05o7SyVSgLuwKdB0EO3//Hpl+lV0MGOuWA
CkVb2Mc9tX4ZlPMB9Pp4HIchEoerY6i4pF0LzqyHGg==
=reqL
-----END PGP SIGNATURE-----

[refpolicy] [Patch V2 1/1] Update refpolicy to handle hwloc

[Andrejczuk, Grzegorz]

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>On 04/28/2016 10:24 AM, Andrejczuk, Grzegorz wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>> 
>>> On 04/27/2016 05:21 PM, gandrejc wrote:
>>>> The Portable Hardware Locality (hwloc) software package provides a 
>>>> portable abstraction (across OS, versions, architectures, ...) of 
>>> the hierarchical topology of modern architectures, including NUMA 
>>>> memory nodes, sockets, shared caches, cores and simultaneous 
>>>> multithreading. It also gathers various system attributes such as 
>>>> cache and memory information as well as the locality of I/O devices 
>>>> such as network interfaces, InfiniBand HCAs or GPUs.
>>> 
>> 
>>> grzegorz, I imagine that by now you may be a little confused by this 
>>> discussion. Therefore I am willing to create a new patch with some of 
>>> the considerations mentioned > in this threat applied. 
>> 
>>> I would need some information though that i cannot find myself.
>>> Your policy implies that hwloc-dhwd can be run as a system service. 
>>> However the system service > > > > initscript and/or service unit is 
>>> not taken into consideration. what is the exact location of this 
>>> script? Once I know that , then i can redo the patch with that part 
>>> taken into account and hopefully take away the remaining concerns.
>> 
>> We support system only, unit file is hwloc-dump-hwdata.service is 
>> installed to default systemd unit location (on RedHat 
>> /usr/lib/systemd/system). The unit file looks like this: [Unit] 
>> Description=Dump hardware topology and locality information to 
>> /var/run/hwloc
>> 
>> [Service] Type=oneshot RemainAfterExit=yes 
>> ExecStart=/usr/sbin/hwloc-dump-hwdata -o /var/run/hwloc 
>> ExecStop=/usr/bin/rm -rf /var/run/hwloc
>> 
>
>Okay, thanks. I will see if i can whip another patch up today.
>
>By the way that ExecStop= is generally not such a good idea. Is that really required? Does it not just overwrite the files in there when you restart the service?
>
>systemd will usually run generic coreutils like rm with a domain transition to the initrc_t domain. That means that initrc_t would need to be able to rm /var/run/hwloc. >This is sub-optimal.
>
>Its bad enough that ExecStop is often used for kill $MAINPID with system d.

I pushed the change with removing of the ExecStop from service file to hwloc maintainer. It should be accepted as service truncates its files. 
I will keep you posted. 

> [Install] WantedBy=multi-user.target
> 
> - -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 
> 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>
> 
Dominick Grift
> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2
> 
> iQGcBAEBCAAGBQJXIRA6AAoJECV0jlU3+Udpm+gL/iXpQhK0Vknb9U5jyzCQ4FhH
> nzOvD2yfZhgVHdNt+D//OZ45fcZsyGFy1V4JPUpS703csgCzYzbTyvKq6rF0Wc3O
> TYZixv1WKx8l35SAN5nKvFBvv9b+WPcbxT4Rm6pzXUcH+TVJdi1inOpOqQ1dNF30
> rruZEBkkOwW2wLyHa/W2APDD0iBG5M9roBL5NjN54H215J3iugt2lh+aJIFXhClZ
> JeMUTE10UAL2TvZiuNPmsDjmzsKfOZg0VrDuE4hYYlAvNz4CotZye/PX1izlZvVc
> oPn0kaCHfLoRR9Z1UiR4nLH+lzawUOLsoiskofo2cARxRU6MYy2u7OYFWVopDx46
> +02/v7LgPVCHrBmJhLd4E5aBh2H2Y+QeomTHPYgg+uGOyW3oSEzoMubhciKOqGcZ
> n58ZCYsFnQmBNC9IGd1yLfJN4V+SOPEYKxHT2k2bvabNQFeZ4MXLp0Xl1FzrsRaI
> V9BrlYGOTQg5t5uBZmnWzDhs8KtTTJCoPEdbvDDAHA== =6m1E -----END PGP
> SIGNATURE-----
> --------------------------------------------------------------------
>
>  Intel Technology Poland sp. z o.o. ul. Slowackiego 173 | 80-298 
> Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy 
> Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital 
> zakladowy 200.000 PLN.
> 
> Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego 
> adresata i moze zawierac informacje poufne. W razie przypadkowego 
> otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale 
> jej usuniecie; jakiekolwiek przegladanie lub rozpowszechnianie jest 
> zabronione. This e-mail and any attachments may contain confidential 
> material for the sole use of the intended recipient(s). If you are not 
> the intended recipient, please contact the sender and delete all 
> copies; any review or distribution by others is strictly prohibited.
> 


- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCAAGBQJXIdAnAAoJECV0jlU3+UdpmHEL/ArdwLHT8BzWFn5dA+Y1025O
y9cvZDsmlbS6+oI+8ZupQVSNZWj98n81L8X8hRcMtpf5hdIl5juXnY5+umwRigPd
xaDEnD027hggzyrQHmvy6ZE6ecdQNc3sHYx7M0Jw4d/sQHTZNWFoB7fj363SHgZ2
76uK1qJZMCT6i+opFpocg3Fea5KaVGYG501xk/G6yTX7+qiYNdYPWsj7bovAxdxD
tqd722IxEKYMwuVSvkIBZaHRxWfDKFlY5d5GzHA5S6JwN0AB4KyD6btcjB0U4Fhp
fL7zK/X4UEGrYCwW8aYuDgNNz6aawjQFKF16oGxeqvodV6j6uekhk2h+SldpkD2w
eyQVDaCrjzyjHTAhESav2uOGVkOrYk+I2metlVhiFIDNXZ7UFKFk1Y0gvmecm7jg
EMMryZVNKpDkDpvI7cCmtW24gZl4ZT05o7SyVSgLuwKdB0EO3//Hpl+lV0MGOuWA
CkVb2Mc9tX4ZlPMB9Pp4HIchEoerY6i4pF0LzqyHGg==
=reqL
-----END PGP SIGNATURE-----
--------------------------------------------------------------------

Intel Technology Poland sp. z o.o.
ul. Slowackiego 173 | 80-298 Gdansk | Sad Rejonowy Gdansk Polnoc | VII Wydzial Gospodarczy Krajowego Rejestru Sadowego - KRS 101882 | NIP 957-07-52-316 | Kapital zakladowy 200.000 PLN.

Ta wiadomosc wraz z zalacznikami jest przeznaczona dla okreslonego adresata i moze zawierac informacje poufne. W razie przypadkowego otrzymania tej wiadomosci, prosimy o powiadomienie nadawcy oraz trwale jej usuniecie; jakiekolwiek
przegladanie lub rozpowszechnianie jest zabronione.
This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). If you are not the intended recipient, please contact the sender and delete all copies; any review or distribution by
others is strictly prohibited.

[refpolicy] [PATCH] Update refpolicy to handle hwloc

[Dominick Grift]

The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces

Signed-off-by: Dominick Grift <dac.override@gmail.com>
---
 policy/modules/roles/sysadm.te      | 5 +++++
 policy/modules/system/userdomain.if | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index ceaa4cb..5bbb52c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -458,6 +458,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	hwloc_admin(sysadm_t)
+	hwloc_run_dhwd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	howl_admin(sysadm_t, sysadm_r)
 ')
 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cbb6e09..d604147 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -619,6 +619,11 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		hwloc_exec_dhwd($1_t)
+		hwloc_read_runtime_files($1_t)
+	')
+
+	optional_policy(`
 		inetd_use_fds($1_t)
 		inetd_rw_tcp_sockets($1_t)
 	')
-- 
2.5.5

[refpolicy] [PATCH] Update refpolicy to handle hwloc

[Christopher J. PeBenito]

On 4/28/2016 6:04 AM, Dominick Grift wrote:
> The Portable Hardware Locality (hwloc) software package provides a
> portable abstraction (across OS, versions, architectures, ...) of the
> hierarchical topology of modern architectures, including NUMA memory
> nodes, sockets, shared caches, cores and simultaneous multithreading. It
> also gathers various system attributes such as cache and memory
> information as well as the locality of I/O devices such as network
> interfaces, InfiniBand HCAs or GPUs.
> 
> Following changes enable:
> - add interface to change dirs in /var/run
> - add optional policies for hwloc-dump-hwdata
> 
> V3:
> Remove files_rw_pid_dirs()
> Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
> Adjust calls to renamed hwloc dhwd run and exec interfaces

Merged.



> Signed-off-by: Dominick Grift <dac.override@gmail.com>
> ---
>  policy/modules/roles/sysadm.te      | 5 +++++
>  policy/modules/system/userdomain.if | 5 +++++
>  2 files changed, 10 insertions(+)
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index ceaa4cb..5bbb52c 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -458,6 +458,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	hwloc_admin(sysadm_t)
> +	hwloc_run_dhwd(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
>  	howl_admin(sysadm_t, sysadm_r)
>  ')
>  
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index cbb6e09..d604147 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -619,6 +619,11 @@ template(`userdom_common_user_template',`
>  	')
>  
>  	optional_policy(`
> +		hwloc_exec_dhwd($1_t)
> +		hwloc_read_runtime_files($1_t)
> +	')
> +
> +	optional_policy(`
>  		inetd_use_fds($1_t)
>  		inetd_rw_tcp_sockets($1_t)
>  	')
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH V3 RESENT] Update refpolicy to handle hwloc

[Dominick Grift]

The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces

Signed-off-by: Dominick Grift <dac.override@gmail.com>
---
 policy/modules/roles/sysadm.te      | 5 +++++
 policy/modules/system/userdomain.if | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index ceaa4cb..5bbb52c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -458,6 +458,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	hwloc_admin(sysadm_t)
+	hwloc_run_dhwd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	howl_admin(sysadm_t, sysadm_r)
 ')
 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cbb6e09..d604147 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -619,6 +619,11 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		hwloc_exec_dhwd($1_t)
+		hwloc_read_runtime_files($1_t)
+	')
+
+	optional_policy(`
 		inetd_use_fds($1_t)
 		inetd_rw_tcp_sockets($1_t)
 	')
-- 
2.5.5

[refpolicy] [PATCH V3 RESENT] Update refpolicy to handle hwloc

[Christopher J. PeBenito]

On 4/28/2016 6:06 AM, Dominick Grift wrote:
> The Portable Hardware Locality (hwloc) software package provides a
> portable abstraction (across OS, versions, architectures, ...) of the
> hierarchical topology of modern architectures, including NUMA memory
> nodes, sockets, shared caches, cores and simultaneous multithreading. It
> also gathers various system attributes such as cache and memory
> information as well as the locality of I/O devices such as network
> interfaces, InfiniBand HCAs or GPUs.
> 
> Following changes enable:
> - add interface to change dirs in /var/run
> - add optional policies for hwloc-dump-hwdata
> 
> V3:
> Remove files_rw_pid_dirs()
> Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
> Adjust calls to renamed hwloc dhwd run and exec interfaces

Merged.


> Signed-off-by: Dominick Grift <dac.override@gmail.com>
> ---
>  policy/modules/roles/sysadm.te      | 5 +++++
>  policy/modules/system/userdomain.if | 5 +++++
>  2 files changed, 10 insertions(+)
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index ceaa4cb..5bbb52c 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -458,6 +458,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	hwloc_admin(sysadm_t)
> +	hwloc_run_dhwd(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
>  	howl_admin(sysadm_t, sysadm_r)
>  ')
>  
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index cbb6e09..d604147 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -619,6 +619,11 @@ template(`userdom_common_user_template',`
>  	')
>  
>  	optional_policy(`
> +		hwloc_exec_dhwd($1_t)
> +		hwloc_read_runtime_files($1_t)
> +	')
> +
> +	optional_policy(`
>  		inetd_use_fds($1_t)
>  		inetd_rw_tcp_sockets($1_t)
>  	')
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com