From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] rasdaemon (replacement for mcelog)
Date: Mon, 08 Mar 2021 09:55:49 +0100
Message-ID: <ypjl7dmija7e.fsf@defensec.nl>
In-Reply-To: <YEWNyIsSThUoVAsc@xev> (Russell Coker's message of "Mon, 8 Mar 2021 13:36:56 +1100")

Russell Coker <russell@coker.com.au> writes:

> This is policy for rasdaemon, the new replacement for mcelog.  The
> /dev/mcelog device is now an obsolete kernel feature that can be enabled
> for backward compatibility and rasdaemon with tracefs is the new way.
>
> I've tested this and it seems to work OK, but all my servers are working
> well so I haven't been able to test the case of actually detecting an
> error.  It would be good if someone with a known damaged server could give
> it a go.
>
> I think this is ready for merging.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> @@ -5302,6 +5302,25 @@ interface(`fs_getattr_tracefs_files',`
>  
>  ########################################
>  ## <summary>
> +##	Read/write trace filesystem files
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`fs_write_tracefs_files',`
> +	gen_require(`
> +		type tracefs_t;
> +	')
> +
> +	allow $1 tracefs_t:dir list_dir_perms;
> +	allow $1 tracefs_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Mount a XENFS filesystem.
>  ## </summary>
>  ## <param name="domain">
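
Review bot: The interface name fs_write_tracefs_files does not match what it grants: the summary says "Read/write" and the file rule uses rw_file_perms, so a caller asking for write also gets read on every tracefs_t file. Naming it fs_rw_tracefs_files would make the granted access visible at the call site in rasdaemon.te. The <param> block is also indented with spaces where the summary line above it uses a tab.
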
> Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.fc
> @@ -0,0 +1,3 @@
> +/usr/sbin/rasdaemon			--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
> +/var/lib/rasdaemon(/.*)?			gen_context(system_u:object_r:rasdaemon_var_t,s0)
> +
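
Review bot: The type on the /var/lib/rasdaemon(/.*)? entry is rasdaemon_var_t although the path is under /var/lib; refpolicy modules normally name such a type with a _var_lib_t suffix, so rasdaemon_var_lib_t here and in rasdaemon.te would be consistent with the rest of the policy. The hunk also adds an empty third line at the end of the file, which can be dropped.
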
> Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.if
> @@ -0,0 +1 @@
> +## <summary></summary>
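
Review bot: The summary on the only line of rasdaemon.if is empty, so the generated documentation will carry no description for the module. Put the one-line description here, for example the "RAS (Reliability, Availability and Serviceability) logging tool" wording that the rasdaemon.te comment already uses.
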
> Index: refpolicy-2.20210203/policy/modules/services/rasdaemon.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20210203/policy/modules/services/rasdaemon.te
> @@ -0,0 +1,49 @@
> +policy_module(rasdaemon, 1.0.0)
> +
> +# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
> +# tool.  It currently records memory errors, using the EDAC tracing events.
> +# EDAC are drivers in the Linux kernel that handle detection of ECC errors
> +# from memory controllers for most chipsets on x86 and ARM architectures.
> +#
> +# https://git.infradead.org/users/mchehab/rasdaemon.git

Please use the <summary></summary> for description. We have an API
browser (make doc) and the description should end up there as well.

<summary>Reliability, Availability and Serviceability (RAS) logging tool.</summary>

I would omit the URL because those are often subject to change anyway.

> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type rasdaemon_t;
> +type rasdaemon_exec_t;
> +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
> +
> +type rasdaemon_var_t;
> +files_type(rasdaemon_var_t)

Someone should at some point maybe consider creating a files_state_file()
for /var/lib so that we can differentiate there.

> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow rasdaemon_t self:unix_dgram_socket create_socket_perms;

redundant: implied with logging_send_syslog_msg()

> +
> +# confidentiality for tracefs and integrity for debugfs
> +allow rasdaemon_t self:lockdown { confidentiality integrity };
> +
> +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
> +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
> +
> +kernel_read_debugfs(rasdaemon_t)
> +kernel_read_system_state(rasdaemon_t)
> +kernel_read_vm_overcommit_sysctl(rasdaemon_t)
> +kernel_search_fs_sysctls(rasdaemon_t)
> +
> +dev_list_sysfs(rasdaemon_t)
> +dev_read_urand(rasdaemon_t)
> +
> +files_read_etc_symlinks(rasdaemon_t)
> +files_search_var_lib(rasdaemon_t)
> +fs_write_tracefs_files(rasdaemon_t)
> +
> +logging_send_syslog_msg(rasdaemon_t)
> +miscfiles_read_localization(rasdaemon_t)
> +
>
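
Review bot: The lockdown rule grants rasdaemon_t both confidentiality and integrity, and the comment above it attributes integrity to debugfs although the only debugfs access in the module is kernel_read_debugfs(rasdaemon_t). Name in that comment the debugfs and tracefs files the daemon opens, so the integrity permission can be dropped later if the debugfs reads turn out to be optional. Separately, fs_write_tracefs_files(rasdaemon_t) sits directly under the files_ calls without the blank line that separates the other groups.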

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
