From: Russell Coker <russell@coker.com.au>
To: Daniel Burgener <dburgener@linux.microsoft.com>,
selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] rasdaemon V2
Date: Fri, 18 Feb 2022 02:13:55 +1100
Message-ID: <B1BD91EA-BA17-4AFA-8014-6F50A2181229@coker.com.au>
In-Reply-To: <e80b4363-6d18-3866-630a-961525fcfe47@linux.microsoft.com>

Thanks. I'll send another patch based on that in about 12 hours.
On 18 February 2022 1:54:19 am AEDT, Daniel Burgener <dburgener@linux.microsoft.com> wrote:
>On 2/17/2022 9:46 AM, Russell Coker wrote:
>> Same as before but with the needed summary and removed the obsolete lockdown
>> rule.
>>
>> Should be ready for merging now.
>> Signed-off-by: Russell Coker <russell@coker.com.au>
>
>I thought this sounded familiar, so I searched my inbox, and it looks
>like you submitted this same patch a year ago, and there was feedback
>from Chris and Dominick that doesn't seem to be addressed yet. I'll
>try to capture it all inline below.
>
>>
>> Index: refpolicy-2.20220217/policy/modules/kernel/filesystem.if
>> ===================================================================
>> --- refpolicy-2.20220217.orig/policy/modules/kernel/filesystem.if
>> +++ refpolicy-2.20220217/policy/modules/kernel/filesystem.if
>> @@ -5485,6 +5485,43 @@ interface(`fs_getattr_tracefs_files',`
>>
>> ########################################
>> ## <summary>
>> +## Read/write trace filesystem files
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`fs_write_tracefs_files',`
>> + gen_require(`
>> + type tracefs_t;
>> + ')
>> +
>> + allow $1 tracefs_t:dir list_dir_perms;
>> + allow $1 tracefs_t:file rw_file_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## create trace filesystem directories
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`fs_create_tracefs_dirs',`
>> + gen_require(`
>> + type tracefs_t;
>> + ')
>> +
>> + allow $1 tracefs_t:dir { create rw_dir_perms };
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Mount a XENFS filesystem.
>> ## </summary>
>> ## <param name="domain">
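Review bot: `fs_write_tracefs_files` grants `rw_file_perms` (and its own summary says "Read/write"), so under the naming convention used throughout filesystem.if it should be `fs_rw_tracefs_files`; a `write_` interface would grant `write_file_perms`. `fs_create_tracefs_dirs` is also broader than its name: `{ create rw_dir_perms }` lets the caller add and remove entries in every `tracefs_t` directory, not only create new ones. Creating a directory does need `add_name`/`write` on the parent plus `create` on the new directory, but if rasdaemon never removes tracefs entries, drop `remove_name` by listing the permissions explicitly; otherwise give the interface a name that reflects the access it really grants. Minor: the summary "create trace filesystem directories" should be capitalised like the neighbouring summaries.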
>> Index: refpolicy-2.20220217/policy/modules/services/rasdaemon.fc
>> ===================================================================
>> --- /dev/null
>> +++ refpolicy-2.20220217/policy/modules/services/rasdaemon.fc
>> @@ -0,0 +1,3 @@
>> +/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0)
>> +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0)
>> +
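Review bot: the third added line of this three-line hunk is empty, so the new rasdaemon.fc ends with a trailing blank line; delete it and let the file end after the `/var/lib/rasdaemon(/.*)?` entry. The `--` qualifier on `/usr/sbin/rasdaemon` is right for the executable, and leaving the `/var/lib` entry unqualified is correct since it has to cover both the directory and its contents.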
>> Index: refpolicy-2.20220217/policy/modules/services/rasdaemon.if
>> ===================================================================
>> --- /dev/null
>> +++ refpolicy-2.20220217/policy/modules/services/rasdaemon.if
>> @@ -0,0 +1 @@
>> +## <summary>RAS (Reliability, Availability and Serviceability) logging tool</summary>
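Review bot: the module exposes no interfaces at all, so no other domain can be granted access to `rasdaemon_exec_t` or to the daemon's `/var/lib` files through the policy. A `rasdaemon_admin()` interface (the usual `admin_pattern` over the daemon's file types) would let an administrative domain inspect or clean up the RAS database; without it that needs an out-of-tree rule. The one-line `<summary>` itself is the expected form for a module that declares no interfaces.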
>> Index: refpolicy-2.20220217/policy/modules/services/rasdaemon.te
>> ===================================================================
>> --- /dev/null
>> +++ refpolicy-2.20220217/policy/modules/services/rasdaemon.te
>> @@ -0,0 +1,47 @@
>> +policy_module(rasdaemon, 1.0.0)
>> +
>> +# rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
>> +# tool. It currently records memory errors, using the EDAC tracing events.
>> +# EDAC are drivers in the Linux kernel that handle detection of ECC errors
>> +# from memory controllers for most chipsets on x86 and ARM architectures.
>> +#
>> +# https://git.infradead.org/users/mchehab/rasdaemon.git
>
>This can get wrapped in xml <summary> and <desc> tags so it gets put in
>docs.
>
>> +
>> +########################################
>> +#
>> +# Declarations
>> +#
>> +
>> +type rasdaemon_t;
>> +type rasdaemon_exec_t;
>> +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
>> +
>> +type rasdaemon_var_t;
>> +files_type(rasdaemon_var_t)
>> +
>> +########################################
>> +#
>> +# Local policy
>> +#
>> +
>> +allow rasdaemon_t self:unix_dgram_socket create_socket_perms;
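Review bot: `rasdaemon_var_t` labels `/var/lib/rasdaemon`, so the convention for types under /var/lib applies: declare it as `rasdaemon_var_lib_t` (still with `files_type()`) and use the same name in rasdaemon.fc and in the allow rules further down. A bare `_var_t` suffix does not say which part of /var the type lives in and is not how the other service modules name their state directories.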
>
>This is redundant, implied by logging_send_syslog_message()
>
>> +
>> +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
>> +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
>> +
>> +kernel_read_debugfs(rasdaemon_t)
>> +kernel_read_system_state(rasdaemon_t)
>> +kernel_read_vm_overcommit_sysctl(rasdaemon_t)
>> +kernel_search_fs_sysctls(rasdaemon_t)
>> +
>> +dev_list_sysfs(rasdaemon_t)
>> +dev_read_urand(rasdaemon_t)
>> +
>> +files_read_etc_symlinks(rasdaemon_t)
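Review bot: the two direct allow rules on `rasdaemon_var_t` should be written with the pattern macros, `manage_dirs_pattern(rasdaemon_t, rasdaemon_var_t, rasdaemon_var_t)` and `manage_files_pattern(rasdaemon_t, rasdaemon_var_t, rasdaemon_var_t)`, which is how refpolicy modules express access to their own file types. If the daemon creates `/var/lib/rasdaemon` itself on first start rather than the package shipping it, add `files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_t, dir)` so the directory is created with the private label instead of inheriting `var_lib_t`; the `files_search_var_lib()` call this patch already makes covers the lookup of the parent.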
>
>This is redundant (implied by miscfiles_read_localization)
>
>> +files_search_var_lib(rasdaemon_t)
>> +fs_write_tracefs_files(rasdaemon_t)
>> +fs_create_tracefs_dirs(rasdaemon_t)
>> +
>> +logging_send_syslog_msg(rasdaemon_t)
>> +miscfiles_read_localization(rasdaemon_t)
>> +
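Review bot: the last added line of this hunk is empty, leaving rasdaemon.te with a trailing blank line; remove it. `fs_write_tracefs_files()` and `fs_create_tracefs_dirs()` are the two interfaces this same patch introduces in filesystem.if, so any rename there (the first grants read/write rather than write-only access) has to be mirrored here or the module will not build. `kernel_read_vm_overcommit_sysctl()` is an unusual requirement for a logging daemon; a short comment saying which component of rasdaemon triggers the access (an AVC denial seen during testing, for example) would save the next reviewer from asking.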
>
--
Sent from my Huawei Mate 9 with K-9 Mail.
Thread overview: 3+ messages
2022-02-17 14:46 [PATCH] rasdaemon V2 Russell Coker
2022-02-17 14:54 ` Daniel Burgener
2022-02-17 15:13 ` Russell Coker [this message]