From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id BF53813800E for ; Wed, 8 Aug 2012 19:38:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3C7DAE086E; Wed, 8 Aug 2012 19:37:58 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id DE156E086E for ; Wed, 8 Aug 2012 19:37:57 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id F15471B4033 for ; Wed, 8 Aug 2012 19:37:56 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id A6025E5441 for ; Wed, 8 Aug 2012 19:37:53 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1344451896.112743ef475b5b5c02018c19ecd0a879faf12f50.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/mcelog.fc policy/modules/contrib/mcelog.te policy/modules/kernel/corecommands.fc X-VCS-Directories: policy/modules/contrib/ policy/modules/kernel/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 112743ef475b5b5c02018c19ecd0a879faf12f50 X-VCS-Branch: master Date: Wed, 8 Aug 2012 19:37:53 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 4bb0e2fb-a7b3-4db8-8152-03ef6db84c15 X-Archives-Hash: d58bdd3d2087517adbd17ea0a9724f40 commit: 112743ef475b5b5c02018c19ecd0a879faf12f50 Author: Sven Vermeulen siphos be> AuthorDate: Wed Aug 8 18:51:36 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Wed Aug 8 18:51:36 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=112743ef Backport mcelog changes, from refpolicy, thanks to Guido Trantalancia --- policy/modules/contrib/mcelog.fc | 12 ++++ policy/modules/contrib/mcelog.te | 111 +++++++++++++++++++++++++++++++- policy/modules/kernel/corecommands.fc | 7 ++- 3 files changed, 125 insertions(+), 5 deletions(-) diff --git a/policy/modules/contrib/mcelog.fc b/policy/modules/contrib/mcelog.fc index 56c43c0..e5c1a63 100644 --- a/policy/modules/contrib/mcelog.fc +++ b/policy/modules/contrib/mcelog.fc 
@@ -1 +1,13 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
+')
+
+/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
 /usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 5671977..6e44f91 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,14 +1,70 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)
 
 ########################################
 #
 # Declarations
 #
 
+##
+##
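Review bot: On distro_redhat the `/etc/mcelog/triggers -d` entry labels the triggers directory mcelog_etc_t, while corecommands.fc in this same commit labels `/etc/mcelog/triggers(/.*)?` bin_t, so the directory itself matches two specifications from two modules; which one wins depends on file_contexts precedence, which I cannot confirm from the diff alone, so it is worth checking on a built policy (matchpathcon) and recording the intended outcome, e.g. `# the directory is mcelog_etc_t (read-only for mcelog_t); the trigger files inside are bin_t, see corecommands.fc`. Separately, `/var/log/mcelog.*` matches any entry whose name merely begins with mcelog, not only the log and its rotated copies; `/var/log/mcelog(\.[^/]*)?` would be tighter if that is the intent.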

+## Allow mcelog to run in client mode.
+## Required to run mcelog in client
+## mode.
+##

+##
+gen_tunable(mcelog_client, false)
+
+##
+##

+## Allow mcelog to execute scripts.
+## Required to execute optional triggers
+## and/or local scripts.
+##

+##
+gen_tunable(mcelog_exec_scripts, true)
+
+##
+##

+## Allow mcelog to use all the user ttys.
+## Required in foreground mode and to
+## print out usage and version information.
+##

+##
+gen_tunable(mcelog_foreground, true)
+
+##
+##

+## Allow mcelog to run a server.
+## Required to enable the optional configurable
+## Unix stream socket server functionality.
+##

+##
+gen_tunable(mcelog_server, false)
+
+##
+##

+## Allow mcelog to use syslog.
+## Required to use the configurable
+## syslog option.
+##

+##
+gen_tunable(mcelog_syslog, true)
+
 type mcelog_t;
 type mcelog_exec_t;
-application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
 
 ########################################
 #
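Review bot: `mcelog_exec_scripts` defaults to true, but its description ("Allow mcelog to execute scripts") does not say that the scripts run inside mcelog_t itself: the local-policy hunk below grants `corecmd_exec_bin`/`corecmd_exec_shell` with no domain transition, so every trigger inherits mcelog_t's `sys_admin` capability and raw-memory read access. The description should state this so an administrator can weigh the boolean; e.g. add `## Scripts execute in the mcelog_t domain with all of its privileges.` to the paragraph above `gen_tunable(mcelog_exec_scripts, true)`. Whether a false default, matching mcelog_client and mcelog_server, is the better baseline for hardened-refpolicy is a decision I cannot make from the diff, but it deserves a sentence in the description either way.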
@@ -16,17 +72,64 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
 #
 
 allow mcelog_t self:capability sys_admin;
+allow mcelog_t self:unix_stream_socket connected_socket_perms;
+allow mcelog_t mcelog_etc_t:dir list_dir_perms;
+
+read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
+
+# manage a logfile in a generic or private log directory
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
 
 kernel_read_system_state(mcelog_t)
 
 dev_read_raw_memory(mcelog_t)
 dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
 
 files_read_etc_files(mcelog_t)
 
 # for /dev/mem access
 mls_file_read_all_levels(mcelog_t)
 
-logging_send_syslog_msg(mcelog_t)
+locallogin_use_fds(mcelog_t)
 
 miscfiles_read_localization(mcelog_t)
+
+# needed in client-mode
+tunable_policy(`mcelog_client',`
+ allow mcelog_t self:unix_stream_socket connectto;
+')
+
+# required for executing optional triggers and scripts
+tunable_policy(`mcelog_exec_scripts',`
+ allow mcelog_t self:fifo_file { read getattr write };
+ corecmd_exec_bin(mcelog_t)
+ corecmd_exec_shell(mcelog_t)
+')
+
+# required for optional foreground mode and
+# console output
+tunable_policy(`mcelog_foreground',`
+ userdom_use_user_terminals(mcelog_t)
+')
+
+# required for the optional server functionality
+tunable_policy(`mcelog_server',`
+ allow mcelog_t self:unix_stream_socket { listen accept };
+')
+
+# use syslog functionality (optional, configurable)
+tunable_policy(`mcelog_syslog',`
+ logging_send_syslog_msg(mcelog_t)
+')
+
+# optional support for running it as a cron job
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
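Review bot: The `mcelog_exec_scripts` block lets mcelog_t execute any bin_t or shell program in its own domain, and the only thing keeping that from being a self-escalation path is that this hunk gives mcelog_t just `read_files_pattern` on mcelog_etc_t and no write access to the trigger scripts, an invariant the file does not record. A comment above the block would preserve it, e.g. `# scripts run in mcelog_t; keep mcelog_t's access to /etc/mcelog read-only so the daemon cannot install or alter its own triggers`. `dev_rw_sysfs(mcelog_t)` is, if I read the interface right, read/write on sysfs_t files generally; if mcelog only writes the machinecheck trigger attribute, a comment naming that path would let a later reviewer narrow it once a finer sysfs type exists. The fifo rule could also use the standard `rw_fifo_file_perms` set if its extra append/ioctl/lock permissions are acceptable.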
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index f212f4a..defaa6d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,8 +72,13 @@ ifdef(`distro_redhat',`
 /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_redhat',`
 /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
 /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
 
 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
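Review bot: `/etc/mcelog/.*-error-trigger` and `/etc/mcelog/.*\.local` use `.*`, which also matches `/`, so the bin_t label reaches any depth below /etc/mcelog rather than only the top-level trigger files; `/etc/mcelog/[^/]*-error-trigger` and `/etc/mcelog/[^/]*\.local` restrict it to one level if that is the intent. These paths sit inside `/etc/mcelog(/.*)?`, which mcelog.fc labels mcelog_etc_t in the same commit, so the executable label depends on the more specific entry winning and deserves a comment next to the two lines, e.g. `# mcelog trigger scripts are executables (bin_t); the rest of /etc/mcelog is mcelog_etc_t, see mcelog.fc`.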