diff options
| author |   Russell Coker <russell@coker.com.au> | 2023-09-22 00:22:36 +1000 |
|---|---|---|
| committer |   Kenton Groombridge <concord@gentoo.org> | 2023-10-06 11:27:06 -0400 |
| commit | 345902025b3c03467a48c8b1474cbd3b3bc085cf (patch) | |
| tree | 8f1efde2ee1784251ff8befe09a49c83042b0ab6 /policy | |
| parent | debian motd.d directory (#689) (diff) | |
| download | hardened-refpolicy-345902025b3c03467a48c8b1474cbd3b3bc085cf.tar.gz hardened-refpolicy-345902025b3c03467a48c8b1474cbd3b3bc085cf.tar.bz2 hardened-refpolicy-345902025b3c03467a48c8b1474cbd3b3bc085cf.zip | |
policy for the Reliability Availability servicability daemon (#690)
* policy for the Reliability Availability servicability daemon
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy')
| -rw-r--r-- | policy/modules/kernel/filesystem.if | 37 | ||||
| -rw-r--r-- | policy/modules/services/rasdaemon.fc | 3 | ||||
| -rw-r--r-- | policy/modules/services/rasdaemon.if | 10 | ||||
| -rw-r--r-- | policy/modules/services/rasdaemon.te | 41 |
4 files changed, 91 insertions, 0 deletions
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 5cdbc564..5213df5b 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -6156,6 +6156,43 @@ interface(`fs_getattr_tracefs_files',` ######################################## ## <summary> +## Read/write trace filesystem files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_tracefs_files',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir list_dir_perms; + allow $1 tracefs_t:file rw_file_perms; +') + +######################################## +## <summary> +## create trace filesystem directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_create_tracefs_dirs',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir { create rw_dir_perms }; +') + +######################################## +## <summary> ## Mount a XENFS filesystem. ## </summary> ## <param name="domain"> diff --git a/policy/modules/services/rasdaemon.fc b/policy/modules/services/rasdaemon.fc new file mode 100644 index 00000000..9a83feb4 --- /dev/null +++ b/policy/modules/services/rasdaemon.fc @@ -0,0 +1,3 @@ +/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0) + diff --git a/policy/modules/services/rasdaemon.if b/policy/modules/services/rasdaemon.if new file mode 100644 index 00000000..9509b026 --- /dev/null +++ b/policy/modules/services/rasdaemon.if @@ -0,0 +1,10 @@ +## <summary>RAS (Reliability, Availability and Serviceability) logging tool</summary> +## +## <desc> +## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging +## tool. It currently records memory errors, using the EDAC tracing events. +## EDAC are drivers in the Linux kernel that handle detection of ECC errors +## from memory controllers for most chipsets on x86 and ARM architectures. +## +## https://git.infradead.org/users/mchehab/rasdaemon.git +## </desc> diff --git a/policy/modules/services/rasdaemon.te b/policy/modules/services/rasdaemon.te new file mode 100644 index 00000000..9a65d5d7 --- /dev/null +++ b/policy/modules/services/rasdaemon.te @@ -0,0 +1,41 @@ +policy_module(rasdaemon) + +######################################## +# +# Declarations +# + +type rasdaemon_t; +type rasdaemon_exec_t; +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) + +type rasdaemon_var_t; +files_type(rasdaemon_var_t) + +######################################## +# +# Local policy +# + +allow rasdaemon_t self:process getsched; +allow rasdaemon_t self:capability sys_rawio; + +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms; +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms; + +kernel_read_debugfs(rasdaemon_t) +kernel_read_system_state(rasdaemon_t) +kernel_read_vm_overcommit_sysctl(rasdaemon_t) +kernel_search_fs_sysctls(rasdaemon_t) + +dev_read_sysfs(rasdaemon_t) +dev_read_urand(rasdaemon_t) +dev_rw_cpu_microcode(rasdaemon_t) + +files_search_var_lib(rasdaemon_t) +fs_create_tracefs_dirs(rasdaemon_t) +fs_rw_tracefs_files(rasdaemon_t) + +logging_send_syslog_msg(rasdaemon_t) +miscfiles_read_localization(rasdaemon_t) + |