mcelog policy from Dan Walsh

Me: Removed permissive line, and fixed a couple style issues
2010-03-12 15:54:29 -05:00 · 2010-03-12 15:54:29 -05:00 · 1484157201
parent f7d413af27
commit 1484157201
3 changed files with 52 additions and 0 deletions
--- a/policy/modules/admin/mcelog.fc
+++ b/policy/modules/admin/mcelog.fc
@ -0,0 +1 @@
+/usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
--- a/policy/modules/admin/mcelog.if
+++ b/policy/modules/admin/mcelog.if
@ -0,0 +1,21 @@
+
+## <summary>policy for mcelog</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run mcelog.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`mcelog_domtrans',`
+	gen_require(`
+		type mcelog_t, mcelog_exec_t;
+	')
+
+	domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
+
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@ -0,0 +1,30 @@
+
+policy_module(mcelog,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcelog_t;
+type mcelog_exec_t;
+application_domain(mcelog_t, mcelog_exec_t)
+cron_system_entry(mcelog_t, mcelog_exec_t)
+
+########################################
+#
+# mcelog local policy
+#
+
+allow mcelog_t self:capability sys_admin;
+
+kernel_read_system_state(mcelog_t)
+
+dev_read_raw_memory(mcelog_t)
+dev_read_kmsg(mcelog_t)
+
+files_read_etc_files(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
+
+miscfiles_read_localization(mcelog_t)
				`@ -0,0 +1 @@`
				`/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)`