2010-04-28 10:00:14

by domg472

Subject: [refpolicy] [ cgroups revisited 2/4] Now implement libcgroup policy.

This is a set of scripts that automate cgroup management.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 5a34915... 3b65a38... M policy/modules/kernel/filesystem.if
:000000 100644 0000000... dd006ff... A policy/modules/services/cgroup.fc
:000000 100644 0000000... abcab97... A policy/modules/services/cgroup.if
:000000 100644 0000000... 67facee... A policy/modules/services/cgroup.te
policy/modules/kernel/filesystem.if | 19 +++++
policy/modules/services/cgroup.fc | 11 +++
policy/modules/services/cgroup.if | 126 +++++++++++++++++++++++++++++++++++
policy/modules/services/cgroup.te | 111 ++++++++++++++++++++++++++++++
4 files changed, 267 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5a34915..3b65a38 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -633,6 +633,25 @@ interface(`fs_getattr_cgroupfs', `

########################################
## <summary>
+## Delete dirs on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_cgroupfs_dirs', `
+ gen_require(`
+ type cgroupfs_t;
+ ')
+
+ delete_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
+')
+
+########################################
+## <summary>
## list dirs on cgroup
## file systems.
## </summary>
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
new file mode 100644
index 0000000..dd006ff
--- /dev/null
+++ b/policy/modules/services/cgroup.fc
@@ -0,0 +1,11 @@
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
+
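Review bot: The new cgroup.fc ends with an empty line (the last added line of this hunk), and the new cgroup.te opens with one (its first added line); refpolicy file contexts and type enforcement files in this tree start and end on content, so both blank lines should be dropped. The `/var/run/cgred.*` entry also carries no object-class specifier, so it matches anything whose name begins with `cgred` under /var/run, including regular files; if only the socket is intended, `/var/run/cgred\.socket -s` (or whatever name the daemon actually creates — confirm) would be tighter, and the `files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)` rule in cgroup.te already covers the runtime label.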
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
new file mode 100644
index 0000000..abcab97
--- /dev/null
+++ b/policy/modules/services/cgroup.if
@@ -0,0 +1,126 @@
+## <summary>Control group rules engine daemon.</summary>
+## <desc>
+## <p>
+## cgrulesengd is a daemon, which distributes processes
+## to control groups. When any process changes its
+## effective UID or GID, cgred inspects list of
+## rules loaded from cgrules.conf file and moves the
+## process to the appropriate control group.
+## </p>
+## <p>
+## The list of rules is read during the daemon startup and
+## are cached in daemons memory. The daemon reloads the
+## list of rules when it receives SIGUSR2 signal.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Delete cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_delete_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ cgroup_search_cgroup_dirs($1)
+')
+
+########################################
+## <summary>
+## List cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_list_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_manage_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_rw_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Search cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_search_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write cgred sock file in /var/run.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_stream_connect', `
+ gen_require(`
+ type cgred_var_run_t, cgred_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+')
+
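Review bot: `cgroup_delete_cgroup_dirs` calls `cgroup_search_cgroup_dirs($1)` after `delete_dirs_pattern($1, cgroup_t, cgroup_t)`, but delete_dirs_pattern already grants search on its second argument, so the extra call is redundant and can be removed. The summary of `cgroup_stream_connect` says "Read and write cgred sock file in /var/run", which understates what the interface grants — it permits a connect to the cgred_t daemon via its socket — so the summary should read `## Connect to cgred over a unix stream socket.`. The module-level summary on the first line, "Control group rules engine daemon", only describes cgred, while the module also confines cgclear and cgconfigparser; `## <summary>Control group (libcgroup) tools: cgclear, cgconfigparser and the cgred daemon.</summary>` would match the declarations in cgroup.te.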
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
new file mode 100644
index 0000000..67facee
--- /dev/null
+++ b/policy/modules/services/cgroup.te
@@ -0,0 +1,111 @@
+
+policy_module(cgroup, 1.0.0)
+
+########################################
+#
+# cgroup global declarations.
+#
+
+type cgroup_t;
+files_mountpoint(cgroup_t)
+
+########################################
+#
+# cgclear personal declarations.
+#
+
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
+########################################
+#
+# cgconfig personal declarations.
+#
+
+type cgconfigparser_t;
+type cgconfigparser_exec_t;
+init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+########################################
+#
+# cgred personal declarations.
+#
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+########################################
+#
+# cgclear personal policy.
+#
+
+kernel_read_system_state(cgclear_t)
+
+fs_delete_cgroupfs_dirs(cgclear_t)
+fs_list_cgroupfs_dirs(cgclear_t)
+fs_rw_cgroupfs_files(cgclear_t)
+fs_unmount_cgroupfs(cgclear_t)
+
+cgroup_delete_cgroup_dirs(cgclear_t)
+
+########################################
+#
+# cgconfig personal policy.
+#
+
+manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
+manage_files_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
+allow cgconfigparser_t cgroup_t:dir mounton;
+
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
+
+files_read_etc_files(cgconfigparser_t)
+
+fs_manage_cgroupfs_dirs(cgconfigparser_t)
+fs_mount_cgroupfs(cgconfigparser_t)
+fs_rw_cgroupfs_files(cgconfigparser_t)
+fs_setattr_cgroupfs_files(cgconfigparser_t)
+
+########################################
+#
+# cgred personal policy.
+#
+
+allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+
+files_read_etc_files(cgred_t)
+
+files_search_all(cgred_t)
+files_getattr_all_files(cgred_t)
+files_getattr_all_dirs(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_getattr_all_pipes(cgred_t)
+files_read_all_symlinks(cgred_t)
+
+fs_write_cgroupfs_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
+
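Review bot: The cgred_t block grants `sys_ptrace` and `dac_override` capabilities plus `domain_read_all_domains_state`, `files_search_all`, `files_getattr_all_*` and `files_read_all_symlinks` with no comment on why a rule-dispatching daemon needs to inspect every domain's /proc state and stat every object on the system; these are among the broadest grants in the policy and reviewers will want the reason recorded next to them, e.g. `# cgred walks /proc/<pid> of every process to read its uid/gid and move it; sys_ptrace is needed for /proc/<pid> of other users — confirm whether dac_override is actually hit`. If any of these turn out to be unneeded in testing (dac_override in particular looks speculative), they should be dropped or replaced with a dontaudit. Separately, `cgroup_delete_cgroup_dirs(cgclear_t)` calls the module's own interface from inside cgroup.te, whereas the cgconfigparser block writes `manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t)` directly; refpolicy convention is to use direct rules on the module's own types within the .te, so the cgclear rule should be `delete_dirs_pattern(cgclear_t, cgroup_t, cgroup_t)` for consistency.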
--
1.7.0.1
