2010-06-07 18:10:02

by domg472

Subject: [refpolicy] [patch v2 0/1] Revisiting cgroups.


Here's another shot at cgroups.

Revisiting existing cgroup policy:
- Move cgroup_t declarations from kernel.te to filesystem.te
- Redo cgroup interfaces in filesystem.if
- Add file context specification for /cgroup mountpoint to filesystem.fc

Implementing libcgroup policy:
- Libcg automates cgroup management.

How libcg init scripts interact with cgroup:
- The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.

How users interact with cgroup:
- All login users can list cgroup.
- Common users can read and write cgroup files (access governed by DAC).

policy/modules/kernel/filesystem.fc | 2 +
policy/modules/kernel/filesystem.if | 150 +++++++++++++++++++++++++----------
policy/modules/kernel/filesystem.te | 6 ++
policy/modules/kernel/kernel.te | 9 --
policy/modules/services/cgroup.fc | 10 +++
policy/modules/services/cgroup.if | 149 ++++++++++++++++++++++++++++++++++
policy/modules/services/cgroup.te | 86 ++++++++++++++++++++
policy/modules/system/init.te | 7 ++
policy/modules/system/userdomain.if | 4 +
9 files changed, 372 insertions(+), 51 deletions(-)


2010-06-08 13:32:18

by cpebenito

Subject: [refpolicy] [patch v2 0/1] Revisiting cgroups.

On Mon, 2010-06-07 at 20:10 +0200, Dominick Grift wrote:
> Here's another shot at cgroups.
>
> Revisiting existing cgroup policy:
> - Move cgroup_t declarations from kernel.te to filesystem.te
> - Redo cgroup interfaces in filesystem.if
> - Add file context specification for /cgroup mountpoint to filesystem.fc
>
> Implementing libcgroup policy:
> - Libcg automates cgroup management.
>
> How libcg init scripts interact with cgroup:
> - The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.
>
> How users interact with cgroup:
> - All login users can list cgroup.
> - Common users can read and write cgroup files (access governed by DAC).

This set is merged. I did some rearrangement and renamed cgconfigparser
types to just cgconfig.


> policy/modules/kernel/filesystem.fc | 2 +
> policy/modules/kernel/filesystem.if | 150 +++++++++++++++++++++++++----------
> policy/modules/kernel/filesystem.te | 6 ++
> policy/modules/kernel/kernel.te | 9 --
> policy/modules/services/cgroup.fc | 10 +++
> policy/modules/services/cgroup.if | 149 ++++++++++++++++++++++++++++++++++
> policy/modules/services/cgroup.te | 86 ++++++++++++++++++++
> policy/modules/system/init.te | 7 ++
> policy/modules/system/userdomain.if | 4 +
> 9 files changed, 372 insertions(+), 51 deletions(-)

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com