2010-06-07 18:17:14

by domg472

Subject: [refpolicy] [ patch v2 1/4] cgroup in filesystem.

Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 b029773... 9306de6... M policy/modules/kernel/filesystem.fc
:100644 100644 a2c146b... 4052ab9... M policy/modules/kernel/filesystem.if
:100644 100644 774e0a1... cb889c3... M policy/modules/kernel/filesystem.te
:100644 100644 78fb6b2... 5b6c8b9... M policy/modules/kernel/kernel.te
policy/modules/kernel/filesystem.fc | 2 +
policy/modules/kernel/filesystem.if | 150 +++++++++++++++++++++++++----------
policy/modules/kernel/filesystem.te | 6 ++
policy/modules/kernel/kernel.te | 9 --
4 files changed, 116 insertions(+), 51 deletions(-)

diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index b029773..9306de6 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1 +1,3 @@
/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+
+/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a2c146b..4052ab9 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -559,7 +559,25 @@ interface(`fs_register_binary_executable_type',`

########################################
## <summary>
-## Mount a cgroup filesystem.
+## Get attributes of cgroup filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Mount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -577,8 +595,25 @@ interface(`fs_mount_cgroup', `

########################################
## <summary>
-## Remount a cgroup filesystem This allows
-## some mount options to be changed.
+## Mount on cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Remount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -596,7 +631,7 @@ interface(`fs_remount_cgroup', `

########################################
## <summary>
-## Unmount a cgroup file system.
+## Unmount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -614,65 +649,62 @@ interface(`fs_unmount_cgroup', `

########################################
## <summary>
-## Get the attributes of a cgroup filesystem.
+## Delete cgroup directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`fs_getattr_cgroup',`
+interface(`fs_delete_cgroup_dirs', `
gen_require(`
- type cifs_t;
+ type cgroup_t;
')

- allow $1 cifs_t:filesystem getattr;
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
-## list dirs on cgroup
-## file systems.
+## list cgroup directories.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`fs_list_cgroup_dirs', `
- gen_require(`
- type cgroup_t;
-
- ')
+ gen_require(`
+ type cgroup_t;
+ ')

- list_dirs_pattern($1, cgroup_t, cgroup_t)
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## Manage cgroup directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fs_dontaudit_list_cifs_dirs',`
+interface(`fs_manage_cgroup_dirs',`
gen_require(`
- type cifs_t;
+ type cgroup_t;
+
')

- dontaudit $1 cifs_t:dir list_dir_perms;
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
-## Manage dirs on cgroup file systems.
+## Search cgroup directories.
## </summary>
## <param name="domain">
## <summary>
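Review bot: The new `fs_manage_cgroup_dirs` keeps an empty line between `type cgroup_t;` and the closing `')` of its `gen_require` block, although this same hunk removes exactly that blank line from `fs_list_cgroup_dirs`. The stray line is also still present in `fs_search_cgroup_dirs`, `fs_manage_cgroup_files` and `fs_rw_cgroup_files` in the following hunks. Dropping it everywhere, and capitalising the one lower-case summary to `## List cgroup directories.`, would make the redone cgroup interfaces uniform. This hunk ends inside the documentation header of `fs_search_cgroup_dirs`, whose body is in the next hunk.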
@@ -680,19 +712,18 @@ interface(`fs_dontaudit_list_cifs_dirs',`
## </summary>
## </param>
#
-interface(`fs_manage_cgroup_dirs',`
+interface(`fs_search_cgroup_dirs',`
gen_require(`
type cgroup_t;

')

- manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
-## Set attributes of files on cgroup
-## file systems.
+## Manage cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -700,19 +731,18 @@ interface(`fs_manage_cgroup_dirs',`
## </summary>
## </param>
#
-interface(`fs_setattr_cgroup_files',`
+interface(`fs_manage_cgroup_files',`
gen_require(`
type cgroup_t;

')

- setattr_files_pattern($1, cgroup_t, cgroup_t)
+ manage_files_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
-## Read files on cgroup
-## file systems.
+## Read cgroup files.
## </summary>
## <param name="domain">
## <summary>
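Review bot: Replacing `fs_setattr_cgroup_files` with `fs_manage_cgroup_files` leaves no setattr-only interface for cgroup files in any hunk of this patch. A domain that only needs to change attributes would then have to call the manage interface, and `manage_files_pattern` presumably also grants create, write and unlink on cgroup control files. Unless the rest of the series removes every caller of the old interface, consider keeping it alongside the new one with its original body `setattr_files_pattern($1, cgroup_t, cgroup_t)`. The documentation header that closes this hunk belongs to `fs_read_cgroup_files`, whose body lies outside it.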
@@ -731,8 +761,7 @@ interface(`fs_read_cgroup_files',`

########################################
## <summary>
-## Write files on cgroup
-## file systems.
+## Read and write cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -740,19 +769,18 @@ interface(`fs_read_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_write_cgroup_files', `
+interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;

')

- write_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
-## Read and write files on cgroup
-## file systems.
+## Write cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -760,13 +788,51 @@ interface(`fs_write_cgroup_files', `
## </summary>
## </param>
#
-interface(`fs_rw_cgroup_files',`
+interface(`fs_write_cgroup_files', `
gen_require(`
type cgroup_t;
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
+')

+########################################
+## <summary>
+## Do not audit attempts to open,
+## get attributes, read and write
+## cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
')

- rw_files_pattern($1, cgroup_t, cgroup_t)
+ dontaudit $1 cgroup_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
')

########################################
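Review bot: `fs_dontaudit_rw_cgroup_files` suppresses audit records for every permission in `rw_file_perms`, which is likely wider than the "open, get attributes, read and write" its summary lists. In refpolicy that set also carries append, ioctl and lock, as far as I recall; confirm against obj_perm_sets.spt. Because the rule hides denied writes to cgroup control files from the audit log, the summary should state the full scope, for example `## Do not audit attempts to read and write cgroup files (all of rw_file_perms).`, so callers use it only where the denial is known noise. Separately, `fs_dontaudit_list_cifs_dirs` is re-added here in the middle of the cgroup interfaces and would read better next to the other CIFS interfaces.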
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 774e0a1..cb889c3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -68,6 +68,12 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)

+type cgroup_t;
+fs_type(cgroup_t)
+files_type(cgroup_t)
+files_mountpoint(cgroup_t)
+genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
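Review bot: `files_type(cgroup_t)` looks redundant in the new `cgroup_t` declaration. The `capifs_t` declaration in the context lines just above uses only `fs_type` and `files_mountpoint`, and `files_mountpoint` in refpolicy already applies `files_type` to its argument, as far as I recall. Either way `cgroup_t` becomes a member of the file type attribute, so interfaces that grant access to all file types will also reach cgroup control files. If that is intended, a comment such as `# cgroup_t also labels the /cgroup mountpoint directory, hence files_mountpoint` would record why; otherwise drop the extra `files_type` line to match the neighbouring declarations.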
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 78fb6b2..5b6c8b9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -46,15 +46,6 @@ role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)

#
-# cgroup fs
-#
-
-type cgroup_t;
-fs_type(cgroup_t)
-allow cgroup_t self:filesystem associate;
-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
-#
# DebugFS
#

--
1.7.0.1
