2010-06-07 18:27:41

by domg472

Subject: [refpolicy] [ patch v2 4/4] How users interact with cgroup.

All login users can list cgroup.
Common users can read and write cgroup files (access governed by DAC).

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 990063c... 42d4e8d... M policy/modules/system/userdomain.if
policy/modules/system/userdomain.if | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 990063c..42d4e8d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -542,6 +542,8 @@ template(`userdom_common_user_template',`
# Stat lost+found.
files_getattr_lost_found_dirs($1_t)

+ fs_rw_cgroup_files($1_t)
+
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
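
Review bot: the added fs_rw_cgroup_files($1_t) call in userdom_common_user_template carries no comment, unlike the "# Stat lost+found." line just above it, and it grants read and write on cgroup files to every domain built from this template. Since the commit message says access is governed by DAC, a one-line comment to that effect above the call would record that the type-enforcement rule is intentionally broad and that file ownership and mode are the only remaining control. It is also worth stating in the commit message why write access, and not only read, is needed for all common users, or whether it could be limited to the domains that actually manage cgroups.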
@@ -753,8 +755,10 @@ template(`userdom_login_user_template', `
fs_getattr_all_fs($1_t)
fs_getattr_all_dirs($1_t)
fs_search_auto_mountpoints($1_t)
+ fs_list_cgroup_dirs($1_t)
fs_list_inotifyfs($1_t)
fs_rw_anon_inodefs_files($1_t)
+ fs_dontaudit_rw_cgroup_files($1_t)

auth_dontaudit_write_login_records($1_t)

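Review bot: fs_dontaudit_rw_cgroup_files($1_t) at the end of this block in userdom_login_user_template is not mentioned in the commit message, which only says login users can list cgroup. The dontaudit means a login user domain that does not also get fs_rw_cgroup_files from the common template is denied read/write on cgroup files with no AVC record, which makes the denial hard to diagnose; for a domain that uses both templates the allow rule from the first hunk applies and the dontaudit has no effect. Suggest adding a comment saying which denials this is meant to quiet and noting the dontaudit in the commit message. Minor style point: the two added cgroup lines are split across the fs_ block; placing them together would make the intent easier to read.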
--
1.7.0.1
