2010-07-05 12:03:40

by domg472

Subject: [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability

Allow cgred to setsched all
Allow initrc (/usr/bin/cgclear) setsched all
Allow cgred sys_admin capability

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 bb3a671... 6ae88ca... M policy/modules/services/cgroup.te
:100644 100644 d9d2789... 5926603... M policy/modules/system/init.te
policy/modules/services/cgroup.te | 3 ++-
policy/modules/system/init.te | 1 +
2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index bb3a671..6ae88ca 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -53,7 +53,7 @@ fs_unmount_cgroup(cgconfig_t)
# cgred personal policy.
#

-allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };

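Review bot: the commit message does not say which operation needs sys_admin in the `+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };` line; the setsched part of the change is covered by the domain_setpriority_all_domains interface in the next hunk, so the sys_admin grant is left unexplained. sys_admin is the broadest capability in that set, so please name the syscall or denial that triggered it (in the commit message or a comment above the rule), and if it turns out to be a probe rather than a requirement, a dontaudit is the better fit.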
@@ -65,6 +65,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
kernel_read_system_state(cgred_t)

domain_read_all_domains_state(cgred_t)
+domain_setpriority_all_domains(cgred_t)

files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
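Review bot: domain_setpriority_all_domains(cgred_t) grants setsched on every domain, which matches the "setsched all" in the subject, but nothing in the hunk records why cgred needs to reschedule arbitrary processes; a one-line comment (for example, that cgred classifies processes from any domain into cgroups) would let a later reader distinguish this from an overly broad grant. Placing it next to domain_read_all_domains_state(cgred_t) is the right spot.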
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d9d2789..5926603 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -575,6 +575,7 @@ optional_policy(`

optional_policy(`
cgroup_stream_connect(initrc_t)
+ domain_setpriority_all_domains(initrc_t)
')

optional_policy(`
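Review bot: the `+ domain_setpriority_all_domains(initrc_t)` line widens initrc_t to setsched over all domains for the sake of a single binary (/usr/bin/cgclear, per the commit message), and nothing in the hunk ties the grant to that binary. Since the line sits inside the cgroup optional_policy block, add a comment stating that it is for cgclear run from the cgconfig init script, and consider whether a domain transition for cgclear into cgconfig_t would be the narrower fix; also check that the added line uses the same indentation as the cgroup_stream_connect(initrc_t) line above it, since it shows a leading space after the `+` that the context line does not.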
--
1.7.1



2010-07-06 12:21:13

by cpebenito

Subject: [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability

On 07/05/10 08:03, Dominick Grift wrote:
> Allow cgred to setsched all
> Allow initrc (/usr/bin/cgclear) setsched all
> Allow cgred sys_admin capability

Based on what I see from the cgclear man page, it seems like it should
be running in the cgconfig_t domain.

> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 bb3a671... 6ae88ca... M policy/modules/services/cgroup.te
> :100644 100644 d9d2789... 5926603... M policy/modules/system/init.te
> policy/modules/services/cgroup.te | 3 ++-
> policy/modules/system/init.te | 1 +
> 2 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
> index bb3a671..6ae88ca 100644
> --- a/policy/modules/services/cgroup.te
> +++ b/policy/modules/services/cgroup.te
> @@ -53,7 +53,7 @@ fs_unmount_cgroup(cgconfig_t)
> # cgred personal policy.
> #
>
> -allow cgred_t self:capability { net_admin sys_ptrace dac_override };
> +allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
> allow cgred_t self:netlink_socket { write bind create read };
> allow cgred_t self:unix_dgram_socket { write create connect };
>
> @@ -65,6 +65,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
> kernel_read_system_state(cgred_t)
>
> domain_read_all_domains_state(cgred_t)
> +domain_setpriority_all_domains(cgred_t)
>
> files_getattr_all_files(cgred_t)
> files_getattr_all_sockets(cgred_t)
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index d9d2789..5926603 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -575,6 +575,7 @@ optional_policy(`
>
> optional_policy(`
> cgroup_stream_connect(initrc_t)
> + domain_setpriority_all_domains(initrc_t)
> ')
>
> optional_policy(`
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-07-06 14:11:38

by domg472

Subject: [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability

On Tue, Jul 06, 2010 at 08:21:13AM -0400, Christopher J. PeBenito wrote:
> On 07/05/10 08:03, Dominick Grift wrote:
> >Allow cgred to setsched all
> >Allow initrc (/usr/bin/cgclear) setsched all
> >Allow cgred sys_admin capability
>
> Based on what I see from the cgclear man page, it seems like it
> should be running in the cgconfig_t domain.

In recent times I have confined /usr/bin/cgclear, but I later decided to undo it (it is probably in my "git log" though).

cgclear isn't such a problem to run confined, but this app can also be run by users.

A similar app is cgexec; this program basically "extends" the init script, but it can also be used by users.

Confining both cgclear and cgexec is possible, but it probably makes things more complicated than they need to be.

There are other cg apps called from the cgconfig init script as well, like cgset, cgclassify and cgcreate. These are really /usr/bin user apps.

Looking at the initrc policy, initrc has pretty much access, so I personally do not have a problem adding this as well to avoid unneeded complications.

>
> >Signed-off-by: Dominick Grift<[email protected]>
> >---
> >:100644 100644 bb3a671... 6ae88ca... M policy/modules/services/cgroup.te
> >:100644 100644 d9d2789... 5926603... M policy/modules/system/init.te
> > policy/modules/services/cgroup.te | 3 ++-
> > policy/modules/system/init.te | 1 +
> > 2 files changed, 3 insertions(+), 1 deletions(-)
> >
> >diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
> >index bb3a671..6ae88ca 100644
> >--- a/policy/modules/services/cgroup.te
> >+++ b/policy/modules/services/cgroup.te
> >@@ -53,7 +53,7 @@ fs_unmount_cgroup(cgconfig_t)
> > # cgred personal policy.
> > #
> >
> >-allow cgred_t self:capability { net_admin sys_ptrace dac_override };
> >+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
> > allow cgred_t self:netlink_socket { write bind create read };
> > allow cgred_t self:unix_dgram_socket { write create connect };
> >
> >@@ -65,6 +65,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
> > kernel_read_system_state(cgred_t)
> >
> > domain_read_all_domains_state(cgred_t)
> >+domain_setpriority_all_domains(cgred_t)
> >
> > files_getattr_all_files(cgred_t)
> > files_getattr_all_sockets(cgred_t)
> >diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> >index d9d2789..5926603 100644
> >--- a/policy/modules/system/init.te
> >+++ b/policy/modules/system/init.te
> >@@ -575,6 +575,7 @@ optional_policy(`
> >
> > optional_policy(`
> > cgroup_stream_connect(initrc_t)
> >+ domain_setpriority_all_domains(initrc_t)
> > ')
> >
> > optional_policy(`
> >
> >
> >
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

2010-07-07 12:18:56

by cpebenito

Subject: [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability

On 07/06/10 10:11, Dominick Grift wrote:
> On Tue, Jul 06, 2010 at 08:21:13AM -0400, Christopher J. PeBenito wrote:
>> On 07/05/10 08:03, Dominick Grift wrote:
>>> Allow cgred to setsched all
>>> Allow initrc (/usr/bin/cgclear) setsched all
>>> Allow cgred sys_admin capability
>>
>> Based on what I see from the cgclear man page, it seems like it
>> should be running in the cgconfig_t domain.
>
> In recent times I have confined /usr/bin/cgclear, but I later decided to undo it (it is probably in my "git log" though).
>
> cgclear isn't such a problem to run confined, but this app can also be run by users.

This seems like even more of a reason for it to run in cgconfig_t.

> A similar app is cgexec; this program basically "extends" the init script, but it can also be used by users.

But the purpose of cgconfig_t is for configuring cgroups, right?
Clearing cgroups is a configuration action too.

> Confining both cgclear and cgexec is possible, but it probably makes things more complicated than they need to be.
>
> There are other cg apps called from the cgconfig init script as well, like cgset, cgclassify and cgcreate. These are really /usr/bin user apps.
>
> Looking at the initrc policy, initrc has pretty much access, so I personally do not have a problem adding this as well to avoid unneeded complications.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com