Libcgroup moved cgclear to /sbin. Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.
Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 c17388d... 420c9d3... M policy/modules/services/cgroup.fc
:100644 100644 2d1eaf3... 66d68bc... M policy/modules/services/cgroup.if
:100644 100644 bb3a671... 121b137... M policy/modules/services/cgroup.te
:100644 100644 29f9757... d0d30e2... M policy/modules/system/init.te
policy/modules/services/cgroup.fc | 4 ++
policy/modules/services/cgroup.if | 66 +++++++++++++++++++++++++++++++++----
policy/modules/services/cgroup.te | 34 +++++++++++++++++--
policy/modules/system/init.te | 6 +--
4 files changed, 96 insertions(+), 14 deletions(-)
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
index c17388d..420c9d3 100644
--- a/policy/modules/services/cgroup.fc
+++ b/policy/modules/services/cgroup.fc
@@ -1,10 +1,14 @@
/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index 2d1eaf3..66d68bc 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
@@ -3,6 +3,26 @@
########################################
## <summary>
## Execute a domain transition to run
+## CG Clear.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgclear',`
+ gen_require(`
+ type cgclear_t, cgclear_exec_t;
+ ')
+
+ domtrans_pattern($1, cgclear_exec_t, cgclear_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
## CG config parser.
## </summary>
## <param name="domain">
@@ -36,7 +56,6 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
type cgconfig_initrc_exec_t;
')
- files_search_etc($1)
init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
')
@@ -82,6 +101,34 @@ interface(`cgroup_initrc_domtrans_cgred',`
########################################
## <summary>
+## Execute a domain transition to
+## run CG Clear and allow the
+## specified role the CG Clear
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_run_cgclear',`
+ gen_require(`
+ type cgclear_t;
+ ')
+
+ cgroup_domtrans_cgclear($1)
+ role $2 types cgclear_t;
+')
+
+########################################
+## <summary>
## Connect to CG rules engine daemon
## over unix stream sockets.
## </summary>
@@ -91,7 +138,7 @@ interface(`cgroup_initrc_domtrans_cgred',`
## </summary>
## </param>
#
-interface(`cgroup_stream_connect', `
+interface(`cgroup_stream_connect_cgred', `
gen_require(`
type cgred_var_run_t, cgred_t;
')
@@ -121,14 +168,17 @@ interface(`cgroup_admin',`
gen_require(`
type cgred_t, cgconfig_t, cgred_var_run_t;
type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
- type cgrules_etc_t;
+ type cgrules_etc_t, cgclear_t, cgclear_exec_t;
')
- allow $1 cgconfig_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, cgconfig_t, cgconfig_t)
+ allow $1 cgclear_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgclear_t)
- allow $1 cgred_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, cgred_t, cgred_t)
+ allow $1 cgconfig_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgconfig_t)
+
+ allow $1 cgred_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgred_t)
admin_pattern($1, cgconfig_etc_t)
admin_pattern($1, cgrules_etc_t)
@@ -144,4 +194,6 @@ interface(`cgroup_admin',`
cgroup_initrc_domtrans_cgred($1)
role_transition $2 cgred_initrc_exec_t system_r;
+
+ cgroup_run_cgclear($1, $2)
')
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index bb3a671..121b137 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -5,6 +5,10 @@ policy_module(cgroup, 1.0.0)
# Declarations
#
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
type cgred_t;
type cgred_exec_t;
init_daemon_domain(cgred_t, cgred_exec_t)
@@ -30,6 +34,22 @@ files_config_file(cgconfig_etc_t)
########################################
#
+# cgcreate personal policy.
+#
+
+allow cgclear_t self:capability sys_admin;
+
+kernel_read_system_state(cgclear_t)
+
+domain_setpriority_all_domains(cgclear_t)
+
+fs_delete_cgroup_dirs(cgclear_t)
+fs_list_cgroup_dirs(cgclear_t)
+fs_rw_cgroup_files(cgclear_t)
+fs_unmount_cgroup(cgclear_t)
+
+########################################
+#
# cgconfig personal policy.
#
@@ -37,38 +57,46 @@ allow cgconfig_t self:capability { chown sys_admin };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+# search will do.
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)
+# /etc/nsswitch.conf, /etc/passwd
files_read_etc_files(cgconfig_t)
fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
-fs_unmount_cgroup(cgconfig_t)
########################################
#
# cgred personal policy.
#
-allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+# not sure about sys_admin
+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
allow cgred_t cgrules_etc_t:file read_file_perms;
+# rc script creates pid file
+manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
kernel_read_system_state(cgred_t)
domain_read_all_domains_state(cgred_t)
+# not sure about this but seems likely
+domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
+
+# /etc/group
files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29f9757..d0d30e2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -338,9 +338,7 @@ files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
-fs_delete_cgroup_dirs(initrc_t)
-fs_list_cgroup_dirs(initrc_t)
-fs_rw_cgroup_files(initrc_t)
+fs_write_cgroup_files(initrc_t)
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -570,7 +568,7 @@ optional_policy(`
')
optional_policy(`
- cgroup_stream_connect(initrc_t)
+ cgroup_stream_connect_gred(initrc_t)
')
optional_policy(`
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100808/5fc25727/attachment.bin