2010-10-11 16:06:28

by domg472

Subject: [refpolicy] [ patch 1/1] cgroup: cgred and cgconfig rc scripts in F14 need to read their config files.

cgroup: remove file context specification for /sys/fs/cgroup for now.
cgroup: cgred needs listen IPC unix_stream_socket.
cgroup: cleanups.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 59bae6a... 451fd81... M policy/modules/kernel/filesystem.fc
:100644 100644 d020c93... dfed218... M policy/modules/services/cgroup.if
:100644 100644 8ca2333... f7311b6... M policy/modules/services/cgroup.te
:100644 100644 8a105fd... 42fb68a... M policy/modules/system/init.te
policy/modules/kernel/filesystem.fc | 3 +-
policy/modules/services/cgroup.if | 69 ++++++++++++++++++++++++++---------
policy/modules/services/cgroup.te | 2 +-
policy/modules/system/init.te | 2 +
4 files changed, 56 insertions(+), 20 deletions(-)

diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 59bae6a..451fd81 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -2,5 +2,4 @@
/dev/shm/.* <<none>>

/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-
-/sys/fs/cgroup(/.*)? <<none>>
+/cgroup/.* <<none>>
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index d020c93..dfed218 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
@@ -2,13 +2,12 @@

########################################
## <summary>
-## Execute a domain transition to run
-## CG Clear.
+## Execute CG clear in the cgclear domain.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`cgroup_domtrans_cgclear',`
@@ -22,13 +21,12 @@ interface(`cgroup_domtrans_cgclear',`

########################################
## <summary>
-## Execute a domain transition to run
-## CG config parser.
+## Execute CG config parser in the cgconfig domain.
## </summary>
## <param name="domain">
-## <summary>
+## <summary>
## Domain allowed to transition.
-## </summary>
+## </summary>
## </param>
#
interface(`cgroup_domtrans_cgconfig',`
@@ -61,13 +59,31 @@ interface(`cgroup_initrc_domtrans_cgconfig',`

########################################
## <summary>
-## Execute a domain transition to run
-## CG rules engine daemon.
+## Read CG config parser configuration files.
## </summary>
## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_read_cgconfig_config',`
+ gen_require(`
+ type cgconfig_etc_t;
+ ')
+
+ allow $1 cgconfig_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
## <summary>
-## Domain allowed to transition.
+## Execute CG rules engine daemon in the cgred domain.
## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
#
interface(`cgroup_domtrans_cgred',`
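Review bot: The new cgroup_read_cgconfig_config interface grants the file read with a bare `allow $1 cgconfig_etc_t:file read_file_perms;` where most refpolicy .if interfaces that expose config files use the pattern macro, `read_files_pattern($1, cgconfig_etc_t, cgconfig_etc_t)`, followed by `files_search_etc($1)`. The direct allow form is functionally equivalent here, and cgroup.te itself uses it for cgred_t, so this is a point of consistency with the rest of the interface file rather than a defect. The same applies to cgroup_read_cgred_config added in the later hunk of this file. Interface bodies in this file appear to be tab-indented; the added lines show a single space in the archive, which is presumably a mail rendering artefact worth confirming before applying.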
@@ -102,8 +118,8 @@ interface(`cgroup_initrc_domtrans_cgred',`
########################################
## <summary>
## Execute a domain transition to
-## run CG Clear and allow the
-## specified role the CG Clear
+## run CG clear and allow the
+## specified role the cgclear
## domain.
## </summary>
## <param name="domain">
@@ -130,7 +146,7 @@ interface(`cgroup_run_cgclear',`
########################################
## <summary>
## Connect to CG rules engine daemon
-## over unix stream sockets.
+## with unix stream sockets.
## </summary>
## <param name="domain">
## <summary>
@@ -138,7 +154,7 @@ interface(`cgroup_run_cgclear',`
## </summary>
## </param>
#
-interface(`cgroup_stream_connect_cgred', `
+interface(`cgroup_stream_connect_cgred',`
gen_require(`
type cgred_var_run_t, cgred_t;
')
@@ -149,6 +165,25 @@ interface(`cgroup_stream_connect_cgred', `

########################################
## <summary>
+## Read CG rules engine daemon configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_read_cgred_config',`
+ gen_require(`
+ type cgrules_etc_t;
+ ')
+
+ allow $1 cgrules_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
## All of the rules required to administrate
## an cgroup environment.
## </summary>
@@ -182,10 +217,10 @@ interface(`cgroup_admin',`

admin_pattern($1, cgconfig_etc_t)
admin_pattern($1, cgrules_etc_t)
- files_search_etc($1)
+ files_list_etc($1)

admin_pattern($1, cgred_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)

cgroup_initrc_domtrans_cgconfig($1)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 8ca2333..f7311b6 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -76,10 +76,10 @@ fs_mounton_cgroup(cgconfig_t)
allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t self:unix_stream_socket listen;

allow cgred_t cgrules_etc_t:file read_file_perms;

-# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
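Review bot: `allow cgred_t self:unix_stream_socket listen;` grants only listen, yet serving the socket that initrc_t connects to via cgroup_stream_connect_cgred also requires create, bind and accept on unix_stream_socket, none of which appear in this hunk. If those are not already granted elsewhere in cgroup.te, the daemon will still be denied at socket setup or accept time; `allow cgred_t self:unix_stream_socket create_stream_socket_perms;` would cover the full server lifecycle in one rule. The removal of the `# rc script creates pid file` comment also leaves the manage_files_pattern on cgred_var_run_t unexplained; if the intent is that cgred itself now writes the pid file, a replacement comment such as `# cgred creates its own pid file and socket` would keep that rationale with the rule.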
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8a105fd..42fb68a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -571,6 +571,8 @@ optional_policy(`
')

optional_policy(`
+ cgroup_read_cgconfig_config(initrc_t)
+ cgroup_read_cgred_config(initrc_t)
cgroup_stream_connect_cgred(initrc_t)
')
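Review bot: The two new reads of cgconfig_etc_t and cgrules_etc_t are granted to the generic initrc_t domain with no comment recording why an rc script, rather than the daemon domains, needs the daemon configuration; the rationale lives only in the patch subject. A one-line comment above the calls, `# F14 cgconfig and cgred rc scripts parse their config files before starting the daemons`, would keep that context in init.te for whoever later revisits whether initrc_t still needs it. The enclosing optional_policy block is fully visible in the hunk.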

--
1.7.2.3
