2010-04-28 09:58:33

by domg472

Subject: [refpolicy] [ cgroups revisited 1/4] First lets clean up what we currently have.

Remove the cgroup declarations from the kernel module and add a new cgroupfs
declaration in filesystems module.

Rename all cgroup interfaces in the filesystem interfaces file to reflect the cgroupfs changes.

Modify the calls to cgroup filesystem policy in the virt module.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 a2c146b... 5a34915... M policy/modules/kernel/filesystem.if
:100644 100644 0c413e2... 275a1e5... M policy/modules/kernel/filesystem.te
:100644 100644 3ef6a62... 44d2b58... M policy/modules/kernel/kernel.te
:100644 100644 a2989cd... c0f8293... M policy/modules/services/virt.te
policy/modules/kernel/filesystem.if | 107 +++++++++++++++++------------------
policy/modules/kernel/filesystem.te | 5 ++
policy/modules/kernel/kernel.te | 9 ---
policy/modules/services/virt.te | 4 +-
4 files changed, 58 insertions(+), 67 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a2c146b..5a34915 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -567,12 +567,12 @@ interface(`fs_register_binary_executable_type',`
## </summary>
## </param>
#
-interface(`fs_mount_cgroup', `
+interface(`fs_mount_cgroupfs', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
')

- allow $1 cgroup_t:filesystem mount;
+ allow $1 cgroupfs_t:filesystem mount;
')

########################################
@@ -586,12 +586,12 @@ interface(`fs_mount_cgroup', `
## </summary>
## </param>
#
-interface(`fs_remount_cgroup', `
+interface(`fs_remount_cgroupfs', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
')

- allow $1 cgroup_t:filesystem remount;
+ allow $1 cgroupfs_t:filesystem remount;
')

########################################
@@ -604,12 +604,12 @@ interface(`fs_remount_cgroup', `
## </summary>
## </param>
#
-interface(`fs_unmount_cgroup', `
+interface(`fs_unmount_cgroupfs', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
')

- allow $1 cgroup_t:filesystem unmount;
+ allow $1 cgroupfs_t:filesystem unmount;
')

########################################
@@ -623,56 +623,56 @@ interface(`fs_unmount_cgroup', `
## </param>
## <rolecap/>
#
-interface(`fs_getattr_cgroup',`
+interface(`fs_getattr_cgroupfs', `
gen_require(`
- type cifs_t;
+ type cgroupfs_t;
')

- allow $1 cifs_t:filesystem getattr;
+ allow $1 cgroupfs_t:filesystem getattr;
')

########################################
## <summary>
-## list dirs on cgroup
-## file systems.
+## list dirs on cgroup
+## file systems.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`fs_list_cgroup_dirs', `
- gen_require(`
- type cgroup_t;
-
- ')
+interface(`fs_list_cgroupfs_dirs', `
+ gen_require(`
+ type cgroupfs_t;
+ ')

- list_dirs_pattern($1, cgroup_t, cgroup_t)
+ list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
')

########################################
## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## Manage dirs on cgroup file systems.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fs_dontaudit_list_cifs_dirs',`
+interface(`fs_manage_cgroupfs_dirs', `
gen_require(`
- type cifs_t;
+ type cgroupfs_t;
+
')

- dontaudit $1 cifs_t:dir list_dir_perms;
+ manage_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
')

########################################
## <summary>
-## Manage dirs on cgroup file systems.
+## Set attributes of files on cgroup
+## file systems.
## </summary>
## <param name="domain">
## <summary>
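Review bot: The gen_require block of fs_manage_cgroupfs_dirs gains a stray blank line (the added empty `+` line after `type cgroupfs_t;`), while this same hunk strips that blank from fs_list_cgroupfs_dirs and the later hunks strip it from fs_setattr_cgroupfs_files and fs_rw_cgroupfs_files, yet fs_read_cgroupfs_files and fs_write_cgroupfs_files keep theirs as context. Since the patch is already reformatting these blocks, every one of them should read `gen_require(\`` / `type cgroupfs_t;` / `')` with no blank line. The renames keep no compatibility aliases, so any module other than virt.te that still calls the old fs_*_cgroup* names would fail to build; if such callers exist, a deprecated wrapper per old name would keep them working until they are converted. Note also that fs_getattr_cgroupfs now genuinely targets cgroupfs_t where the old fs_getattr_cgroup granted getattr on cifs_t, so a caller that happened to rely on that mislabelled permission loses it. The summary of fs_getattr_cgroupfs and the parameter block of the last interface begin and end outside this hunk.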
@@ -680,19 +680,17 @@ interface(`fs_dontaudit_list_cifs_dirs',`
## </summary>
## </param>
#
-interface(`fs_manage_cgroup_dirs',`
+interface(`fs_setattr_cgroupfs_files', `
gen_require(`
- type cgroup_t;
-
+ type cgroupfs_t;
')

- manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ setattr_files_pattern($1, cgroupfs_t, cgroupfs_t)
')

########################################
## <summary>
-## Set attributes of files on cgroup
-## file systems.
+## Read files on cgroup file systems.
## </summary>
## <param name="domain">
## <summary>
@@ -700,19 +698,18 @@ interface(`fs_manage_cgroup_dirs',`
## </summary>
## </param>
#
-interface(`fs_setattr_cgroup_files',`
+interface(`fs_read_cgroupfs_files', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;

')

- setattr_files_pattern($1, cgroup_t, cgroup_t)
+ read_files_pattern($1, cgroupfs_t, cgroupfs_t)
')

########################################
## <summary>
-## Read files on cgroup
-## file systems.
+## Write files on cgroup file systems.
## </summary>
## <param name="domain">
## <summary>
@@ -720,18 +717,18 @@ interface(`fs_setattr_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_read_cgroup_files',`
+interface(`fs_write_cgroupfs_files', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;

')

- read_files_pattern($1, cgroup_t, cgroup_t)
+ write_files_pattern($1, cgroupfs_t, cgroupfs_t)
')

########################################
## <summary>
-## Write files on cgroup
+## Read and write files on cgroup
## file systems.
## </summary>
## <param name="domain">
@@ -740,33 +737,31 @@ interface(`fs_read_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_write_cgroup_files', `
+interface(`fs_rw_cgroupfs_files', `
gen_require(`
- type cgroup_t;
-
+ type cgroupfs_t;
')

- write_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroupfs_t, cgroupfs_t)
')

########################################
## <summary>
-## Read and write files on cgroup
-## file systems.
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`fs_rw_cgroup_files',`
+interface(`fs_dontaudit_list_cifs_dirs',`
gen_require(`
- type cgroup_t;
-
+ type cifs_t;
')

- rw_files_pattern($1, cgroup_t, cgroup_t)
+ dontaudit $1 cifs_t:dir list_dir_perms;
')

########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 0c413e2..275a1e5 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -68,6 +68,11 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)

+type cgroupfs_t;
+fs_type(cgroupfs_t)
+files_type(cgroupfs_t)
+genfscon cgroup / gen_context(system_u:object_r:cgroupfs_t,s0)
+
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
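Review bot: `files_type(cgroupfs_t)` places the cgroup filesystem under the generic file_type attribute, so every interface written over that attribute (files_read_all_files() and its manage/relabel siblings) now reaches cgroup control files, which govern task placement and resource limits; the neighbouring capifs_t and configfs_t declarations use only fs_type() and, for capifs_t, files_mountpoint(). If the intent is merely to let domains use the mount point, `files_mountpoint(cgroupfs_t)` is the narrower choice; if the wider grant is deliberate, a one-line comment such as `# file_type so generic file interfaces cover cgroup control files` would record that decision. The removed kernel.te rule `allow cgroup_t self:filesystem associate;` has no explicit replacement in this declaration; presumably fs_type() supplies associate for the new type as it does for configfs_t, but that should be confirmed, since otherwise associate denials on cgroupfs_t will surface once the hierarchy is mounted.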
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3ef6a62..44d2b58 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -46,15 +46,6 @@ role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)

#
-# cgroup fs
-#
-
-type cgroup_t;
-fs_type(cgroup_t)
-allow cgroup_t self:filesystem associate;
-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
-#
# DebugFS
#

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a2989cd..c0f8293 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -265,8 +265,8 @@ fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
-fs_manage_cgroup_dirs(virtd_t)
-fs_rw_cgroup_files(virtd_t)
+fs_manage_cgroupfs_dirs(virtd_t)
+fs_rw_cgroupfs_files(virtd_t)

mcs_process_set_categories(virtd_t)

--
1.7.0.1



2010-05-13 14:36:05

by cpebenito

Subject: [refpolicy] [ cgroups revisited 1/4] First lets clean up what we currently have.

On Wed, 2010-04-28 at 05:58 -0400, Dominick Grift wrote:
> Remove the cgroup declarations from the kernel module and add a new
> cgroupfs
> declaration in filesystems module.
>
> Rename all group interfaces in filesystems interfaces file to reflect
> cgroupfs changes.
>
> Modify the calls to cgroup filesystem policy in the virt module.

Since Dan's submission of the original policy is still sitting in my
queue, I think it would be best if you and Dan worked this one out. Then
one of you can resubmit the policy.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 a2c146b... 5a34915... M
> policy/modules/kernel/filesystem.if
> :100644 100644 0c413e2... 275a1e5... M
> policy/modules/kernel/filesystem.te
> :100644 100644 3ef6a62... 44d2b58... M
> policy/modules/kernel/kernel.te
> :100644 100644 a2989cd... c0f8293... M
> policy/modules/services/virt.te
> policy/modules/kernel/filesystem.if | 107
> +++++++++++++++++------------------
> policy/modules/kernel/filesystem.te | 5 ++
> policy/modules/kernel/kernel.te | 9 ---
> policy/modules/services/virt.te | 4 +-
> 4 files changed, 58 insertions(+), 67 deletions(-)
>
> diff --git a/policy/modules/kernel/filesystem.if
> b/policy/modules/kernel/filesystem.if
> index a2c146b..5a34915 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -567,12 +567,12 @@ interface(`fs_register_binary_executable_type',`
> ## </summary>
> ## </param>
> #
> -interface(`fs_mount_cgroup', `
> +interface(`fs_mount_cgroupfs', `
> gen_require(`
> - type cgroup_t;
> + type cgroupfs_t;
> ')
>
> - allow $1 cgroup_t:filesystem mount;
> + allow $1 cgroupfs_t:filesystem mount;
> ')
>
> ########################################
> @@ -586,12 +586,12 @@ interface(`fs_mount_cgroup', `
> ## </summary>
> ## </param>
> #
> -interface(`fs_remount_cgroup', `
> +interface(`fs_remount_cgroupfs', `
> gen_require(`
> - type cgroup_t;
> + type cgroupfs_t;
> ')
>
> - allow $1 cgroup_t:filesystem remount;
> + allow $1 cgroupfs_t:filesystem remount;
> ')
>
> ########################################
> @@ -604,12 +604,12 @@ interface(`fs_remount_cgroup', `
> ## </summary>
> ## </param>
> #
> -interface(`fs_unmount_cgroup', `
> +interface(`fs_unmount_cgroupfs', `
> gen_require(`
> - type cgroup_t;
> + type cgroupfs_t;
> ')
>
> - allow $1 cgroup_t:filesystem unmount;
> + allow $1 cgroupfs_t:filesystem unmount;
> ')
>
> ########################################
> @@ -623,56 +623,56 @@ interface(`fs_unmount_cgroup', `
> ## </param>
> ## <rolecap/>
> #
> -interface(`fs_getattr_cgroup',`
> +interface(`fs_getattr_cgroupfs', `
> gen_require(`
> - type cifs_t;
> + type cgroupfs_t;
> ')
>
> - allow $1 cifs_t:filesystem getattr;
> + allow $1 cgroupfs_t:filesystem getattr;
> ')
>
> ########################################
> ## <summary>
> -## list dirs on cgroup
> -## file systems.
> +## list dirs on cgroup
> +## file systems.
> ## </summary>
> ## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> ## </param>
> #
> -interface(`fs_list_cgroup_dirs', `
> - gen_require(`
> - type cgroup_t;
> -
> - ')
> +interface(`fs_list_cgroupfs_dirs', `
> + gen_require(`
> + type cgroupfs_t;
> + ')
>
> - list_dirs_pattern($1, cgroup_t, cgroup_t)
> + list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
> ')
>
> ########################################
> ## <summary>
> -## Do not audit attempts to read
> -## dirs on a CIFS or SMB filesystem.
> +## Manage dirs on cgroup file systems.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain to not audit.
> +## Domain allowed access.
> ## </summary>
> ## </param>
> #
> -interface(`fs_dontaudit_list_cifs_dirs',`
> +interface(`fs_manage_cgroupfs_dirs', `
> gen_require(`
> - type cifs_t;
> + type cgroupfs_t;
> +
> ')
>
> - dontaudit $1 cifs_t:dir list_dir_perms;
> + manage_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
> ')
>
> ########################################
> ## <summary>
> -## Manage dirs on cgroup file systems.
> +## Set attributes of files on cgroup
> +## file systems.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -680,19 +680,17 @@ interface(`fs_dontaudit_list_cifs_dirs',`
> ## </summary>
> ## </param>
> #
> -interface(`fs_manage_cgroup_dirs',`
> +interface(`fs_setattr_cgroupfs_files', `
> gen_require(`
> - type cgroup_t;
> -
> + type cgroupfs_t;
> ')
>
> - manage_dirs_pattern($1, cgroup_t, cgroup_t)
> + setattr_files_pattern($1, cgroupfs_t, cgroupfs_t)
> ')
>
> ########################################
> ## <summary>
> -## Set attributes of files on cgroup
> -## file systems.
> +## Read files on cgroup file systems.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -700,19 +698,18 @@ interface(`fs_manage_cgroup_dirs',`
> ## </summary>
> ## </param>
> #
> -interface(`fs_setattr_cgroup_files',`
> +interface(`fs_read_cgroupfs_files', `
> gen_require(`
> - type cgroup_t;
> + type cgroupfs_t;
>
> ')
>
> - setattr_files_pattern($1, cgroup_t, cgroup_t)
> + read_files_pattern($1, cgroupfs_t, cgroupfs_t)
> ')
>
> ########################################
> ## <summary>
> -## Read files on cgroup
> -## file systems.
> +## Write files on cgroup file systems.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -720,18 +717,18 @@ interface(`fs_setattr_cgroup_files',`
> ## </summary>
> ## </param>
> #
> -interface(`fs_read_cgroup_files',`
> +interface(`fs_write_cgroupfs_files', `
> gen_require(`
> - type cgroup_t;
> + type cgroupfs_t;
>
> ')
>
> - read_files_pattern($1, cgroup_t, cgroup_t)
> + write_files_pattern($1, cgroupfs_t, cgroupfs_t)
> ')
>
> ########################################
> ## <summary>
> -## Write files on cgroup
> +## Read and write files on cgroup
> ## file systems.
> ## </summary>
> ## <param name="domain">
> @@ -740,33 +737,31 @@ interface(`fs_read_cgroup_files',`
> ## </summary>
> ## </param>
> #
> -interface(`fs_write_cgroup_files', `
> +interface(`fs_rw_cgroupfs_files', `
> gen_require(`
> - type cgroup_t;
> -
> + type cgroupfs_t;
> ')
>
> - write_files_pattern($1, cgroup_t, cgroup_t)
> + rw_files_pattern($1, cgroupfs_t, cgroupfs_t)
> ')
>
> ########################################
> ## <summary>
> -## Read and write files on cgroup
> -## file systems.
> +## Do not audit attempts to read
> +## dirs on a CIFS or SMB filesystem.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> -## Domain allowed access.
> +## Domain to not audit.
> ## </summary>
> ## </param>
> #
> -interface(`fs_rw_cgroup_files',`
> +interface(`fs_dontaudit_list_cifs_dirs',`
> gen_require(`
> - type cgroup_t;
> -
> + type cifs_t;
> ')
>
> - rw_files_pattern($1, cgroup_t, cgroup_t)
> + dontaudit $1 cifs_t:dir list_dir_perms;
> ')
>
> ########################################
> diff --git a/policy/modules/kernel/filesystem.te
> b/policy/modules/kernel/filesystem.te
> index 0c413e2..275a1e5 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -68,6 +68,11 @@ fs_type(capifs_t)
> files_mountpoint(capifs_t)
> genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
>
> +type cgroupfs_t;
> +fs_type(cgroupfs_t)
> +files_type(cgroupfs_t)
> +genfscon cgroup / gen_context(system_u:object_r:cgroupfs_t,s0)
> +
> type configfs_t;
> fs_type(configfs_t)
> genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
> diff --git a/policy/modules/kernel/kernel.te
> b/policy/modules/kernel/kernel.te
> index 3ef6a62..44d2b58 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -46,15 +46,6 @@ role system_r types kernel_t;
> sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
>
> #
> -# cgroup fs
> -#
> -
> -type cgroup_t;
> -fs_type(cgroup_t)
> -allow cgroup_t self:filesystem associate;
> -genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
> -
> -#
> # DebugFS
> #
>
> diff --git a/policy/modules/services/virt.te
> b/policy/modules/services/virt.te
> index a2989cd..c0f8293 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -265,8 +265,8 @@ fs_list_auto_mountpoints(virtd_t)
> fs_getattr_xattr_fs(virtd_t)
> fs_rw_anon_inodefs_files(virtd_t)
> fs_list_inotifyfs(virtd_t)
> -fs_manage_cgroup_dirs(virtd_t)
> -fs_rw_cgroup_files(virtd_t)
> +fs_manage_cgroupfs_dirs(virtd_t)
> +fs_rw_cgroupfs_files(virtd_t)
>
> mcs_process_set_categories(virtd_t)
>
> --
> 1.7.0.1
>
>
>
> plain text document attachment (ATT75148.txt)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-05-13 15:20:27

by Daniel Walsh

Subject: [refpolicy] [ cgroups revisited 1/4] First lets clean up what we currently have.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I will make Dominicks changes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvsGLsACgkQrlYvE4MpobNRewCZAQb73fiyKlbKApv56MYMuvWh
S7IAni4gd2D9ln+kQN8pnsPuf6ty4n4D
=aq+I
-----END PGP SIGNATURE-----

2010-05-13 18:29:54

by domg472

Subject: [refpolicy] [ cgroups revisited 1/4] First lets clean up what we currently have.

On Thu, May 13, 2010 at 10:36:05AM -0400, Christopher J. PeBenito wrote:
> On Wed, 2010-04-28 at 05:58 -0400, Dominick Grift wrote:
> > Remove the cgroup declarations from the kernel module and add a new
> > cgroupfs
> > declaration in filesystems module.
> >
> > Rename all group interfaces in filesystems interfaces file to reflect
> > cgroupfs changes.
> >
> > Modify the calls to cgroup filesystem policy in the virt module.
>
> Since Dan's submission of the original policy is still sitting in my
> queue, I think it would best if you and Dan worked this one out. Then
> one of you can resubmit the policy.

Yes, Please do not use this patch set. I have made many changes since then.

I wanted to confine some libcgroup commands that are called in the libcgroup init scripts, like cgclear and cgexec, but the more I thought about it, the more I started doubting the usefulness of this.

The more because cgexec basically needs pretty much all access that initrc_t has. Because if one defines CGROUP_DAEMON in the initscript, then init will let cgexec start the particular services instead of init. I was thinking about an attribute that could be added to the init_daemon_domain() but i dont see the benefit.

So in the end i decided to just extend initrc_t to do the stuff cgexec and cgclear does and only confine the commands that have their own init script (cg rules engine daemon, cg config parser)

dwalsh merged some of my recent policy from my master branch, it would be useful if the fedora community would put some scrutiny on the policy. Because i have a feeling that its not tested thoroughly.

>
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > :100644 100644 a2c146b... 5a34915... M
> > policy/modules/kernel/filesystem.if
> > :100644 100644 0c413e2... 275a1e5... M
> > policy/modules/kernel/filesystem.te
> > :100644 100644 3ef6a62... 44d2b58... M
> > policy/modules/kernel/kernel.te
> > :100644 100644 a2989cd... c0f8293... M
> > policy/modules/services/virt.te
> > policy/modules/kernel/filesystem.if | 107
> > +++++++++++++++++------------------
> > policy/modules/kernel/filesystem.te | 5 ++
> > policy/modules/kernel/kernel.te | 9 ---
> > policy/modules/services/virt.te | 4 +-
> > 4 files changed, 58 insertions(+), 67 deletions(-)
> >
> > diff --git a/policy/modules/kernel/filesystem.if
> > b/policy/modules/kernel/filesystem.if
> > index a2c146b..5a34915 100644
> > --- a/policy/modules/kernel/filesystem.if
> > +++ b/policy/modules/kernel/filesystem.if
> > @@ -567,12 +567,12 @@ interface(`fs_register_binary_executable_type',`
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_mount_cgroup', `
> > +interface(`fs_mount_cgroupfs', `
> > gen_require(`
> > - type cgroup_t;
> > + type cgroupfs_t;
> > ')
> >
> > - allow $1 cgroup_t:filesystem mount;
> > + allow $1 cgroupfs_t:filesystem mount;
> > ')
> >
> > ########################################
> > @@ -586,12 +586,12 @@ interface(`fs_mount_cgroup', `
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_remount_cgroup', `
> > +interface(`fs_remount_cgroupfs', `
> > gen_require(`
> > - type cgroup_t;
> > + type cgroupfs_t;
> > ')
> >
> > - allow $1 cgroup_t:filesystem remount;
> > + allow $1 cgroupfs_t:filesystem remount;
> > ')
> >
> > ########################################
> > @@ -604,12 +604,12 @@ interface(`fs_remount_cgroup', `
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_unmount_cgroup', `
> > +interface(`fs_unmount_cgroupfs', `
> > gen_require(`
> > - type cgroup_t;
> > + type cgroupfs_t;
> > ')
> >
> > - allow $1 cgroup_t:filesystem unmount;
> > + allow $1 cgroupfs_t:filesystem unmount;
> > ')
> >
> > ########################################
> > @@ -623,56 +623,56 @@ interface(`fs_unmount_cgroup', `
> > ## </param>
> > ## <rolecap/>
> > #
> > -interface(`fs_getattr_cgroup',`
> > +interface(`fs_getattr_cgroupfs', `
> > gen_require(`
> > - type cifs_t;
> > + type cgroupfs_t;
> > ')
> >
> > - allow $1 cifs_t:filesystem getattr;
> > + allow $1 cgroupfs_t:filesystem getattr;
> > ')
> >
> > ########################################
> > ## <summary>
> > -## list dirs on cgroup
> > -## file systems.
> > +## list dirs on cgroup
> > +## file systems.
> > ## </summary>
> > ## <param name="domain">
> > -## <summary>
> > -## Domain allowed access.
> > -## </summary>
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > ## </param>
> > #
> > -interface(`fs_list_cgroup_dirs', `
> > - gen_require(`
> > - type cgroup_t;
> > -
> > - ')
> > +interface(`fs_list_cgroupfs_dirs', `
> > + gen_require(`
> > + type cgroupfs_t;
> > + ')
> >
> > - list_dirs_pattern($1, cgroup_t, cgroup_t)
> > + list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
> > ')
> >
> > ########################################
> > ## <summary>
> > -## Do not audit attempts to read
> > -## dirs on a CIFS or SMB filesystem.
> > +## Manage dirs on cgroup file systems.
> > ## </summary>
> > ## <param name="domain">
> > ## <summary>
> > -## Domain to not audit.
> > +## Domain allowed access.
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_dontaudit_list_cifs_dirs',`
> > +interface(`fs_manage_cgroupfs_dirs', `
> > gen_require(`
> > - type cifs_t;
> > + type cgroupfs_t;
> > +
> > ')
> >
> > - dontaudit $1 cifs_t:dir list_dir_perms;
> > + manage_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
> > ')
> >
> > ########################################
> > ## <summary>
> > -## Manage dirs on cgroup file systems.
> > +## Set attributes of files on cgroup
> > +## file systems.
> > ## </summary>
> > ## <param name="domain">
> > ## <summary>
> > @@ -680,19 +680,17 @@ interface(`fs_dontaudit_list_cifs_dirs',`
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_manage_cgroup_dirs',`
> > +interface(`fs_setattr_cgroupfs_files', `
> > gen_require(`
> > - type cgroup_t;
> > -
> > + type cgroupfs_t;
> > ')
> >
> > - manage_dirs_pattern($1, cgroup_t, cgroup_t)
> > + setattr_files_pattern($1, cgroupfs_t, cgroupfs_t)
> > ')
> >
> > ########################################
> > ## <summary>
> > -## Set attributes of files on cgroup
> > -## file systems.
> > +## Read files on cgroup file systems.
> > ## </summary>
> > ## <param name="domain">
> > ## <summary>
> > @@ -700,19 +698,18 @@ interface(`fs_manage_cgroup_dirs',`
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_setattr_cgroup_files',`
> > +interface(`fs_read_cgroupfs_files', `
> > gen_require(`
> > - type cgroup_t;
> > + type cgroupfs_t;
> >
> > ')
> >
> > - setattr_files_pattern($1, cgroup_t, cgroup_t)
> > + read_files_pattern($1, cgroupfs_t, cgroupfs_t)
> > ')
> >
> > ########################################
> > ## <summary>
> > -## Read files on cgroup
> > -## file systems.
> > +## Write files on cgroup file systems.
> > ## </summary>
> > ## <param name="domain">
> > ## <summary>
> > @@ -720,18 +717,18 @@ interface(`fs_setattr_cgroup_files',`
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_read_cgroup_files',`
> > +interface(`fs_write_cgroupfs_files', `
> > gen_require(`
> > - type cgroup_t;
> > + type cgroupfs_t;
> >
> > ')
> >
> > - read_files_pattern($1, cgroup_t, cgroup_t)
> > + write_files_pattern($1, cgroupfs_t, cgroupfs_t)
> > ')
> >
> > ########################################
> > ## <summary>
> > -## Write files on cgroup
> > +## Read and write files on cgroup
> > ## file systems.
> > ## </summary>
> > ## <param name="domain">
> > @@ -740,33 +737,31 @@ interface(`fs_read_cgroup_files',`
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_write_cgroup_files', `
> > +interface(`fs_rw_cgroupfs_files', `
> > gen_require(`
> > - type cgroup_t;
> > -
> > + type cgroupfs_t;
> > ')
> >
> > - write_files_pattern($1, cgroup_t, cgroup_t)
> > + rw_files_pattern($1, cgroupfs_t, cgroupfs_t)
> > ')
> >
> > ########################################
> > ## <summary>
> > -## Read and write files on cgroup
> > -## file systems.
> > +## Do not audit attempts to read
> > +## dirs on a CIFS or SMB filesystem.
> > ## </summary>
> > ## <param name="domain">
> > ## <summary>
> > -## Domain allowed access.
> > +## Domain to not audit.
> > ## </summary>
> > ## </param>
> > #
> > -interface(`fs_rw_cgroup_files',`
> > +interface(`fs_dontaudit_list_cifs_dirs',`
> > gen_require(`
> > - type cgroup_t;
> > -
> > + type cifs_t;
> > ')
> >
> > - rw_files_pattern($1, cgroup_t, cgroup_t)
> > + dontaudit $1 cifs_t:dir list_dir_perms;
> > ')
> >
> > ########################################
> > diff --git a/policy/modules/kernel/filesystem.te
> > b/policy/modules/kernel/filesystem.te
> > index 0c413e2..275a1e5 100644
> > --- a/policy/modules/kernel/filesystem.te
> > +++ b/policy/modules/kernel/filesystem.te
> > @@ -68,6 +68,11 @@ fs_type(capifs_t)
> > files_mountpoint(capifs_t)
> > genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
> >
> > +type cgroupfs_t;
> > +fs_type(cgroupfs_t)
> > +files_type(cgroupfs_t)
> > +genfscon cgroup / gen_context(system_u:object_r:cgroupfs_t,s0)
> > +
> > type configfs_t;
> > fs_type(configfs_t)
> > genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
> > diff --git a/policy/modules/kernel/kernel.te
> > b/policy/modules/kernel/kernel.te
> > index 3ef6a62..44d2b58 100644
> > --- a/policy/modules/kernel/kernel.te
> > +++ b/policy/modules/kernel/kernel.te
> > @@ -46,15 +46,6 @@ role system_r types kernel_t;
> > sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
> >
> > #
> > -# cgroup fs
> > -#
> > -
> > -type cgroup_t;
> > -fs_type(cgroup_t)
> > -allow cgroup_t self:filesystem associate;
> > -genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
> > -
> > -#
> > # DebugFS
> > #
> >
> > diff --git a/policy/modules/services/virt.te
> > b/policy/modules/services/virt.te
> > index a2989cd..c0f8293 100644
> > --- a/policy/modules/services/virt.te
> > +++ b/policy/modules/services/virt.te
> > @@ -265,8 +265,8 @@ fs_list_auto_mountpoints(virtd_t)
> > fs_getattr_xattr_fs(virtd_t)
> > fs_rw_anon_inodefs_files(virtd_t)
> > fs_list_inotifyfs(virtd_t)
> > -fs_manage_cgroup_dirs(virtd_t)
> > -fs_rw_cgroup_files(virtd_t)
> > +fs_manage_cgroupfs_dirs(virtd_t)
> > +fs_rw_cgroupfs_files(virtd_t)
> >
> > mcs_process_set_categories(virtd_t)
> >
> > --
> > 1.7.0.1
> >
> >
> >
> > plain text document attachment (ATT75148.txt)
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>