Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.
Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 c17388d... 420c9d3... M policy/modules/services/cgroup.fc
:100644 100644 2d1eaf3... 66d68bc... M policy/modules/services/cgroup.if
:100644 100644 bb3a671... 2bfc041... M policy/modules/services/cgroup.te
:100644 100644 29f9757... bd45076... M policy/modules/system/init.te
policy/modules/services/cgroup.fc | 4 ++
policy/modules/services/cgroup.if | 66 +++++++++++++++++++++++++++++++++----
policy/modules/services/cgroup.te | 31 +++++++++++++++--
policy/modules/system/init.te | 6 +--
4 files changed, 93 insertions(+), 14 deletions(-)
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
index c17388d..420c9d3 100644
--- a/policy/modules/services/cgroup.fc
+++ b/policy/modules/services/cgroup.fc
@@ -1,10 +1,14 @@
/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
+
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index 2d1eaf3..66d68bc 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
@@ -3,6 +3,26 @@
########################################
## <summary>
## Execute a domain transition to run
+## CG Clear.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgclear',`
+ gen_require(`
+ type cgclear_t, cgclear_exec_t;
+ ')
+
+ domtrans_pattern($1, cgclear_exec_t, cgclear_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
## CG config parser.
## </summary>
## <param name="domain">
@@ -36,7 +56,6 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
type cgconfig_initrc_exec_t;
')
- files_search_etc($1)
init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
')
@@ -82,6 +101,34 @@ interface(`cgroup_initrc_domtrans_cgred',`
########################################
## <summary>
+## Execute a domain transition to
+## run CG Clear and allow the
+## specified role the CG Clear
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_run_cgclear',`
+ gen_require(`
+ type cgclear_t;
+ ')
+
+ cgroup_domtrans_cgclear($1)
+ role $2 types cgclear_t;
+')
+
+########################################
+## <summary>
## Connect to CG rules engine daemon
## over unix stream sockets.
## </summary>
@@ -91,7 +138,7 @@ interface(`cgroup_initrc_domtrans_cgred',`
## </summary>
## </param>
#
-interface(`cgroup_stream_connect', `
+interface(`cgroup_stream_connect_cgred', `
gen_require(`
type cgred_var_run_t, cgred_t;
')
@@ -121,14 +168,17 @@ interface(`cgroup_admin',`
gen_require(`
type cgred_t, cgconfig_t, cgred_var_run_t;
type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
- type cgrules_etc_t;
+ type cgrules_etc_t, cgclear_t, cgclear_exec_t;
')
- allow $1 cgconfig_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, cgconfig_t, cgconfig_t)
+ allow $1 cgclear_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgclear_t)
- allow $1 cgred_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, cgred_t, cgred_t)
+ allow $1 cgconfig_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgconfig_t)
+
+ allow $1 cgred_t:process { ptrace signal_perms };
+ ps_process_pattern($1, cgred_t)
admin_pattern($1, cgconfig_etc_t)
admin_pattern($1, cgrules_etc_t)
@@ -144,4 +194,6 @@ interface(`cgroup_admin',`
cgroup_initrc_domtrans_cgred($1)
role_transition $2 cgred_initrc_exec_t system_r;
+
+ cgroup_run_cgclear($1, $2)
')
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index bb3a671..2bfc041 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -5,6 +5,10 @@ policy_module(cgroup, 1.0.0)
# Declarations
#
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
type cgred_t;
type cgred_exec_t;
init_daemon_domain(cgred_t, cgred_exec_t)
@@ -30,6 +34,21 @@ files_config_file(cgconfig_etc_t)
########################################
#
+# cgclear personal policy.
+#
+
+allow cgclear_t self:capability sys_admin;
+
+kernel_read_system_state(cgclear_t)
+
+domain_setpriority_all_domains(cgclear_t)
+
+fs_manage_cgroup_dirs(cgclear_t)
+fs_manage_cgroup_files(cgclear_t)
+fs_unmount_cgroup(cgclear_t)
+
+########################################
+#
# cgconfig personal policy.
#
@@ -37,38 +56,44 @@ allow cgconfig_t self:capability { chown sys_admin };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+# search will do.
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)
+# /etc/nsswitch.conf, /etc/passwd
files_read_etc_files(cgconfig_t)
fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
-fs_unmount_cgroup(cgconfig_t)
########################################
#
# cgred personal policy.
#
-allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
allow cgred_t cgrules_etc_t:file read_file_perms;
+# rc script creates pid file
+manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
kernel_read_system_state(cgred_t)
domain_read_all_domains_state(cgred_t)
+domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
+
+# /etc/group
files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29f9757..bd45076 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -338,9 +338,7 @@ files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
-fs_delete_cgroup_dirs(initrc_t)
-fs_list_cgroup_dirs(initrc_t)
-fs_rw_cgroup_files(initrc_t)
+fs_write_cgroup_files(initrc_t)
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -570,7 +568,7 @@ optional_policy(`
')
optional_policy(`
- cgroup_stream_connect(initrc_t)
+ cgroup_stream_connect_cgred(initrc_t)
')
optional_policy(`
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100808/b8cd3fed/attachment.bin
On 08/08/10 06:05, Dominick Grift wrote:
> Libcgroup moved cgclear to /sbin.
> Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
> We might want to add cgroup_run_cgclear to sysadm module.
Merged.
> Signed-off-by: Dominick Grift<[email protected]>
> ---
> :100644 100644 c17388d... 420c9d3... M policy/modules/services/cgroup.fc
> :100644 100644 2d1eaf3... 66d68bc... M policy/modules/services/cgroup.if
> :100644 100644 bb3a671... 2bfc041... M policy/modules/services/cgroup.te
> :100644 100644 29f9757... bd45076... M policy/modules/system/init.te
> policy/modules/services/cgroup.fc | 4 ++
> policy/modules/services/cgroup.if | 66 +++++++++++++++++++++++++++++++++----
> policy/modules/services/cgroup.te | 31 +++++++++++++++--
> policy/modules/system/init.te | 6 +--
> 4 files changed, 93 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
> index c17388d..420c9d3 100644
> --- a/policy/modules/services/cgroup.fc
> +++ b/policy/modules/services/cgroup.fc
> @@ -1,10 +1,14 @@
> /etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
> /etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
>
> +/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
> +/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
> +
> /etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
>
> /sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
> /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
> +/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
>
> /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
> diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
> index 2d1eaf3..66d68bc 100644
> --- a/policy/modules/services/cgroup.if
> +++ b/policy/modules/services/cgroup.if
> @@ -3,6 +3,26 @@
> ########################################
> ##<summary>
> ## Execute a domain transition to run
> +## CG Clear.
> +##</summary>
> +##<param name="domain">
> +##<summary>
> +## Domain allowed to transition.
> +##</summary>
> +##</param>
> +#
> +interface(`cgroup_domtrans_cgclear',`
> + gen_require(`
> + type cgclear_t, cgclear_exec_t;
> + ')
> +
> + domtrans_pattern($1, cgclear_exec_t, cgclear_t)
> + corecmd_search_bin($1)
> +')
> +
> +########################################
> +##<summary>
> +## Execute a domain transition to run
> ## CG config parser.
> ##</summary>
> ##<param name="domain">
> @@ -36,7 +56,6 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
> type cgconfig_initrc_exec_t;
> ')
>
> - files_search_etc($1)
> init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
> ')
>
> @@ -82,6 +101,34 @@ interface(`cgroup_initrc_domtrans_cgred',`
>
> ########################################
> ##<summary>
> +## Execute a domain transition to
> +## run CG Clear and allow the
> +## specified role the CG Clear
> +## domain.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +##</param>
> +##<param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`cgroup_run_cgclear',`
> + gen_require(`
> + type cgclear_t;
> + ')
> +
> + cgroup_domtrans_cgclear($1)
> + role $2 types cgclear_t;
> +')
> +
> +########################################
> +##<summary>
> ## Connect to CG rules engine daemon
> ## over unix stream sockets.
> ##</summary>
> @@ -91,7 +138,7 @@ interface(`cgroup_initrc_domtrans_cgred',`
> ## </summary>
> ##</param>
> #
> -interface(`cgroup_stream_connect', `
> +interface(`cgroup_stream_connect_cgred', `
> gen_require(`
> type cgred_var_run_t, cgred_t;
> ')
> @@ -121,14 +168,17 @@ interface(`cgroup_admin',`
> gen_require(`
> type cgred_t, cgconfig_t, cgred_var_run_t;
> type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
> - type cgrules_etc_t;
> + type cgrules_etc_t, cgclear_t, cgclear_exec_t;
> ')
>
> - allow $1 cgconfig_t:process { ptrace signal_perms getattr };
> - read_files_pattern($1, cgconfig_t, cgconfig_t)
> + allow $1 cgclear_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cgclear_t)
>
> - allow $1 cgred_t:process { ptrace signal_perms getattr };
> - read_files_pattern($1, cgred_t, cgred_t)
> + allow $1 cgconfig_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cgconfig_t)
> +
> + allow $1 cgred_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cgred_t)
>
> admin_pattern($1, cgconfig_etc_t)
> admin_pattern($1, cgrules_etc_t)
> @@ -144,4 +194,6 @@ interface(`cgroup_admin',`
>
> cgroup_initrc_domtrans_cgred($1)
> role_transition $2 cgred_initrc_exec_t system_r;
> +
> + cgroup_run_cgclear($1, $2)
> ')
> diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
> index bb3a671..2bfc041 100644
> --- a/policy/modules/services/cgroup.te
> +++ b/policy/modules/services/cgroup.te
> @@ -5,6 +5,10 @@ policy_module(cgroup, 1.0.0)
> # Declarations
> #
>
> +type cgclear_t;
> +type cgclear_exec_t;
> +init_daemon_domain(cgclear_t, cgclear_exec_t)
> +
> type cgred_t;
> type cgred_exec_t;
> init_daemon_domain(cgred_t, cgred_exec_t)
> @@ -30,6 +34,21 @@ files_config_file(cgconfig_etc_t)
>
> ########################################
> #
> +# cgclear personal policy.
> +#
> +
> +allow cgclear_t self:capability sys_admin;
> +
> +kernel_read_system_state(cgclear_t)
> +
> +domain_setpriority_all_domains(cgclear_t)
> +
> +fs_manage_cgroup_dirs(cgclear_t)
> +fs_manage_cgroup_files(cgclear_t)
> +fs_unmount_cgroup(cgclear_t)
> +
> +########################################
> +#
> # cgconfig personal policy.
> #
>
> @@ -37,38 +56,44 @@ allow cgconfig_t self:capability { chown sys_admin };
>
> allow cgconfig_t cgconfig_etc_t:file read_file_perms;
>
> +# search will do.
> kernel_list_unlabeled(cgconfig_t)
> kernel_read_system_state(cgconfig_t)
>
> +# /etc/nsswitch.conf, /etc/passwd
> files_read_etc_files(cgconfig_t)
>
> fs_manage_cgroup_dirs(cgconfig_t)
> fs_manage_cgroup_files(cgconfig_t)
> fs_mount_cgroup(cgconfig_t)
> fs_mounton_cgroup(cgconfig_t)
> -fs_unmount_cgroup(cgconfig_t)
>
> ########################################
> #
> # cgred personal policy.
> #
>
> -allow cgred_t self:capability { net_admin sys_ptrace dac_override };
> +allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
> allow cgred_t self:netlink_socket { write bind create read };
> allow cgred_t self:unix_dgram_socket { write create connect };
>
> allow cgred_t cgrules_etc_t:file read_file_perms;
>
> +# rc script creates pid file
> +manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
> manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
> -files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
> +files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
>
> kernel_read_system_state(cgred_t)
>
> domain_read_all_domains_state(cgred_t)
> +domain_setpriority_all_domains(cgred_t)
>
> files_getattr_all_files(cgred_t)
> files_getattr_all_sockets(cgred_t)
> files_read_all_symlinks(cgred_t)
> +
> +# /etc/group
> files_read_etc_files(cgred_t)
>
> fs_write_cgroup_files(cgred_t)
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 29f9757..bd45076 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -338,9 +338,7 @@ files_mounton_isid_type_dirs(initrc_t)
> files_list_default(initrc_t)
> files_mounton_default(initrc_t)
>
> -fs_delete_cgroup_dirs(initrc_t)
> -fs_list_cgroup_dirs(initrc_t)
> -fs_rw_cgroup_files(initrc_t)
> +fs_write_cgroup_files(initrc_t)
> fs_list_inotifyfs(initrc_t)
> fs_register_binary_executable_type(initrc_t)
> # rhgb-console writes to ramfs
> @@ -570,7 +568,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - cgroup_stream_connect(initrc_t)
> + cgroup_stream_connect_cgred(initrc_t)
> ')
>
> optional_policy(`