From: domg472@gmail.com (Dominick Grift)
Date: Wed, 28 Apr 2010 11:58:33 +0200
Subject: [refpolicy] [ cgroups revisited 1/4] First lets clean up what we currently have.
Message-ID: <20100428095830.GA6461@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Remove the cgroup declarations from the kernel module and add a new cgroupfs declaration in filesystems module. Rename all group interfaces in filesystems interfaces file to reflect cgroupfs changes. Modify the calls to cgroup filesystem policy in the virt module.

Signed-off-by: Dominick Grift
---
:100644 100644 a2c146b... 5a34915... M policy/modules/kernel/filesystem.if
:100644 100644 0c413e2... 275a1e5... M policy/modules/kernel/filesystem.te
:100644 100644 3ef6a62... 44d2b58... M policy/modules/kernel/kernel.te
:100644 100644 a2989cd... c0f8293... M policy/modules/services/virt.te
policy/modules/kernel/filesystem.if | 107 +++++++++++++++++------------------
policy/modules/kernel/filesystem.te | 5 ++
policy/modules/kernel/kernel.te | 9 ---
policy/modules/services/virt.te | 4 +-
4 files changed, 58 insertions(+), 67 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a2c146b..5a34915 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -567,12 +567,12 @@ interface(`fs_register_binary_executable_type',`
 ##
 ##
 #
-interface(`fs_mount_cgroup', `
+interface(`fs_mount_cgroupfs', `
 gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
 ')
- allow $1 cgroup_t:filesystem mount;
+ allow $1 cgroupfs_t:filesystem mount;
 ')
 ########################################
@@ -586,12 +586,12 @@ interface(`fs_mount_cgroup', `
 ##
 ##
 #
-interface(`fs_remount_cgroup', `
+interface(`fs_remount_cgroupfs', `
 gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
 ')
- allow $1 cgroup_t:filesystem remount;
+ allow $1 cgroupfs_t:filesystem remount;
 ')
 ########################################
@@ -604,12 +604,12 @@ interface(`fs_remount_cgroup', `
 ##
 ##
 #
-interface(`fs_unmount_cgroup', `
+interface(`fs_unmount_cgroupfs', `
 gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
 ')
- allow $1 cgroup_t:filesystem unmount;
+ allow $1 cgroupfs_t:filesystem unmount;
 ')
 ########################################
@@ -623,56 +623,56 @@ interface(`fs_unmount_cgroup', `
 ##
 ##
 #
-interface(`fs_getattr_cgroup',`
+interface(`fs_getattr_cgroupfs', `
 gen_require(`
- type cifs_t;
+ type cgroupfs_t;
 ')
- allow $1 cifs_t:filesystem getattr;
+ allow $1 cgroupfs_t:filesystem getattr;
 ')
 ########################################
 ##
-## list dirs on cgroup
-## file systems.
+## list dirs on cgroup
+## file systems.
 ##
 ##
-##
-## Domain allowed access.
-##
+##
+## Domain allowed access.
+##
 ##
 #
-interface(`fs_list_cgroup_dirs', `
- gen_require(`
- type cgroup_t;
-
- ')
+interface(`fs_list_cgroupfs_dirs', `
+ gen_require(`
+ type cgroupfs_t;
+ ')
- list_dirs_pattern($1, cgroup_t, cgroup_t)
+ list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
 ')
 ########################################
 ##
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## Manage dirs on cgroup file systems.
 ##
 ##
 ##
-## Domain to not audit.
+## Domain allowed access.
 ##
 ##
 #
-interface(`fs_dontaudit_list_cifs_dirs',`
+interface(`fs_manage_cgroupfs_dirs', `
 gen_require(`
- type cifs_t;
+ type cgroupfs_t;
+ ')
- dontaudit $1 cifs_t:dir list_dir_perms;
+ manage_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
 ')
 ########################################
 ##
-## Manage dirs on cgroup file systems.
+## Set attributes of files on cgroup
+## file systems.
 ##
 ##
 ##
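Review bot: `fs_getattr_cgroupfs` in the -623 hunk is not only a rename: the old `fs_getattr_cgroup` required `cifs_t` and granted `allow $1 cifs_t:filesystem getattr;`, so any existing caller of it loses cifs_t getattr and gains cgroupfs_t getattr with this change, and the commit message ("Rename all ... interfaces") does not say so. That deserves a sentence in the description and a check of current callers, since a domain that was (wrongly) relying on the cifs_t grant would start seeing denials after this lands. The same hunk removes `fs_list_cgroup_dirs` and `fs_manage_cgroup_dirs` outright; the tree's usual practice for a renamed interface is to keep the old name as a deprecated wrapper that emits `refpolicywarn()` and then calls the new interface, so out-of-tree modules built against this policy get a warning instead of a build failure. If such wrappers are added, the getattr one should call `fs_getattr_cgroupfs($1)` and its summary should note the cifs_t-to-cgroupfs_t behavior change.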
@@ -680,19 +680,17 @@ interface(`fs_dontaudit_list_cifs_dirs',`
 ##
 ##
 #
-interface(`fs_manage_cgroup_dirs',`
+interface(`fs_setattr_cgroupfs_files', `
 gen_require(`
- type cgroup_t;
-
+ type cgroupfs_t;
 ')
- manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ setattr_files_pattern($1, cgroupfs_t, cgroupfs_t)
 ')
 ########################################
 ##
-## Set attributes of files on cgroup
-## file systems.
+## Read files on cgroup file systems.
 ##
 ##
 ##
@@ -700,19 +698,18 @@ interface(`fs_manage_cgroup_dirs',`
 ##
 ##
 #
-interface(`fs_setattr_cgroup_files',`
+interface(`fs_read_cgroupfs_files', `
 gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
 ')
- setattr_files_pattern($1, cgroup_t, cgroup_t)
+ read_files_pattern($1, cgroupfs_t, cgroupfs_t)
 ')
 ########################################
 ##
-## Read files on cgroup
-## file systems.
+## Write files on cgroup file systems.
 ##
 ##
 ##
@@ -720,18 +717,18 @@ interface(`fs_setattr_cgroup_files',`
 ##
 ##
 #
-interface(`fs_read_cgroup_files',`
+interface(`fs_write_cgroupfs_files', `
 gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
 ')
- read_files_pattern($1, cgroup_t, cgroup_t)
+ write_files_pattern($1, cgroupfs_t, cgroupfs_t)
 ')
 ########################################
 ##
-## Write files on cgroup
+## Read and write files on cgroup
 ## file systems.
 ##
 ##
@@ -740,33 +737,31 @@ interface(`fs_read_cgroup_files',`
 ##
 ##
 #
-interface(`fs_write_cgroup_files', `
+interface(`fs_rw_cgroupfs_files', `
 gen_require(`
- type cgroup_t;
-
+ type cgroupfs_t;
 ')
- write_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroupfs_t, cgroupfs_t)
 ')
 ########################################
 ##
-## Read and write files on cgroup
-## file systems.
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
 ##
 ##
 ##
-## Domain allowed access.
+## Domain to not audit.
 ##
 ##
 #
-interface(`fs_rw_cgroup_files',`
+interface(`fs_dontaudit_list_cifs_dirs',`
 gen_require(`
- type cgroup_t;
-
+ type cifs_t;
 ')
- rw_files_pattern($1, cgroup_t, cgroup_t)
+ dontaudit $1 cifs_t:dir list_dir_perms;
 ')
 ########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 0c413e2..275a1e5 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -68,6 +68,11 @@ fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+type cgroupfs_t;
+fs_type(cgroupfs_t)
+files_type(cgroupfs_t)
+genfscon cgroup / gen_context(system_u:object_r:cgroupfs_t,s0)
+
 type configfs_t;
 fs_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3ef6a62..44d2b58 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -46,15 +46,6 @@ role system_r types kernel_t;
 sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 #
-# cgroup fs
-#
-
-type cgroup_t;
-fs_type(cgroup_t)
-allow cgroup_t self:filesystem associate;
-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
-#
 # DebugFS
 #
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a2989cd..c0f8293 100644
--- a/policy/modules/services/virt.te
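Review bot: The new `cgroupfs_t` declaration in the filesystem.te hunk does not visibly carry over the `allow cgroup_t self:filesystem associate;` rule that the kernel.te hunk removes; unless `fs_type()` or `files_type()` grants self:filesystem associate (their bodies are not in this patch), creating entries under a mounted cgroup hierarchy — exactly what `fs_manage_cgroupfs_dirs(virtd_t)` is meant to permit — would fail the associate check, so either add `allow cgroupfs_t self:filesystem associate;` after `fs_type(cgroupfs_t)` or confirm the interface already covers it. Separately, `files_type(cgroupfs_t)` was not part of the old declaration and places a kernel control interface in the generic `file_type` attribute, so every domain that is granted access over that attribute (the broad "all files" style interfaces) presumably now reaches cgroup control files such as `tasks` as well. If that widening is not intended, keep `fs_type(cgroupfs_t)` alone plus the explicit associate rule, mirroring the removed kernel.te block; if it is intended, say so in the commit message since it changes who can write to the cgroup tree.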
+++ b/policy/modules/services/virt.te
@@ -265,8 +265,8 @@ fs_list_auto_mountpoints(virtd_t)
 fs_getattr_xattr_fs(virtd_t)
 fs_rw_anon_inodefs_files(virtd_t)
 fs_list_inotifyfs(virtd_t)
-fs_manage_cgroup_dirs(virtd_t)
-fs_rw_cgroup_files(virtd_t)
+fs_manage_cgroupfs_dirs(virtd_t)
+fs_rw_cgroupfs_files(virtd_t)
 mcs_process_set_categories(virtd_t)
--
1.7.0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100428/f61e6009/attachment.bin