From: domg472@gmail.com (Dominick Grift) Date: Wed, 28 Apr 2010 12:00:14 +0200 Subject: [refpolicy] [ cgroups revisited 2/4] Now implement libcgroup policy. Message-ID: <20100428100011.GA6487@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is a set of scripts that automate cgroup management. Signed-off-by: Dominick Grift --- :100644 100644 5a34915... 3b65a38... M policy/modules/kernel/filesystem.if :000000 100644 0000000... dd006ff... A policy/modules/services/cgroup.fc :000000 100644 0000000... abcab97... A policy/modules/services/cgroup.if :000000 100644 0000000... 67facee... A policy/modules/services/cgroup.te policy/modules/kernel/filesystem.if | 19 +++++ policy/modules/services/cgroup.fc | 11 +++ policy/modules/services/cgroup.if | 126 +++++++++++++++++++++++++++++++++++ policy/modules/services/cgroup.te | 111 ++++++++++++++++++++++++++++++ 4 files changed, 267 insertions(+), 0 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 5a34915..3b65a38 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -633,6 +633,25 @@ interface(`fs_getattr_cgroupfs', ` ######################################## ## +## Delete dirs on cgroup +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_delete_cgroupfs_dirs', ` + gen_require(` + type cgroupfs_t; + ') + + delete_dirs_pattern($1, cgroupfs_t, cgroupfs_t) +') + +######################################## +## ## list dirs on cgroup ## file systems. ## diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc new file mode 100644 index 0000000..dd006ff --- /dev/null +++ b/policy/modules/services/cgroup.fc 
@@ -0,0 +1,11 @@
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
+
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
new file mode 100644
index 0000000..abcab97
--- /dev/null
+++ b/policy/modules/services/cgroup.if
@@ -0,0 +1,126 @@ +## Control group rules engine daemon. +## +##
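Review bot: The last entry, `/var/run/cgred.*`, uses an unescaped `.`, so it matches any name beginning with `cgred` under /var/run and carries no object-class restriction, while every other entry in this file escapes its dots. If the daemon's only runtime object is its socket (the cgroup.if summary speaks of a "cgred sock file in /var/run"), `/var/run/cgred\.socket -s gen_context(system_u:object_r:cgred_var_run_t,s0)` labels exactly that file; at minimum `cgred\..*` keeps the pattern consistent with the rest of the file.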

+## cgrulesengd is a daemon, which distributes processes +## to control groups. When any process changes its +## effective UID or GID, cgred inspects list of +## rules loaded from cgrules.conf file and moves the +## process to the appropriate control group. +##

+##

+## The list of rules is read during the daemon startup and +## are cached in daemons memory. The daemon reloads the +## list of rules when it receives SIGUSR2 signal. +##

+##
+ +######################################## +## +## Delete cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`cgroup_delete_cgroup_dirs', ` + gen_require(` + type cgroup_t; + ') + + delete_dirs_pattern($1, cgroup_t, cgroup_t) + cgroup_search_cgroup_dirs($1) +') + +######################################## +## +## List cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`cgroup_list_cgroup_dirs', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:dir list_dir_perms; +') + +######################################## +## +## Manage cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`cgroup_manage_cgroup_dirs', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:dir manage_dir_perms; +') + +######################################## +## +## Read and write cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`cgroup_rw_cgroup_dirs', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:dir rw_dir_perms; +') + +######################################## +## +## Search cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`cgroup_search_cgroup_dirs', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:dir search_dir_perms; +') + +######################################## +## +## Read and write cgred sock file in /var/run. +## +## +## +## Domain allowed access. +## +## +# +interface(`cgroup_stream_connect', ` + gen_require(` + type cgred_var_run_t, cgred_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) +') + diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te new file mode 100644 index 0000000..67facee --- /dev/null +++ b/policy/modules/services/cgroup.te 
@@ -0,0 +1,111 @@
+
+policy_module(cgroup, 1.0.0)
+
+########################################
+#
+# cgroup global declarations.
+#
+
+type cgroup_t;
+files_mountpoint(cgroup_t)
+
+########################################
+#
+# cgclear personal declarations.
+#
+
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
+########################################
+#
+# cgconfig personal declarations.
+#
+
+type cgconfigparser_t;
+type cgconfigparser_exec_t;
+init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+########################################
+#
+# cgred personal declarations.
+#
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+########################################
+#
+# cgclear personal policy.
+#
+
+kernel_read_system_state(cgclear_t)
+
+fs_delete_cgroupfs_dirs(cgclear_t)
+fs_list_cgroupfs_dirs(cgclear_t)
+fs_rw_cgroupfs_files(cgclear_t)
+fs_unmount_cgroupfs(cgclear_t)
+
+cgroup_delete_cgroup_dirs(cgclear_t)
+
+########################################
+#
+# cgconfig personal policy.
+#
+
+manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
+manage_files_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
+allow cgconfigparser_t cgroup_t:dir mounton;
+
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
+
+files_read_etc_files(cgconfigparser_t)
+
+fs_manage_cgroupfs_dirs(cgconfigparser_t)
+fs_mount_cgroupfs(cgconfigparser_t)
+fs_rw_cgroupfs_files(cgconfigparser_t)
+fs_setattr_cgroupfs_files(cgconfigparser_t)
+
+########################################
+#
+# cgred personal policy.
+#
+
+allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+
+files_read_etc_files(cgred_t)
+
+files_search_all(cgred_t)
+files_getattr_all_files(cgred_t)
+files_getattr_all_dirs(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_getattr_all_pipes(cgred_t)
+files_read_all_symlinks(cgred_t)
+
+fs_write_cgroupfs_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
+
-- 1.7.0.1
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100428/736f358a/attachment.bin
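Review bot: The cgred personal policy grants `sys_ptrace`, `dac_override`, `domain_read_all_domains_state`, `files_search_all` and the whole `files_getattr_all_*` / `files_read_all_symlinks` set with no comment saying why a cgroup classifier needs to read every process's state and every path on the system. The cgroup.if description says cgred inspects processes when they change UID or GID and moves them between groups, which plausibly explains the /proc reads, but `dac_override` in particular should be confirmed against audit data rather than carried as a blanket grant; a comment above the capability rule such as `# cgred reads the /proc state of every process to match it against cgrules.conf; sys_ptrace covers processes it does not own -- dac_override still to be confirmed` records the justification for the next reviewer. Separately, `cgroup_stream_connect` in cgroup.if has callers connect to cgred_t through a cgred_var_run_t socket file, and this block creates that sock_file via files_pid_filetrans, yet nothing here grants cgred_t `self:unix_stream_socket` create/bind/listen/accept; unless init_daemon_domain supplies it (it does not appear to, since other daemon modules add it explicitly), the daemon cannot serve that socket and a line like `allow cgred_t self:unix_stream_socket create_stream_socket_perms;` is missing.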