From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 13 May 2010 10:36:05 -0400 Subject: [refpolicy] [ cgroups revisited 1/4] First lets clean up what we currently have. In-Reply-To: <20100428095830.GA6461@localhost.localdomain> References: <20100428095830.GA6461@localhost.localdomain> Message-ID: <1273761365.738.50.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2010-04-28 at 05:58 -0400, Dominick Grift wrote: > Remove the cgroup declarations from the kernel module and add a new > cgroupfs > declaration in filesystems module. > > Rename all group interfaces in filesystems interfaces file to reflect > cgroupfs changes. > > Modify the calls to cgroup filesystem policy in the virt module. Since Dan's submission of the original policy is still sitting in my queue, I think it would be best if you and Dan worked this one out. Then one of you can resubmit the policy. > Signed-off-by: Dominick Grift > --- > :100644 100644 a2c146b... 5a34915... M > policy/modules/kernel/filesystem.if > :100644 100644 0c413e2... 275a1e5... M > policy/modules/kernel/filesystem.te > :100644 100644 3ef6a62... 44d2b58... M > policy/modules/kernel/kernel.te > :100644 100644 a2989cd... c0f8293... M > policy/modules/services/virt.te > policy/modules/kernel/filesystem.if | 107 > +++++++++++++++++------------------ > policy/modules/kernel/filesystem.te | 5 ++ > policy/modules/kernel/kernel.te | 9 --- > policy/modules/services/virt.te | 4 +- > 4 files changed, 58 insertions(+), 67 deletions(-) > > diff --git a/policy/modules/kernel/filesystem.if > b/policy/modules/kernel/filesystem.if > index a2c146b..5a34915 100644 > --- a/policy/modules/kernel/filesystem.if > +++ b/policy/modules/kernel/filesystem.if 
> @@ -567,12 +567,12 @@ interface(`fs_register_binary_executable_type',` > ## > ## > # > -interface(`fs_mount_cgroup', ` > +interface(`fs_mount_cgroupfs', ` > gen_require(` > - type cgroup_t; > + type cgroupfs_t; > ') > > - allow $1 cgroup_t:filesystem mount; > + allow $1 cgroupfs_t:filesystem mount; > ') > > ######################################## > @@ -586,12 +586,12 @@ interface(`fs_mount_cgroup', ` > ## > ## > # > -interface(`fs_remount_cgroup', ` > +interface(`fs_remount_cgroupfs', ` > gen_require(` > - type cgroup_t; > + type cgroupfs_t; > ') > > - allow $1 cgroup_t:filesystem remount; > + allow $1 cgroupfs_t:filesystem remount; > ') > > ######################################## > @@ -604,12 +604,12 @@ interface(`fs_remount_cgroup', ` > ## > ## > # > -interface(`fs_unmount_cgroup', ` > +interface(`fs_unmount_cgroupfs', ` > gen_require(` > - type cgroup_t; > + type cgroupfs_t; > ') > > - allow $1 cgroup_t:filesystem unmount; > + allow $1 cgroupfs_t:filesystem unmount; > ') > > ######################################## 
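Review bot: Renaming `fs_mount_cgroup` to `fs_mount_cgroupfs` removes the old interface name outright, so any policy module outside this tree that still calls it stops building; the same applies to every rename in the following filesystem.if hunks (remount, unmount, getattr, list/manage dirs, setattr/read/write/rw files). If the tree's usual practice of keeping a deprecated wrapper is wanted here, each old name could stay as a three-line shim that calls `refpolicywarn` with a "has been deprecated, please use fs_mount_cgroupfs() instead" message and then forwards to `fs_mount_cgroupfs($*)`. Otherwise the commit description should say explicitly that the old interface names are removed without a compatibility period, so downstream policy authors know to update their callers.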
> @@ -623,56 +623,56 @@ interface(`fs_unmount_cgroup', ` > ## > ## > # > -interface(`fs_getattr_cgroup',` > +interface(`fs_getattr_cgroupfs', ` > gen_require(` > - type cifs_t; > + type cgroupfs_t; > ') > > - allow $1 cifs_t:filesystem getattr; > + allow $1 cgroupfs_t:filesystem getattr; > ') > > ######################################## > ## > -## list dirs on cgroup > -## file systems. > +## list dirs on cgroup > +## file systems. > ## > ## > -## > -## Domain allowed access. > -## > +## > +## Domain allowed access. > +## > ## > # > -interface(`fs_list_cgroup_dirs', ` > - gen_require(` > - type cgroup_t; > - > - ') > +interface(`fs_list_cgroupfs_dirs', ` > + gen_require(` > + type cgroupfs_t; > + ') > > - list_dirs_pattern($1, cgroup_t, cgroup_t) > + list_dirs_pattern($1, cgroupfs_t, cgroupfs_t) > ') > > ######################################## > ## > -## Do not audit attempts to read > -## dirs on a CIFS or SMB filesystem. > +## Manage dirs on cgroup file systems. > ## > ## > ## > -## Domain to not audit. > +## Domain allowed access. > ## > ## > # > -interface(`fs_dontaudit_list_cifs_dirs',` > +interface(`fs_manage_cgroupfs_dirs', ` > gen_require(` > - type cifs_t; > + type cgroupfs_t; > + > ') > > - dontaudit $1 cifs_t:dir list_dir_perms; > + manage_dirs_pattern($1, cgroupfs_t, cgroupfs_t) > ') > > ######################################## > ## > -## Manage dirs on cgroup file systems. > +## Set attributes of files on cgroup > +## file systems. > ## > ## > ## > @@ -680,19 +680,17 @@ interface(`fs_dontaudit_list_cifs_dirs',` > ## > ## > # > -interface(`fs_manage_cgroup_dirs',` > +interface(`fs_setattr_cgroupfs_files', ` > gen_require(` > - type cgroup_t; > - > + type cgroupfs_t; > ') > > - manage_dirs_pattern($1, cgroup_t, cgroup_t) > + setattr_files_pattern($1, cgroupfs_t, cgroupfs_t) > ') > > ######################################## > ## > -## Set attributes of files on cgroup > -## file systems. > +## Read files on cgroup file systems. > ## > ## > ## 
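Review bot: The `fs_getattr_cgroupfs` hunk silently fixes a wrong-type grant: the old `fs_getattr_cgroup` required and allowed getattr on `cifs_t` rather than the cgroup type, so its callers were being granted CIFS filesystem getattr instead of cgroup getattr. That is a behavioural change independent of the rename and deserves its own line in the commit description (ideally its own patch), so anyone auditing which domains gained or lost cgroup or CIFS access can find it. The same hunk also moves `fs_dontaudit_list_cifs_dirs` from between the list and manage interfaces to after `fs_rw_cgroupfs_files` in the last filesystem.if hunk, which makes git render unrelated interfaces as rewritten; leaving the CIFS interface where it was and touching only the cgroup interfaces would keep the diff reviewable line by line.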
> @@ -700,19 +698,18 @@ interface(`fs_manage_cgroup_dirs',` > ## > ## > # > -interface(`fs_setattr_cgroup_files',` > +interface(`fs_read_cgroupfs_files', ` > gen_require(` > - type cgroup_t; > + type cgroupfs_t; > > ') > > - setattr_files_pattern($1, cgroup_t, cgroup_t) > + read_files_pattern($1, cgroupfs_t, cgroupfs_t) > ') > > ######################################## > ## > -## Read files on cgroup > -## file systems. > +## Write files on cgroup file systems. > ## > ## > ## > @@ -720,18 +717,18 @@ interface(`fs_setattr_cgroup_files',` > ## > ## > # > -interface(`fs_read_cgroup_files',` > +interface(`fs_write_cgroupfs_files', ` > gen_require(` > - type cgroup_t; > + type cgroupfs_t; > > ') > > - read_files_pattern($1, cgroup_t, cgroup_t) > + write_files_pattern($1, cgroupfs_t, cgroupfs_t) > ') > > ######################################## > ## > -## Write files on cgroup > +## Read and write files on cgroup > ## file systems. > ## > ## > @@ -740,33 +737,31 @@ interface(`fs_read_cgroup_files',` > ## > ## > # > -interface(`fs_write_cgroup_files', ` > +interface(`fs_rw_cgroupfs_files', ` > gen_require(` > - type cgroup_t; > - > + type cgroupfs_t; > ') > > - write_files_pattern($1, cgroup_t, cgroup_t) > + rw_files_pattern($1, cgroupfs_t, cgroupfs_t) > ') > > ######################################## > ## > -## Read and write files on cgroup > -## file systems. > +## Do not audit attempts to read > +## dirs on a CIFS or SMB filesystem. > ## > ## > ## > -## Domain allowed access. > +## Domain to not audit. > ## > ## > # > -interface(`fs_rw_cgroup_files',` > +interface(`fs_dontaudit_list_cifs_dirs',` > gen_require(` > - type cgroup_t; > - > + type cifs_t; > ') > > - rw_files_pattern($1, cgroup_t, cgroup_t) > + dontaudit $1 cifs_t:dir list_dir_perms; > ') > > ######################################## > diff --git a/policy/modules/kernel/filesystem.te > b/policy/modules/kernel/filesystem.te > index 0c413e2..275a1e5 100644 > --- a/policy/modules/kernel/filesystem.te 
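Review bot: The `gen_require` blocks of the renamed interfaces end up formatted three different ways: `fs_read_cgroupfs_files` and `fs_write_cgroupfs_files` keep a stray blank line between `type cgroupfs_t;` and `')`, `fs_rw_cgroupfs_files` removes it, and `fs_manage_cgroupfs_dirs` in the previous hunk newly adds one. Since the patch already touches every one of these lines, it would be cleaner to settle on one form, `gen_require(` / `type cgroupfs_t;` / `')` with no blank line, matching the mount/remount/unmount interfaces earlier in the file. The summary line for `fs_rw_cgroupfs_files` is likewise split over two `<summary>` lines while its siblings were collapsed to one.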
> +++ b/policy/modules/kernel/filesystem.te > @@ -68,6 +68,11 @@ fs_type(capifs_t) > files_mountpoint(capifs_t) > genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) > > +type cgroupfs_t; > +fs_type(cgroupfs_t) > +files_type(cgroupfs_t) > +genfscon cgroup / gen_context(system_u:object_r:cgroupfs_t,s0) > + > type configfs_t; > fs_type(configfs_t) > genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) > diff --git a/policy/modules/kernel/kernel.te > b/policy/modules/kernel/kernel.te > index 3ef6a62..44d2b58 100644 > --- a/policy/modules/kernel/kernel.te > +++ b/policy/modules/kernel/kernel.te > @@ -46,15 +46,6 @@ role system_r types kernel_t; > sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) > > # > -# cgroup fs > -# > - > -type cgroup_t; > -fs_type(cgroup_t) > -allow cgroup_t self:filesystem associate; > -genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) > - > -# > # DebugFS > # > > diff --git a/policy/modules/services/virt.te > b/policy/modules/services/virt.te > index a2989cd..c0f8293 100644 > --- a/policy/modules/services/virt.te > +++ b/policy/modules/services/virt.te > @@ -265,8 +265,8 @@ fs_list_auto_mountpoints(virtd_t) > fs_getattr_xattr_fs(virtd_t) > fs_rw_anon_inodefs_files(virtd_t) > fs_list_inotifyfs(virtd_t) > -fs_manage_cgroup_dirs(virtd_t) > -fs_rw_cgroup_files(virtd_t) > +fs_manage_cgroupfs_dirs(virtd_t) > +fs_rw_cgroupfs_files(virtd_t) > > mcs_process_set_categories(virtd_t) > > -- > 1.7.0.1 > > > > plain text document attachment (ATT75148.txt) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
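Review bot: The new `cgroupfs_t` declaration in filesystem.te has no `allow cgroupfs_t self:filesystem associate;`, although the block being removed from kernel.te carried exactly that rule for `cgroup_t`. If `fs_type()` or `files_type()` supply an equivalent associate permission through their attributes that is fine, but it should be confirmed, since without it files on the cgroup mount cannot be labeled with their own type. Separately, `files_type(cgroupfs_t)` is new relative to the old `cgroup_t`: if it adds the type to the `file_type` attribute as it does elsewhere in the tree, every interface that grants on `file_type` now reaches cgroup control files, which govern process placement and resource limits, and that widening deserves a comment above the declaration, e.g. `# files_type: cgroup control files are reachable by file_type-wide interfaces`, or a rationale in the commit description. The kernel.te and virt.te hunks are straightforward follow-ups of this declaration and need nothing further.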