From: domg472@gmail.com (Dominick Grift)
Date: Mon, 7 Jun 2010 20:10:02 +0200
Subject: [refpolicy] [patch v2 0/1] Revisiting cgroups.
Message-ID: <20100607181000.GA1233@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Here's another shot at cgroups.

Revisiting existing cgroup policy:
- Move cgroup_t declarations from kernel.te to filesystem.te
- Redo cgroup interfaces in filesystem.if
- Add file context specification for /cgroup mountpoint to filesystem.fc

Implementing libcgroup policy:
- Libcg automates cgroup management.

How libcg init scripts interact with cgroup:
- The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.

How users interact with cgroup:
- All login users can list cgroup.
- Common users can read and write cgroup files (access governed by dac).

 policy/modules/kernel/filesystem.fc |    2 +
 policy/modules/kernel/filesystem.if |  150 +++++++++++++++++++++++++----------
 policy/modules/kernel/filesystem.te |    6 ++
 policy/modules/kernel/kernel.te     |    9 --
 policy/modules/services/cgroup.fc   |   10 +++
 policy/modules/services/cgroup.if   |  149 ++++++++++++++++++++++++++++++++++
 policy/modules/services/cgroup.te   |   86 ++++++++++++++++++++
 policy/modules/system/init.te       |    7 ++
 policy/modules/system/userdomain.if |    4 +
 9 files changed, 372 insertions(+), 51 deletions(-)