From: domg472@gmail.com (Dominick Grift)
Date: Mon, 7 Jun 2010 20:17:14 +0200
Subject: [refpolicy] [ patch v2 1/4] cgroup in filesystem.
Message-ID: <20100607181705.GA2809@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 b029773... 9306de6... M	policy/modules/kernel/filesystem.fc
:100644 100644 a2c146b... 4052ab9... M	policy/modules/kernel/filesystem.if
:100644 100644 774e0a1... cb889c3... M	policy/modules/kernel/filesystem.te
:100644 100644 78fb6b2... 5b6c8b9... M	policy/modules/kernel/kernel.te
 policy/modules/kernel/filesystem.fc |    2 +
 policy/modules/kernel/filesystem.if |  150 +++++++++++++++++++++++++----------
 policy/modules/kernel/filesystem.te |    6 ++
 policy/modules/kernel/kernel.te     |    9 --
 4 files changed, 116 insertions(+), 51 deletions(-)

diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index b029773..9306de6 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1 +1,3 @@
 /dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
+
+/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a2c146b..4052ab9 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -559,7 +559,25 @@ interface(`fs_register_binary_executable_type',`
 
 ########################################
 ## <summary>
-##	Mount a cgroup filesystem.
+##	Get attributes of cgroup filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_cgroup',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Mount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -577,8 +595,25 @@ interface(`fs_mount_cgroup', `
 
 ########################################
 ## <summary>
-##	Remount a cgroup filesystem  This allows
-##	some mount options to be changed.
+##	Mount on cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_cgroup', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Remount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -596,7 +631,7 @@ interface(`fs_remount_cgroup', `
 
 ########################################
 ## <summary>
-##	Unmount a cgroup file system.
+##	Unmount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -614,65 +649,62 @@ interface(`fs_unmount_cgroup', `
 
 ########################################
 ## <summary>
-##	Get the attributes of a cgroup filesystem.
+##	Delete cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_getattr_cgroup',`
+interface(`fs_delete_cgroup_dirs', `
 	gen_require(`
-		type cifs_t;
+		type cgroup_t;
 	')
 
-	allow $1 cifs_t:filesystem getattr;
+	delete_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##      list dirs on cgroup
-##      file systems.
+##	list cgroup directories.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`fs_list_cgroup_dirs', `
-        gen_require(`
-                type cgroup_t;
-
-        ')
+	gen_require(`
+		type cgroup_t;
+	')
 
-        list_dirs_pattern($1, cgroup_t, cgroup_t)
+	list_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to read
-##	dirs on a CIFS or SMB filesystem.
+##	Manage cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_list_cifs_dirs',`
+interface(`fs_manage_cgroup_dirs',`
 	gen_require(`
-		type cifs_t;
+		type cgroup_t;
+
 	')
 
-	dontaudit $1 cifs_t:dir list_dir_perms;
+	manage_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Manage dirs on cgroup file systems.
+##	Search cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -680,19 +712,18 @@ interface(`fs_dontaudit_list_cifs_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_cgroup_dirs',`
+interface(`fs_search_cgroup_dirs',`
 	gen_require(`
 		type cgroup_t;
 
 	')
 
-	manage_dirs_pattern($1, cgroup_t, cgroup_t)
+	search_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Set attributes of files on cgroup
-##	file systems.
+##	Manage cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -700,19 +731,18 @@ interface(`fs_manage_cgroup_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_setattr_cgroup_files',`
+interface(`fs_manage_cgroup_files',`
 	gen_require(`
 		type cgroup_t;
 
 	')
 
-	setattr_files_pattern($1, cgroup_t, cgroup_t)
+	manage_files_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Read files on cgroup
-##	file systems.
+##	Read cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -731,8 +761,7 @@ interface(`fs_read_cgroup_files',`
 
 ########################################
 ## <summary>
-##	Write files on cgroup
-##	file systems.
+##	Read and write cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -740,19 +769,18 @@ interface(`fs_read_cgroup_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_write_cgroup_files', `
+interface(`fs_rw_cgroup_files',`
 	gen_require(`
 		type cgroup_t;
 
 	')
 
-	write_files_pattern($1, cgroup_t, cgroup_t)
+	rw_files_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write files on cgroup
-##	file systems.
+##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -760,13 +788,51 @@ interface(`fs_write_cgroup_files', `
 ##	</summary>
 ## </param>
 #
-interface(`fs_rw_cgroup_files',`
+interface(`fs_write_cgroup_files', `
 	gen_require(`
 		type cgroup_t;
+	')
+
+	write_files_pattern($1, cgroup_t, cgroup_t)
+')
 
+########################################
+## <summary>
+##	Do not audit attempts to open,
+##	get attributes, read and write
+##	cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
 	')
 
-	rw_files_pattern($1, cgroup_t, cgroup_t)
+	dontaudit $1 cgroup_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir list_dir_perms;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 774e0a1..cb889c3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -68,6 +68,12 @@ fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
+type cgroup_t;
+fs_type(cgroup_t)
+files_type(cgroup_t)
+files_mountpoint(cgroup_t)
+genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
 type configfs_t;
 fs_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 78fb6b2..5b6c8b9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -46,15 +46,6 @@ role system_r types kernel_t;
 sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 
 #
-# cgroup fs
-#
-
-type cgroup_t;
-fs_type(cgroup_t)
-allow cgroup_t self:filesystem associate;
-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
-#
 # DebugFS
 #
 
-- 
1.7.0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100607/f4bdc195/attachment.bin