From: domg472@gmail.com (Dominick Grift)
Date: Mon, 7 Jun 2010 20:23:45 +0200
Subject: [refpolicy] [ patch v2 2/4] add libcg policy.
Message-ID: <20100607182340.GA2939@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Libcgroup automates cgroup management.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:000000 100644 0000000... abde2f2... A	policy/modules/services/cgroup.fc
:000000 100644 0000000... 4b3fb8d... A	policy/modules/services/cgroup.if
:000000 100644 0000000... 32baa99... A	policy/modules/services/cgroup.te
 policy/modules/services/cgroup.fc |   10 +++
 policy/modules/services/cgroup.if |  149 +++++++++++++++++++++++++++++++++++++
 policy/modules/services/cgroup.te |   86 +++++++++++++++++++++
 3 files changed, 245 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
new file mode 100644
index 0000000..abde2f2
--- /dev/null
+++ b/policy/modules/services/cgroup.fc
@@ -0,0 +1,10 @@
+/etc/cgconfig.conf			--	gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/cgrules.conf			--	gen_context(system_u:object_r:cgrules_etc_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig	--	gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred	--	gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/sbin/cgconfigparser		--	gen_context(system_u:object_r:cgconfigparser_exec_t,s0)
+/sbin/cgrulesengd			--	gen_context(system_u:object_r:cgred_exec_t,s0)
+
+/var/run/cgred.*				gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
new file mode 100644
index 0000000..4b3fb8d
--- /dev/null
+++ b/policy/modules/services/cgroup.if
@@ -0,0 +1,149 @@
+## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgconfigparser',`
+	gen_require(`
+		type cgconfigparser_t, cgconfigparser_exec_t;
+	')
+
+	domtrans_pattern($1, cgconfigparser_exec_t, cgconfigparser_t)
+	corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	CG config parser.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgconfigparser',`
+	gen_require(`
+		type cgconfig_initrc_exec_t;
+	')
+
+	files_search_etc($1)
+	init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	CG rules engine daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgred',`
+	gen_require(`
+		type cgred_t, cgred_exec_t;
+	')
+
+	domtrans_pattern($1, cgred_exec_t, cgred_t)
+	corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+## 	CG rules engine daemon.
+##	domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgred',`
+	gen_require(`
+		type cgred_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, cgred_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Connect to CG rules engine daemon
+##	over unix stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cgroup_stream_connect', `
+	gen_require(`
+		type cgred_var_run_t, cgred_t;
+	')
+
+	stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an cgroup environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_admin',`
+	gen_require(`
+		type cgred_t, cgconfigparser_t, cgred_var_run_t;
+		type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
+		type cgred_etc_t, cgroup_t;	
+	')
+
+	allow $1 cgconfigparser_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, cgconfigparser_t, cgconfigparser_t)
+
+	allow $1 cgred_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, cgred_t, cgred_t)
+
+	admin_pattern($1, cgroup_t)
+
+	admin_pattern($1, cgconfig_etc_t)
+	admin_pattern($1, cgred_etc_t)
+	files_search_etc($1)
+
+	admin_pattern($1, cgred_var_run_t)
+	files_search_pids($1)
+
+	cgroup_initrc_domtrans_cgconfigparser($1)
+	domain_system_change_exemption($1)
+	role_transition $2 cgconfig_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	cgroup_initrc_domtrans_cgred($1)
+	role_transition $2 cgred_initrc_exec_t system_r;
+')
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
new file mode 100644
index 0000000..32baa99
--- /dev/null
+++ b/policy/modules/services/cgroup.te
@@ -0,0 +1,86 @@
+
+policy_module(cgroup, 1.0.0)
+
+########################################
+#
+# cgred personal declarations.
+#
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+type cgrules_etc_t;
+files_config_file(cgrules_etc_t)
+
+########################################
+#
+# cgconfig personal declarations.
+#
+
+type cgconfigparser_t;
+type cgconfigparser_exec_t;
+init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+type cgconfig_etc_t;
+files_config_file(cgconfig_etc_t)
+
+########################################
+#
+# cgred personal policy.
+#
+
+allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+allow cgred_t cgrules_etc_t:file read_file_perms;
+
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+
+files_getattr_all_files(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_read_all_symlinks(cgred_t)
+files_search_all(cgred_t)
+
+files_read_etc_files(cgred_t)
+
+fs_write_cgroup_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
+
+########################################
+#
+# cgconfig personal policy.
+#
+
+allow cgconfigparser_t self:capability { chown sys_admin };
+
+allow cgconfigparser_t cgconfig_etc_t:file read_file_perms;
+
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
+
+files_read_etc_files(cgconfigparser_t)
+
+fs_manage_cgroup_dirs(cgconfigparser_t)
+fs_manage_cgroup_files(cgconfigparser_t)
+fs_mount_cgroup(cgconfigparser_t)
+fs_mounton_cgroup(cgconfigparser_t)
+fs_unmount_cgroup(cgconfigparser_t)
-- 
1.7.0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100607/582f4d7e/attachment.bin