From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 07 Jul 2010 08:18:56 -0400
Subject: [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched
 all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin
 capability
In-Reply-To: <20100706141136.GA17216@localhost.localdomain>
References: <20100705120337.GA3421@localhost.localdomain>	<4C331FB9.4010408@tresys.com>
	<20100706141136.GA17216@localhost.localdomain>
Message-ID: <4C3470B0.5030008@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/06/10 10:11, Dominick Grift wrote:
> On Tue, Jul 06, 2010 at 08:21:13AM -0400, Christopher J. PeBenito wrote:
>> On 07/05/10 08:03, Dominick Grift wrote:
>>> Allow cgred to setsched all
>>> Allow initrc (/usr/bin/cgclear) setsched all
>>> Allow cgred sys_admin capability
>>
>> Based on what I see from the cgclear man page, it seems like it
>> should be running in the cgconfig_t domain.
>
> In recent times i have confined /usr/bin/cgclear but i later decided to undo it (it is probably in my "git log" though).
>
> cgclear isnt such a problem to run confined but this app can also be run by users.

This seems like even more of a reason for it to run in cgconfig_t.

> A similar app is cgexec this program basically "extends" init script, but it can also be used to users.

But the purpose of cgconfig_t is for configuring cgroups, right? 
Clearing cgroups is a configuration action too.

> Confining both cgclear and cgexec is possible but it make thing probably more complicated then they need to be.
>
> There are other cg apps called from cgconfig init script as well like: cgset, cgclassify, cgcreate. These are really /usr/bin user apps.
>
> Looking at the initrc policy, initrc has pretty much access so i personally do not have a problem adding this as well to avoid unneeded complications.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com