From: domg472@gmail.com (Dominick Grift) Date: Sun, 8 Aug 2010 12:05:41 +0200 Subject: [refpolicy] [ cgroup patch (RETRY) 1/1] Confine /sbin/cgclear. Message-ID: <20100808100537.GA4015@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Libcgroup moved cgclear to /sbin. Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy. We might want to add cgroup_run_cgclear to sysadm module. Signed-off-by: Dominick Grift --- :100644 100644 c17388d... 420c9d3... M policy/modules/services/cgroup.fc :100644 100644 2d1eaf3... 66d68bc... M policy/modules/services/cgroup.if :100644 100644 bb3a671... 2bfc041... M policy/modules/services/cgroup.te :100644 100644 29f9757... bd45076... M policy/modules/system/init.te policy/modules/services/cgroup.fc | 4 ++ policy/modules/services/cgroup.if | 66 +++++++++++++++++++++++++++++++++---- policy/modules/services/cgroup.te | 31 +++++++++++++++-- policy/modules/system/init.te | 6 +-- 4 files changed, 93 insertions(+), 14 deletions(-) diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc index c17388d..420c9d3 100644 --- a/policy/modules/services/cgroup.fc +++ b/policy/modules/services/cgroup.fc 
@@ -1,10 +1,14 @@ /etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0) /etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) +/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0) +/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) + /etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0) /etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0) /sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) +/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if index 2d1eaf3..66d68bc 100644 --- a/policy/modules/services/cgroup.if +++ b/policy/modules/services/cgroup.if @@ -3,6 +3,26 @@ ######################################## ## ## Execute a domain transition to run +## CG Clear. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`cgroup_domtrans_cgclear',` + gen_require(` + type cgclear_t, cgclear_exec_t; + ') + + domtrans_pattern($1, cgclear_exec_t, cgclear_t) + corecmd_search_bin($1) +') + +######################################## +## +## Execute a domain transition to run ## CG config parser. ## ## @@ -36,7 +56,6 @@ interface(`cgroup_initrc_domtrans_cgconfig',` type cgconfig_initrc_exec_t; ') - files_search_etc($1) init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) ') 
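Review bot: Dropping `files_search_etc($1)` from cgroup_initrc_domtrans_cgconfig in the second cgroup.if hunk is only safe if init_labeled_script_domtrans already grants the /etc directory search needed to reach the script; that appears to be the case in refpolicy, but neither the hunk nor the commit message says so. A short comment above the remaining call, `# init_labeled_script_domtrans() already searches /etc`, or a sentence in the commit message, would record why the search was redundant rather than leaving it to look like an accidental deletion.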
@@ -82,6 +101,34 @@ interface(`cgroup_initrc_domtrans_cgred',` ######################################## ## +## Execute a domain transition to +## run CG Clear and allow the +## specified role the CG Clear +## domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`cgroup_run_cgclear',` + gen_require(` + type cgclear_t; + ') + + cgroup_domtrans_cgclear($1) + role $2 types cgclear_t; +') + +######################################## +## ## Connect to CG rules engine daemon ## over unix stream sockets. ## @@ -91,7 +138,7 @@ interface(`cgroup_initrc_domtrans_cgred',` ## ## # -interface(`cgroup_stream_connect', ` +interface(`cgroup_stream_connect_cgred', ` gen_require(` type cgred_var_run_t, cgred_t; ') @@ -121,14 +168,17 @@ interface(`cgroup_admin',` gen_require(` type cgred_t, cgconfig_t, cgred_var_run_t; type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; - type cgrules_etc_t; + type cgrules_etc_t, cgclear_t, cgclear_exec_t; ') - allow $1 cgconfig_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, cgconfig_t, cgconfig_t) + allow $1 cgclear_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgclear_t) - allow $1 cgred_t:process { ptrace signal_perms getattr }; - read_files_pattern($1, cgred_t, cgred_t) + allow $1 cgconfig_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgconfig_t) + + allow $1 cgred_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgred_t) admin_pattern($1, cgconfig_etc_t) admin_pattern($1, cgrules_etc_t) @@ -144,4 +194,6 @@ interface(`cgroup_admin',` cgroup_initrc_domtrans_cgred($1) role_transition $2 cgred_initrc_exec_t system_r; + + cgroup_run_cgclear($1, $2) ') diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te index bb3a671..2bfc041 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te 
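Review bot: Renaming `cgroup_stream_connect` to `cgroup_stream_connect_cgred` in the @@ -91 hunk removes the old interface name outright, so any policy module outside this tree that still calls cgroup_stream_connect() stops building; refpolicy normally keeps the old name for a release as a deprecated wrapper that warns and forwards. The in-tree caller in init.te is updated later in this patch, so only out-of-tree callers are affected, but that is exactly the case the wrapper exists for.

```m4
interface(`cgroup_stream_connect',`
	refpolicywarn(`$0($*) has been deprecated, please use cgroup_stream_connect_cgred() instead.')
	cgroup_stream_connect_cgred($1)
')
```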
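Review bot: The gen_require in cgroup_admin (the @@ -121 hunk) now pulls in `cgclear_exec_t`, but nothing in the interface body references it; the transition is delegated to cgroup_run_cgclear, which declares its own requirement, so the line can shrink to `type cgrules_etc_t, cgclear_t;`. An unused require makes the admin interface depend on a type it never touches and is the usual source of spurious "type not declared" build breaks if that type is later renamed or moved.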
@@ -5,6 +5,10 @@ policy_module(cgroup, 1.0.0) # Declarations # +type cgclear_t; +type cgclear_exec_t; +init_daemon_domain(cgclear_t, cgclear_exec_t) + type cgred_t; type cgred_exec_t; init_daemon_domain(cgred_t, cgred_exec_t) @@ -30,6 +34,21 @@ files_config_file(cgconfig_etc_t) ######################################## # +# cgclear personal policy. +# + +allow cgclear_t self:capability sys_admin; + +kernel_read_system_state(cgclear_t) + +domain_setpriority_all_domains(cgclear_t) + +fs_manage_cgroup_dirs(cgclear_t) +fs_manage_cgroup_files(cgclear_t) +fs_unmount_cgroup(cgclear_t) + +######################################## +# # cgconfig personal policy. # 
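Review bot: `domain_setpriority_all_domains(cgclear_t)` is the broadest grant in the new cgclear block (setsched on every domain on the system) and, unlike the additions to cgconfig_t and cgred_t elsewhere in this patch, carries no comment saying which denial it satisfies. Presumably it is needed because moving every task back to the root cgroup before the unmount triggers the kernel's setscheduler check; if so, `# moving tasks to the root cgroup triggers a setsched check` above the line records that, and if the trigger is something else the comment should say what it is. The same grant is added for cgred_t in the next cgroup.te hunk and deserves the same note.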
@@ -37,38 +56,44 @@ allow cgconfig_t self:capability { chown sys_admin }; allow cgconfig_t cgconfig_etc_t:file read_file_perms; +# search will do. kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) +# /etc/nsswitch.conf, /etc/passwd files_read_etc_files(cgconfig_t) fs_manage_cgroup_dirs(cgconfig_t) fs_manage_cgroup_files(cgconfig_t) fs_mount_cgroup(cgconfig_t) fs_mounton_cgroup(cgconfig_t) -fs_unmount_cgroup(cgconfig_t) ######################################## # # cgred personal policy. # -allow cgred_t self:capability { net_admin sys_ptrace dac_override }; +allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; allow cgred_t cgrules_etc_t:file read_file_perms; +# rc script creates pid file +manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file) +files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) kernel_read_system_state(cgred_t) domain_read_all_domains_state(cgred_t) +domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) + +# /etc/group files_read_etc_files(cgred_t) fs_write_cgroup_files(cgred_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 29f9757..bd45076 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -338,9 +338,7 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) -fs_delete_cgroup_dirs(initrc_t) -fs_list_cgroup_dirs(initrc_t) -fs_rw_cgroup_files(initrc_t) +fs_write_cgroup_files(initrc_t) fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs 
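Review bot: The comment `# rc script creates pid file` above `manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)` contradicts the grant it annotates: the permission and the widened `files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })` are given to cgred_t, which means the daemon itself creates the pid file, whereas a file created by the rc script would be initrc_t's access to grant. Either reword it to `# cgred writes its own pid file` or, if the rc script really does create it, the grant belongs with initrc_t rather than here. Separately, `sys_admin` is added to cgred_t's capability set with no note of what needs it; a capability this broad deserves the same one-line justification the other additions in this hunk carry.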
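Review bot: The init.te hunk replaces list, read/write and delete on cgroup directories and files for initrc_t with `fs_write_cgroup_files(initrc_t)` alone, which is a narrowing rather than the no-op the commit message suggests ("we do not have to extend the initrc_t domains policy"). Any init script other than cgconfig that reads cgroup files or creates and removes cgroup directories loses that access, and nothing in the patch says those accesses were traced to cgclear only. A sentence in the commit message explaining why read and delete are no longer needed by initrc_t, or keeping `fs_list_cgroup_dirs(initrc_t)` if script-driven listing is still expected, would settle it.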
@@ -570,7 +568,7 @@ optional_policy(` ') optional_policy(` - cgroup_stream_connect(initrc_t) + cgroup_stream_connect_cgred(initrc_t) ') optional_policy(` -- 1.7.2.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100808/b8cd3fed/attachment.bin