From: pebenito@gentoo.org (Chris PeBenito)
Date: Mon, 09 Aug 2010 09:12:36 -0400
Subject: [refpolicy] [ cgroup patch (RETRY) 1/1] Confine /sbin/cgclear.
In-Reply-To: <20100808100537.GA4015@localhost.localdomain>
References: <20100808100537.GA4015@localhost.localdomain>
Message-ID: <4C5FFEC4.6020407@gentoo.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/08/10 06:05, Dominick Grift wrote:
> Libcgroup moved cgclear to /sbin.
> Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
> We might want to add cgroup_run_cgclear to sysadm module.

Merged.

> Signed-off-by: Dominick Grift
> ---
> :100644 100644 c17388d... 420c9d3... M policy/modules/services/cgroup.fc
> :100644 100644 2d1eaf3... 66d68bc... M policy/modules/services/cgroup.if
> :100644 100644 bb3a671... 2bfc041... M policy/modules/services/cgroup.te
> :100644 100644 29f9757... bd45076... M policy/modules/system/init.te
> policy/modules/services/cgroup.fc | 4 ++
> policy/modules/services/cgroup.if | 66 +++++++++++++++++++++++++++++++++----
> policy/modules/services/cgroup.te | 31 +++++++++++++++--
> policy/modules/system/init.te | 6 +--
> 4 files changed, 93 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
> index c17388d..420c9d3 100644
> --- a/policy/modules/services/cgroup.fc
> +++ b/policy/modules/services/cgroup.fc
> @@ -1,10 +1,14 @@
> /etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
> /etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
>
> +/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
> +/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
> +
> /etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
>
> /sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
> /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
> +/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
>
> /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
> diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
> index 2d1eaf3..66d68bc 100644
> --- a/policy/modules/services/cgroup.if
> +++ b/policy/modules/services/cgroup.if
> @@ -3,6 +3,26 @@
> ########################################
> ##
> ## Execute a domain transition to run
> +## CG Clear.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`cgroup_domtrans_cgclear',`
> + gen_require(`
> + type cgclear_t, cgclear_exec_t;
> + ')
> +
> + domtrans_pattern($1, cgclear_exec_t, cgclear_t)
> + corecmd_search_bin($1)
> +')
> +
> +########################################
> +##
> +## Execute a domain transition to run
> ## CG config parser.
> ##
> ##
> @@ -36,7 +56,6 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
> type cgconfig_initrc_exec_t;
> ')
>
> - files_search_etc($1)
> init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
> ')
>
> @@ -82,6 +101,34 @@ interface(`cgroup_initrc_domtrans_cgred',`
>
> ########################################
> ##
> +## Execute a domain transition to
> +## run CG Clear and allow the
> +## specified role the CG Clear
> +## domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +#
> +interface(`cgroup_run_cgclear',`
> + gen_require(`
> + type cgclear_t;
> + ')
> +
> + cgroup_domtrans_cgclear($1)
> + role $2 types cgclear_t;
> +')
> +
> +########################################
> +##
> ## Connect to CG rules engine daemon
> ## over unix stream sockets.
> ##
> @@ -91,7 +138,7 @@ interface(`cgroup_initrc_domtrans_cgred',`
> ##
> ##
> #
> -interface(`cgroup_stream_connect', `
> +interface(`cgroup_stream_connect_cgred', `
> gen_require(`
> type cgred_var_run_t, cgred_t;
> ')
> @@ -121,14 +168,17 @@ interface(`cgroup_admin',`
> gen_require(`
> type cgred_t, cgconfig_t, cgred_var_run_t;
> type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
> - type cgrules_etc_t;
> + type cgrules_etc_t, cgclear_t, cgclear_exec_t;
> ')
>
> - allow $1 cgconfig_t:process { ptrace signal_perms getattr };
> - read_files_pattern($1, cgconfig_t, cgconfig_t)
> + allow $1 cgclear_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cgclear_t)
>
> - allow $1 cgred_t:process { ptrace signal_perms getattr };
> - read_files_pattern($1, cgred_t, cgred_t)
> + allow $1 cgconfig_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cgconfig_t)
> +
> + allow $1 cgred_t:process { ptrace signal_perms };
> + ps_process_pattern($1, cgred_t)
>
> admin_pattern($1, cgconfig_etc_t)
> admin_pattern($1, cgrules_etc_t)
> @@ -144,4 +194,6 @@ interface(`cgroup_admin',`
>
> cgroup_initrc_domtrans_cgred($1)
> role_transition $2 cgred_initrc_exec_t system_r;
> +
> + cgroup_run_cgclear($1, $2)
> ')
> diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
> index bb3a671..2bfc041 100644
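Review bot: In the cgroup_admin gen_require, `cgclear_exec_t` is added next to `cgclear_t` but none of the changed lines reference it, and the untouched parts of cgroup_admin predate the type; the transition itself goes through cgroup_run_cgclear, which requires what it needs on its own. An unused require entry does not break the build, but it sends the next reader looking for a rule that does not exist. Suggested line: `type cgrules_etc_t, cgclear_t;`. cgroup_admin's body continues between and after the hunks shown.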
> --- a/policy/modules/services/cgroup.te
> +++ b/policy/modules/services/cgroup.te
> @@ -5,6 +5,10 @@ policy_module(cgroup, 1.0.0)
> # Declarations
> #
>
> +type cgclear_t;
> +type cgclear_exec_t;
> +init_daemon_domain(cgclear_t, cgclear_exec_t)
> +
> type cgred_t;
> type cgred_exec_t;
> init_daemon_domain(cgred_t, cgred_exec_t)
> @@ -30,6 +34,21 @@ files_config_file(cgconfig_etc_t)
>
> ########################################
> #
> +# cgclear personal policy.
> +#
> +
> +allow cgclear_t self:capability sys_admin;
> +
> +kernel_read_system_state(cgclear_t)
> +
> +domain_setpriority_all_domains(cgclear_t)
> +
> +fs_manage_cgroup_dirs(cgclear_t)
> +fs_manage_cgroup_files(cgclear_t)
> +fs_unmount_cgroup(cgclear_t)
> +
> +########################################
> +#
> # cgconfig personal policy.
> #
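Review bot: cgclear_t is declared with `init_daemon_domain`, but cgclear is a one-shot utility run from the cgconfig rc script (and, via the new cgroup_run_cgclear, by an admin) rather than a long-running daemon; refpolicy's `init_system_domain(cgclear_t, cgclear_exec_t)` is the declaration meant for short-running processes started by init scripts and should still give initrc_t the transition the commit message asks for. Unless cgclear is meant to be treated as a daemon, that is the narrower choice. The version in the hunk's context line, `policy_module(cgroup, 1.0.0)`, is also left unchanged even though the commit adds a domain and renames cgroup_stream_connect to cgroup_stream_connect_cgred; refpolicy convention is to bump it with such changes.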
>
> @@ -37,38 +56,44 @@ allow cgconfig_t self:capability { chown sys_admin };
>
> allow cgconfig_t cgconfig_etc_t:file read_file_perms;
>
> +# search will do.
> kernel_list_unlabeled(cgconfig_t)
> kernel_read_system_state(cgconfig_t)
>
> +# /etc/nsswitch.conf, /etc/passwd
> files_read_etc_files(cgconfig_t)
>
> fs_manage_cgroup_dirs(cgconfig_t)
> fs_manage_cgroup_files(cgconfig_t)
> fs_mount_cgroup(cgconfig_t)
> fs_mounton_cgroup(cgconfig_t)
> -fs_unmount_cgroup(cgconfig_t)
>
> ########################################
> #
> # cgred personal policy.
> #
>
> -allow cgred_t self:capability { net_admin sys_ptrace dac_override };
> +allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
> allow cgred_t self:netlink_socket { write bind create read };
> allow cgred_t self:unix_dgram_socket { write create connect };
>
> allow cgred_t cgrules_etc_t:file read_file_perms;
>
> +# rc script creates pid file
> +manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
> manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
> -files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
> +files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
>
> kernel_read_system_state(cgred_t)
>
> domain_read_all_domains_state(cgred_t)
> +domain_setpriority_all_domains(cgred_t)
>
> files_getattr_all_files(cgred_t)
> files_getattr_all_sockets(cgred_t)
> files_read_all_symlinks(cgred_t)
> +
> +# /etc/group
> files_read_etc_files(cgred_t)
>
> fs_write_cgroup_files(cgred_t)
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 29f9757..bd45076 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
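Review bot: The new cgclear_t policy has no rule allowing writes to the invoking user's terminal, yet cgroup_run_cgclear (added in cgroup.if) lets an admin role run it from a shell, so any diagnostic cgclear prints to the tty would be denied; `userdom_use_user_terminals(cgclear_t)` is the usual addition for admin-run utilities, assuming cgclear does write to stdout/stderr. The `domain_setpriority_all_domains(cgclear_t)` line also deserves a why-comment, since a cgroup clean-up tool has no obvious business with priorities; presumably it is there because moving tasks between cgroups is checked as setsched, e.g. `# setsched is checked when tasks are moved between cgroups -- TODO confirm`. This hunk's trailing context line is the blank before the cgconfig section.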
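Review bot: `sys_admin` is added to cgred_t's capability set without a comment saying which operation needs it, while the neighbouring additions (`# /etc/group`, `# rc script creates pid file`) explain themselves; sys_admin is one of the broadest capabilities, so the reason belongs next to the rule, e.g. `# sys_admin: <operation from the audit denial -- fill in>`. Two of the new comments could also be sharper: `# search will do.` above kernel_list_unlabeled reads as a note-to-self, and something like `# only search of unlabeled dirs is needed; list is the nearest interface` (if no search-only interface exists) states the intent. `# rc script creates pid file` sits above a rule granting cgred_t itself manage rights on that file, so it should say what the daemon does with the file when the script is the one creating it.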
> @@ -338,9 +338,7 @@ files_mounton_isid_type_dirs(initrc_t)
> files_list_default(initrc_t)
> files_mounton_default(initrc_t)
>
> -fs_delete_cgroup_dirs(initrc_t)
> -fs_list_cgroup_dirs(initrc_t)
> -fs_rw_cgroup_files(initrc_t)
> +fs_write_cgroup_files(initrc_t)
> fs_list_inotifyfs(initrc_t)
> fs_register_binary_executable_type(initrc_t)
> # rhgb-console writes to ramfs
> @@ -570,7 +568,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - cgroup_stream_connect(initrc_t)
> + cgroup_stream_connect_cgred(initrc_t)
> ')
>
> optional_policy(`
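Review bot: Dropping `fs_list_cgroup_dirs(initrc_t)` leaves initrc_t depending on `fs_write_cgroup_files` to carry search permission on cgroup_t directories; that is worth confirming in filesystem.if, because without it the path lookup to the file being written is denied even though the write itself is allowed. Since unmount and directory deletion now move to cgclear_t, a short comment naming which rc script still writes cgroup files directly would make the remaining rule self-explanatory, e.g. `# cgconfig rc script writes cgroup control files -- TODO confirm`.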