From: domg472@gmail.com (Dominick Grift)
Date: Fri, 8 Oct 2010 23:28:01 +0200
Subject: [refpolicy] [ patch 1/1] Cgroup: needs to mount to /sys/fs/cgroup.
Message-ID: <20101008210254.GA28941@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I am not sure why libcgroup is moving locations for cgroupfs. Seems they now use /cgroup again, where they were using /sys/fs/cgroup a version before.

But since we added initial support for /sys/fs/cgroup, we might as well make that work i guess.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 99482ca... ab8b7aa... M	policy/modules/kernel/devices.if
:100644 100644 59bae6a... f0cce08... M	policy/modules/kernel/filesystem.fc
:100644 100644 0dff98e... d5b1551... M	policy/modules/kernel/filesystem.te
 policy/modules/kernel/devices.if    |   18 ++++++++++++++++++
 policy/modules/kernel/filesystem.fc |    4 +++-
 policy/modules/kernel/filesystem.te |    1 +
 3 files changed, 22 insertions(+), 1 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 99482ca..ab8b7aa 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3613,6 +3613,24 @@ interface(`dev_manage_smartcard',`
 
 ########################################
 ## <summary>
+##	Associate to sysfs filesystems.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type to be associated.
+##	</summary>
+## </param>
+#
+interface(`dev_associate_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of sysfs directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 59bae6a..f0cce08 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -2,5 +2,7 @@
 /dev/shm/.*		<<none>>
 
 /cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
+/cgroup/.*	<<none>>
 
-/sys/fs/cgroup(/.*)?	<<none>>
+/sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
+/sys/fs/cgroup/.*	<<none>>
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 0dff98e..d5b1551 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -71,6 +71,7 @@ type cgroup_t;
 fs_type(cgroup_t)
 files_type(cgroup_t)
 files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
-- 
1.7.2.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101008/b643373b/attachment.bin