From: domg472@gmail.com (Dominick Grift)
Date: Mon, 11 Oct 2010 18:06:28 +0200
Subject: [refpolicy] [ patch 1/1] cgroup: cgred and cgconfig rc scripts in F14 need to read their config files.
Message-ID: <20101011160624.GA16651@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

cgroup: remove file context specification for /sys/fs/cgroup for now.
cgroup: cgred needs listen IPC unix_stream_socket.
cgroup: cleanups.

Signed-off-by: Dominick Grift
---
:100644 100644 59bae6a... 451fd81... M policy/modules/kernel/filesystem.fc
:100644 100644 d020c93... dfed218... M policy/modules/services/cgroup.if
:100644 100644 8ca2333... f7311b6... M policy/modules/services/cgroup.te
:100644 100644 8a105fd... 42fb68a... M policy/modules/system/init.te
 policy/modules/kernel/filesystem.fc | 3 +-
 policy/modules/services/cgroup.if | 69 ++++++++++++++++++++++++++---------
 policy/modules/services/cgroup.te | 2 +-
 policy/modules/system/init.te | 2 +
 4 files changed, 56 insertions(+), 20 deletions(-)

diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 59bae6a..451fd81 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -2,5 +2,4 @@
 /dev/shm/.* <>
 /cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-
-/sys/fs/cgroup(/.*)? <>
+/cgroup/.* <>
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index d020c93..dfed218 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
@@ -2,13 +2,12 @@
 ########################################
 ##
-## Execute a domain transition to run
-## CG Clear.
+## Execute CG clear in the cgclear domain.
 ##
 ##
-##
+##
 ## Domain allowed to transition.
-##
+##
 ##
 #
 interface(`cgroup_domtrans_cgclear',`
@@ -22,13 +21,12 @@ interface(`cgroup_domtrans_cgclear',`
 ########################################
 ##
-## Execute a domain transition to run
-## CG config parser.
+## Execute CG config parser in the cgconfig domain.
 ##
 ##
-##
+##
 ## Domain allowed to transition.
-##
+##
 ##
 #
 interface(`cgroup_domtrans_cgconfig',`
@@ -61,13 +59,31 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
 ########################################
 ##
-## Execute a domain transition to run
-## CG rules engine daemon.
+## Read CG config parser configuration files.
 ##
 ##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cgroup_read_cgconfig_config',`
+ gen_require(`
+ type cgconfig_etc_t;
+ ')
+
+ allow $1 cgconfig_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
 ##
-## Domain allowed to transition.
+## Execute CG rules engine daemon in the cgred domain.
 ##
+##
+##
+## Domain allowed to transition.
+##
 ##
 #
 interface(`cgroup_domtrans_cgred',`
@@ -102,8 +118,8 @@ interface(`cgroup_initrc_domtrans_cgred',`
 ########################################
 ##
 ## Execute a domain transition to
-## run CG Clear and allow the
-## specified role the CG Clear
+## run CG clear and allow the
+## specified role the cgclear
 ## domain.
 ##
 ##
@@ -130,7 +146,7 @@ interface(`cgroup_run_cgclear',`
 ########################################
 ##
 ## Connect to CG rules engine daemon
-## over unix stream sockets.
+## with unix stream sockets.
 ##
 ##
 ##
@@ -138,7 +154,7 @@ interface(`cgroup_run_cgclear',`
 ##
 ##
 #
-interface(`cgroup_stream_connect_cgred', `
+interface(`cgroup_stream_connect_cgred',`
 gen_require(`
 type cgred_var_run_t, cgred_t;
 ')
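Review bot: `cgroup_read_cgconfig_config` (hunk `@@ -61,13 +59,31 @@`) grants the read with a bare `allow $1 cgconfig_etc_t:file read_file_perms;`; in .if files refpolicy normally writes this as `read_files_pattern($1, cgconfig_etc_t, cgconfig_etc_t)`, which is the same file access plus search on any directory carrying the type, so the interface keeps working if the type is ever applied to a directory. The same applies to `cgroup_read_cgred_config` added in the next hunk (`@@ -149,6 +165,25 @@`). The bare allow does match how cgroup.te itself reads the rules file (`allow cgred_t cgrules_etc_t:file read_file_perms;`), so this is a point of style rather than a defect.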
@@ -149,6 +165,25 @@ interface(`cgroup_stream_connect_cgred', `
 ########################################
 ##
+## Read CG rules engine daemon configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cgroup_read_cgred_config',`
+ gen_require(`
+ type cgrules_etc_t;
+ ')
+
+ allow $1 cgrules_etc_t:file read_file_perms;
+ files_search_etc($1)
+')
+
+########################################
+##
 ## All of the rules required to administrate
 ## an cgroup environment.
 ##
@@ -182,10 +217,10 @@ interface(`cgroup_admin',`
 admin_pattern($1, cgconfig_etc_t)
 admin_pattern($1, cgrules_etc_t)
- files_search_etc($1)
+ files_list_etc($1)
 admin_pattern($1, cgred_var_run_t)
- files_search_pids($1)
+ files_list_pids($1)
 cgroup_initrc_domtrans_cgconfig($1)
 domain_system_change_exemption($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 8ca2333..f7311b6 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -76,10 +76,10 @@ fs_mounton_cgroup(cgconfig_t)
 allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t self:unix_stream_socket listen;
 allow cgred_t cgrules_etc_t:file read_file_perms;
-# rc script creates pid file
 manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
 manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
 files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8a105fd..42fb68a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
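Review bot: The new `allow cgred_t self:unix_stream_socket listen;` in the cgroup.te hunk (`@@ -76,10 +76,10 @@`) grants listen on its own, but a listening socket also needs create, bind and accept; none of those appears in the visible lines, so unless another rule in cgroup.te already covers them the daemon will hit the next denial as soon as a client connects. The neighbouring netlink_socket and unix_dgram_socket rules are written as complete permission sets, so the consistent form would be `allow cgred_t self:unix_stream_socket create_stream_socket_perms;` (or the exact set the daemon is observed to need). The same hunk drops the `# rc script creates pid file` comment while keeping the manage_files_pattern rule under it; if the pid file is in fact created by cgred_t itself, a one-line comment saying so keeps the rationale for that rule visible.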
@@ -571,6 +571,8 @@ optional_policy(`
 ')
 optional_policy(`
+ cgroup_read_cgconfig_config(initrc_t)
+ cgroup_read_cgred_config(initrc_t)
 cgroup_stream_connect_cgred(initrc_t)
 ')
--
1.7.2.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101011/9bde211d/attachment-0001.bin