From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 27 Apr 2016 12:35:35 +0200
Subject: [refpolicy] [PATCH] Add hwloc skel
In-Reply-To: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com>
References: <1461745535-6857-1-git-send-email-grzegorz.andrejczuk@intel.com>
Message-ID: <1461753335-9985-1-git-send-email-dac.override@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Signed-off-by: Dominick Grift
---
 hwloc.fc | 3 ++
 hwloc.if | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 hwloc.te | 28 +++++++++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 hwloc.fc
 create mode 100644 hwloc.if
 create mode 100644 hwloc.te
diff --git a/hwloc.fc b/hwloc.fc
new file mode 100644
index 0000000..81c6451
--- /dev/null
+++ b/hwloc.fc
@@ -0,0 +1,3 @@
+/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
diff --git a/hwloc.if b/hwloc.if
new file mode 100644
index 0000000..f0a5217
--- /dev/null
+++ b/hwloc.if
@@ -0,0 +1,103 @@
+## Dump topology and locality information from hardware tables.
+
+########################################
+##
+## Execute hwloc dhwd in the hwloc dhwd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`hwloc_domtrans_hwloc_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+ ')
+
+ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+##
+## Execute hwloc dhwd in the hwloc dhwd domain, and
+## allow the specified role the hwloc dhwd domain,
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`hwloc_run_hwloc_dhwd',`
+ gen_require(`
+ attribute_role hwloc_dhwd_roles;
+ ')
+
+ hwloc_domtrans_hwloc_dhwd($1)
+ roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+##
+## Execute hwloc dhwd in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hwloc_exec_hwloc_dhwd',`
+ gen_require(`
+ type hwloc_dhwd_exec_t;
+ ')
+
+ can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+##
+## Manage hwloc runtime.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hwloc_manage_runtime',`
+ gen_require(`
+ type hwloc_var_run_t;
+ ')
+
+ files_rw_pid_dirs($1)
+ allow $1 hwloc_var_run_t:dir manage_dir_perms;
+ allow $1 hwloc_var_run_t:file manage_file_perms;
+ allow $1 hwloc_var_run_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+##
+## Read hwloc runtime files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hwloc_read_runtime_files',`
+ gen_require(`
+ type hwloc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
diff --git a/hwloc.te b/hwloc.te
new file mode 100644
index 0000000..3465e3a
--- /dev/null
+++ b/hwloc.te
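Review bot: `hwloc_manage_runtime` grants `files_rw_pid_dirs($1)`, which lets every caller add and remove entries directly in the /var/run directory rather than only inside hwloc_var_run_t; unless callers are expected to create the hwloc runtime directory themselves (the `files_pid_filetrans` in hwloc.te already covers creation by hwloc_dhwd_t), `files_search_pids($1)` is the narrower and more usual grant, matching what `hwloc_read_runtime_files` does. The three bare `allow $1 hwloc_var_run_t:...` rules in that interface would read more conventionally for refpolicy as `manage_dirs_pattern($1, hwloc_var_run_t, hwloc_var_run_t)`, `manage_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)` and `manage_lnk_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)`; the same applies to the two allow rules in the hwloc.te hunk. The interface summaries refer only to "hwloc dhwd", which is hard to map back to the program; naming the executable once, e.g. `## Execute hwloc-dump-hwdata (hwloc dhwd) in the hwloc dhwd domain.`, would help readers of the generated documentation.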
@@ -0,0 +1,28 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
-- 
2.5.5
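Review bot: `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)` is an unnamed transition, so any directory hwloc_dhwd_t creates directly under /var/run is labeled hwloc_var_run_t, not only the hwloc directory that hwloc.fc declares; passing the name argument keeps the labeling consistent with the file context: `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir, "hwloc")`. The domain is also declared with `init_system_domain` but the local policy has no comment on what the program needs sysfs for; a one-line `# hwloc-dump-hwdata reads hardware tables exposed under /sys` above `dev_read_sysfs(hwloc_dhwd_t)` would tie the rule to the module summary in hwloc.if.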