From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 31 May 2017 21:05:20 -0400 Subject: [refpolicy] [PATCH 5/6] cgmanager: add policy from gentoo In-Reply-To: <20170526155801.5441-5-jason@perfinion.com> References: <20170526155801.5441-1-jason@perfinion.com> <20170526155801.5441-5-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/26/2017 11:58 AM, Jason Zaman wrote:
> ---
> cgmanager.fc | 9 ++++++++
> cgmanager.if | 22 ++++++++++++++++++++
> cgmanager.te | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 98 insertions(+)
> create mode 100644 cgmanager.fc
> create mode 100644 cgmanager.if
> create mode 100644 cgmanager.te
>
> diff --git a/cgmanager.fc
> new file mode 100644
> index 0000000..b02ca99
> --- /dev/null
> +++ b/cgmanager.fc
> @@ -0,0 +1,9 @@
> +/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +
> +/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
> +
> +/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager/fs(/.*)? <>
> diff --git a/cgmanager.if
> new file mode 100644
> index 0000000..ad459a6
> --- /dev/null
> +++ b/cgmanager.if
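Review bot: `/usr/sbin/cgproxy` is given the same `cgmanager_exec_t` label as the daemon, so it will run in `cgmanager_t` with `sys_admin` and the host-wide mount/unmount rights the .te grants; if cgproxy only relays client requests over the cgmanager socket, as its name suggests, a separate exec type and narrower domain would keep that privilege off the proxy. The `/sys/fs/cgroup/cgmanager(/.*)?` entry is on cgroupfs, which as far as I know refpolicy labels via genfscon rather than xattrs, so restorecon/setfiles will not apply this context and the effective label of that directory depends entirely on the transition rule in the .te file. The trailing `<>` on the `/run/cgmanager/fs(/.*)?` line looks like a `<<none>>` entry mangled in this rendering rather than a real typo, but it is worth confirming against the applied patch.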
> @@ -0,0 +1,22 @@
> +## Control Group manager daemon.
> +
> +########################################
> +##
> +## Connect to cgmanager with a unix
> +## domain stream socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`cgmanager_stream_connect',`
> + gen_require(`
> + type cgmanager_t, cgmanager_cgroup_t;
> + ')
> +
> + fs_search_cgroup_dirs($1)
> + list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
> + stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
> +')
> diff --git a/cgmanager.te
> new file mode 100644
> index 0000000..d70e8ca
> --- /dev/null
> +++ b/cgmanager.te
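Review bot: The summary of `cgmanager_stream_connect` does not say which socket the caller is connected to, and the interface name alone does not tell a reader that the socket lives on the cgroup filesystem; given the .fc labels `/sys/fs/cgroup/cgmanager(/.*)?` as `cgmanager_cgroup_t`, the header could read `## Connect to the cgmanager socket under /sys/fs/cgroup/cgmanager with a unix domain stream socket.` so callers understand why `fs_search_cgroup_dirs` is pulled in. A short note that the caller also needs the cgroup filesystem mounted and searchable (this interface grants search/list only on the cgmanager directory itself) would save the next module author an audit2allow round. Refpolicy daemon modules conventionally also ship a `cgmanager_admin` interface; its absence is not a defect, but it is the usual companion to a stream-connect interface.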
> @@ -0,0 +1,67 @@
> +policy_module(cgmanager, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type cgmanager_t;
> +type cgmanager_exec_t;
> +init_daemon_domain(cgmanager_t, cgmanager_exec_t)
> +
> +type cgmanager_run_t;
> +files_pid_file(cgmanager_run_t)
> +
> +type cgmanager_cgroup_t;
> +files_type(cgmanager_cgroup_t)
> +
> +########################################
> +#
> +# CGManager local policy
> +#
> +
> +allow cgmanager_t self:capability { sys_admin dac_override };
> +allow cgmanager_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
> +allow cgmanager_t cgmanager_run_t:dir mounton;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
The above interface doesn't exist.
> +# for the release agent
> +kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
> +kernel_read_system_state(cgmanager_t)
> +
> +corecmd_exec_bin(cgmanager_t)
> +can_exec(cgmanager_t, cgmanager_exec_t)
> +
> +domain_read_all_domains_state(cgmanager_t)
> +
> +files_read_etc_files(cgmanager_t)
> +
> +# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
> +files_mounton_all_mountpoints(cgmanager_t)
> +files_unmount_all_file_type_fs(cgmanager_t)
> +fs_unmount_xattr_fs(cgmanager_t)
> +
> +fs_manage_cgroup_dirs(cgmanager_t)
> +fs_manage_cgroup_files(cgmanager_t)
> +
> +fs_getattr_tmpfs(cgmanager_t)
> +
> +fs_manage_tmpfs_dirs(cgmanager_t)
> +fs_manage_tmpfs_files(cgmanager_t)
> +
> +fs_mount_cgroup(cgmanager_t)
> +fs_mount_tmpfs(cgmanager_t)
> +fs_mounton_tmpfs(cgmanager_t)
> +fs_remount_cgroup(cgmanager_t)
> +fs_remount_tmpfs(cgmanager_t)
> +fs_unmount_cgroup(cgmanager_t)
> +fs_unmount_tmpfs(cgmanager_t)
-- Chris PeBenito
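Review bot: Creating `cgmanager_cgroup_t` directories and sockets on the cgroup filesystem also requires `cgmanager_cgroup_t` to have `associate` on the cgroup filesystem type, and `files_type()` does not appear to grant that for `cgroup_t` (it associates with the default xattr and noxattr filesystems), so whatever form the directory transition under `/sys/fs/cgroup` finally takes, the matching associate rule needs to be present too or the create will be denied. The `self:capability { sys_admin dac_override }` line and the `files_mounton_all_mountpoints`/`files_unmount_all_file_type_fs`/`fs_unmount_xattr_fs` group would benefit from why-comments: the existing "in its own mount namespace" comment does not limit anything, since SELinux cannot scope mount or unmount permissions to a namespace, so these are host-wide rights and the comment should say so, e.g. `# NOTE: these are not namespace-scoped; cgmanager_t can unmount any file_type/xattr fs on the host`. The reason for `dac_override` is not visible here; if it is needed to traverse cgroup directories that cgmanager chowns to unprivileged owners, a one-line comment saying that would help the next reviewer judge whether it can be dropped. `domain_read_all_domains_state` is similarly broad and likewise deserves a comment naming which `/proc/<pid>` entries the daemon reads (presumably client `/proc/<pid>/cgroup`, but I have not verified that).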