From: jason@perfinion.com (Jason Zaman)
Date: Wed, 17 May 2017 00:56:49 +0800
Subject: [refpolicy] [PATCH 5/6] cgmanager: add policy from gentoo
In-Reply-To:
References: <20170507174343.30160-1-jason@perfinion.com> <20170507174343.30160-5-jason@perfinion.com>
Message-ID: <20170516165649.GB9284@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, May 11, 2017 at 07:34:11PM -0400, Chris PeBenito wrote:
> On 05/07/2017 01:43 PM, Jason Zaman wrote:
> > ---
> > cgmanager.fc | 9 +++++++++
> > cgmanager.if | 22 ++++++++++++++++++++
> > cgmanager.te | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > 3 files changed, 97 insertions(+)
> > create mode 100644 cgmanager.fc
> > create mode 100644 cgmanager.if
> > create mode 100644 cgmanager.te
> >
> > diff --git a/cgmanager.fc b/cgmanager.fc
> > new file mode 100644
> > index 0000000..d53e92f
> > --- /dev/null
> > +++ b/cgmanager.fc
> > @@ -0,0 +1,9 @@
> > +/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> > +/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> > +/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
> > +
> > +/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
> > +
> > +/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
> > +/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
> > +/run/cgmanager/fs(/.*)? <>
> > diff --git a/cgmanager.if b/cgmanager.if
> > new file mode 100644
> > index 0000000..ad459a6
> > --- /dev/null
> > +++ b/cgmanager.if
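Review bot: The `/run/cgmanager.pid` entry in the cgmanager.fc hunk carries no file-type specifier, unlike the three binary entries above it that use `--`, so it would also label a directory or symlink created at that path; `/run/cgmanager.pid -- gen_context(system_u:object_r:cgmanager_run_t,s0)` restricts it to a regular file. The final entry reads `<>` here, which looks like a `<<none>>` token stripped by the mail rendering; it is worth confirming the committed file carries the full token, since without it the cgroup mounts under /run/cgmanager/fs would fall under the preceding `/run/cgmanager(/.*)?` rule and be relabeled cgmanager_run_t on a restorecon.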
> > @@ -0,0 +1,22 @@
> > +## Control Group manager daemon.
> > +
> > +########################################
> > +##
> > +## Connect to cgmanager with a unix
> > +## domain stream socket.
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`cgmanager_stream_connect',`
> > + gen_require(`
> > + type cgmanager_t, cgmanager_cgroup_t;
> > + ')
> > +
> > + fs_search_cgroup_dirs($1)
> > + list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
> > + stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
> > +')
> > diff --git a/cgmanager.te b/cgmanager.te
> > new file mode 100644
> > index 0000000..5c32295
> > --- /dev/null
> > +++ b/cgmanager.te
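Review bot: `cgmanager_stream_connect` grants `list_dirs_pattern` on cgmanager_cgroup_t, which lets every caller read and enumerate the cgmanager cgroup directory tree, while `stream_connect_pattern` on the following line already grants the `search` needed to reach the socket; unless clients must list that tree, `search_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)` is the tighter grant and keeps the interface to what a connect needs. A why-comment above `fs_search_cgroup_dirs($1)` such as `# the socket lives under /sys/fs/cgroup/cgmanager (cgmanager_cgroup_t)` would also explain why a cgroupfs search is part of a stream-connect interface, which is only evident from the .fc entry in the previous hunk. The `##` header lines appear here without the refpolicy XML doc tags (`<summary>`, `<param>`), which may be a rendering artifact; confirm the committed file has them so the interface is picked up by the generated documentation.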
> > @@ -0,0 +1,66 @@
> > +policy_module(cgmanager, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +type cgmanager_t;
> > +type cgmanager_exec_t;
> > +init_daemon_domain(cgmanager_t, cgmanager_exec_t)
> > +
> > +type cgmanager_run_t;
> > +files_pid_file(cgmanager_run_t)
> > +
> > +type cgmanager_cgroup_t;
> > +files_type(cgmanager_cgroup_t)
> > +
> > +########################################
> > +#
> > +# CGManager local policy
> > +#
> > +
> > +allow cgmanager_t self:capability { sys_admin dac_override };
> > +allow cgmanager_t self:fifo_file rw_fifo_file_perms;
> > +
> > +manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> > +manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> > +manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> > +files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
> > +allow cgmanager_t cgmanager_run_t:dir mounton;
> > +
> > +manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> > +manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> > +manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> > +fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
> > +
> > +kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
>
> This is started from the kernel?

Yeah, cgmanager sets this:

# grep release_agent /proc/6060/mounts
none,name=openrc /run/cgmanager/fs/none,name=openrc cgroup rw,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0
pids /run/cgmanager/fs/pids cgroup rw,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids 0 0
none,name=systemd /run/cgmanager/fs/none,name=systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0

which are symlinks to cgm-release-agent so it can handle when things exit.
Dont merge this patch, I just realized an update of cgmanager must have moved the path for that binary so i'll send an update.

--
Jason

> >
> > +kernel_read_system_state(cgmanager_t)
> > +
> > +corecmd_exec_bin(cgmanager_t)
> > +can_exec(cgmanager_t, cgmanager_exec_t)
> > +
> > +domain_read_all_domains_state(cgmanager_t)
> > +
> > +files_read_etc_files(cgmanager_t)
> > +
> > +# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
> > +files_mounton_all_mountpoints(cgmanager_t)
> > +files_unmount_all_file_type_fs(cgmanager_t)
> > +fs_unmount_xattr_fs(cgmanager_t)
> > +
> > +fs_manage_cgroup_dirs(cgmanager_t)
> > +fs_manage_cgroup_files(cgmanager_t)
> > +
> > +fs_getattr_tmpfs(cgmanager_t)
> > +
> > +fs_manage_tmpfs_dirs(cgmanager_t)
> > +fs_manage_tmpfs_files(cgmanager_t)
> > +
> > +fs_mount_cgroup(cgmanager_t)
> > +fs_mount_tmpfs(cgmanager_t)
> > +fs_mounton_tmpfs(cgmanager_t)
> > +fs_remount_cgroup(cgmanager_t)
> > +fs_remount_tmpfs(cgmanager_t)
> > +fs_unmount_cgroup(cgmanager_t)
> > +fs_unmount_tmpfs(cgmanager_t)
> >
> >
> --
> Chris PeBenito
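Review bot: `allow cgmanager_t self:capability { sys_admin dac_override };` at the top of the local policy is the widest grant in this module and nothing in the hunk says which operation needs `dac_override`; if it is only there to traverse cgroup directories owned by other users, `dac_read_search` is the narrower capability, so it is worth checking the AVC denial that motivated it before keeping the full override. The `files_mounton_all_mountpoints`/`files_unmount_all_file_type_fs`/`fs_unmount_xattr_fs` block is explained by the namespace comment above it, but SELinux cannot scope those rules to the daemon's private mount namespace, so the comment should say that the permission is effectively host-wide, e.g. `# NOTE: policy cannot limit this to the private namespace; the daemon can unmount any file_type fs`. `kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)` likewise deserves a why-comment such as `# cgm-release-agent is spawned by the kernel via cgroup release_agent=`, since the mount listing in the reply is currently the only place that is explained, and the agents listed there live under /run/cgmanager/agents (labeled cgmanager_run_t by the .fc), so kernel_t must also be able to follow those symlinks to reach cgmanager_exec_t. This hunk is split by the in-line reply; its second half continues after the signature.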