From: jason@perfinion.com (Jason Zaman) Date: Fri, 26 May 2017 23:58:00 +0800 Subject: [refpolicy] [PATCH 5/6] cgmanager: add policy from gentoo In-Reply-To: <20170526155801.5441-1-jason@perfinion.com> References: <20170526155801.5441-1-jason@perfinion.com> Message-ID: <20170526155801.5441-5-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com
---
 cgmanager.fc | 9 ++++++++
 cgmanager.if | 22 ++++++++++++++++++++
 cgmanager.te | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 cgmanager.fc
 create mode 100644 cgmanager.if
 create mode 100644 cgmanager.te
diff --git a/cgmanager.fc b/cgmanager.fc
new file mode 100644
index 0000000..b02ca99
--- /dev/null
+++ b/cgmanager.fc
@@ -0,0 +1,9 @@
+/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/libexec/cgmanager/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/run/cgmanager(/.*)? gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)? <>
diff --git a/cgmanager.if b/cgmanager.if
new file mode 100644
index 0000000..ad459a6
--- /dev/null
+++ b/cgmanager.if
@@ -0,0 +1,22 @@
+## Control Group manager daemon.
+
+########################################
+##
+## Connect to cgmanager with a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cgmanager_stream_connect',`
+ gen_require(`
+ type cgmanager_t, cgmanager_cgroup_t;
+ ')
+
+ fs_search_cgroup_dirs($1)
+ list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+ stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
diff --git a/cgmanager.te b/cgmanager.te
new file mode 100644
index 0000000..d70e8ca
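Review bot: The pid-file entry `+/run/cgmanager.pid gen_context(system_u:object_r:cgmanager_run_t,s0)` has neither the `--` regular-file specifier nor an escaped dot, so the pattern matches any object class and any character in place of the dot; refpolicy's .fc convention for a pid file is `/run/cgmanager\.pid -- gen_context(system_u:object_r:cgmanager_run_t,s0)`. The executable entries above it use `--` correctly. The last line's `<>` reads like a `<<none>>` context whose angle brackets were lost in rendering; it is worth confirming the committed file carries the full token, since that is what keeps setfiles/restorecon from relabelling whatever cgmanager mounts under /run/cgmanager/fs.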
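Review bot: The documentation block of `cgmanager_stream_connect` shows only bare `##` lines where refpolicy interfaces carry `<summary>`, `<desc>` and `<param name="domain">` markup, and the module's first line `## Control Group manager daemon.` likewise lacks its `<summary>` tags. This may just be the list archive stripping the XML, but if the committed file really lacks it the interface documentation build will not pick the interface up, so confirm before merging. Independently of the markup, the summary would be clearer if it said where the socket lives, since the .fc labels it under the cgroup hierarchy rather than /run: `## Connect to cgmanager's unix stream socket, which is created under the cgroup filesystem (cgmanager_cgroup_t).`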
--- /dev/null
+++ b/cgmanager.te
@@ -0,0 +1,67 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+# for the release agent
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
-- 2.13.0
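Review bot: `allow cgmanager_t self:capability { sys_admin dac_override };` grants `dac_override` with no comment saying which access needs it; refpolicy's convention is to start with `dac_read_search`, which is enough to traverse and read files the daemon does not own, and to widen to `dac_override` only when a denial shows it actually writes such files. Either retest with `allow cgmanager_t self:capability { sys_admin dac_read_search };` or keep the line and add a comment above it naming the path that needs the override. `domain_read_all_domains_state(cgmanager_t)` is similarly unexplained and reaches into every domain's /proc state; a one-line comment stating which per-process information cgmanager reads would let a later reviewer judge whether a narrower interface suffices. The mount/unmount block is the only wide grant that already carries a justification, which is the pattern the rest should follow.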