From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ cgroups revisited 1/4] First lets clean up what we currently have.
Date: Wed, 28 Apr 2010 11:58:33 +0200 [thread overview]
Message-ID: <20100428095830.GA6461@localhost.localdomain> (raw)
Remove the cgroup declarations from the kernel module and add a new cgroupfs
declaration in filesystems module.
Rename all cgroup interfaces in the filesystem interfaces file to reflect the cgroupfs changes.
Modify the calls to cgroup filesystem policy in the virt module.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 a2c146b... 5a34915... M policy/modules/kernel/filesystem.if
:100644 100644 0c413e2... 275a1e5... M policy/modules/kernel/filesystem.te
:100644 100644 3ef6a62... 44d2b58... M policy/modules/kernel/kernel.te
:100644 100644 a2989cd... c0f8293... M policy/modules/services/virt.te
policy/modules/kernel/filesystem.if | 107 +++++++++++++++++------------------
policy/modules/kernel/filesystem.te | 5 ++
policy/modules/kernel/kernel.te | 9 ---
policy/modules/services/virt.te | 4 +-
4 files changed, 58 insertions(+), 67 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a2c146b..5a34915 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -567,12 +567,12 @@ interface(`fs_register_binary_executable_type',`
## </summary>
## </param>
#
-interface(`fs_mount_cgroup', `
+interface(`fs_mount_cgroupfs', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
')
- allow $1 cgroup_t:filesystem mount;
+ allow $1 cgroupfs_t:filesystem mount;
')
########################################
@@ -586,12 +586,12 @@ interface(`fs_mount_cgroup', `
## </summary>
## </param>
#
-interface(`fs_remount_cgroup', `
+interface(`fs_remount_cgroupfs', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
')
- allow $1 cgroup_t:filesystem remount;
+ allow $1 cgroupfs_t:filesystem remount;
')
########################################
@@ -604,12 +604,12 @@ interface(`fs_remount_cgroup', `
## </summary>
## </param>
#
-interface(`fs_unmount_cgroup', `
+interface(`fs_unmount_cgroupfs', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
')
- allow $1 cgroup_t:filesystem unmount;
+ allow $1 cgroupfs_t:filesystem unmount;
')
########################################
@@ -623,56 +623,56 @@ interface(`fs_unmount_cgroup', `
## </param>
## <rolecap/>
#
-interface(`fs_getattr_cgroup',`
+interface(`fs_getattr_cgroupfs', `
gen_require(`
- type cifs_t;
+ type cgroupfs_t;
')
- allow $1 cifs_t:filesystem getattr;
+ allow $1 cgroupfs_t:filesystem getattr;
')
########################################
## <summary>
-## list dirs on cgroup
-## file systems.
+## list dirs on cgroup
+## file systems.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`fs_list_cgroup_dirs', `
- gen_require(`
- type cgroup_t;
-
- ')
+interface(`fs_list_cgroupfs_dirs', `
+ gen_require(`
+ type cgroupfs_t;
+ ')
- list_dirs_pattern($1, cgroup_t, cgroup_t)
+ list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
')
########################################
## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## Manage dirs on cgroup file systems.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fs_dontaudit_list_cifs_dirs',`
+interface(`fs_manage_cgroupfs_dirs', `
gen_require(`
- type cifs_t;
+ type cgroupfs_t;
+
')
- dontaudit $1 cifs_t:dir list_dir_perms;
+ manage_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
')
########################################
## <summary>
-## Manage dirs on cgroup file systems.
+## Set attributes of files on cgroup
+## file systems.
## </summary>
## <param name="domain">
## <summary>
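Review bot: The rewrite of fs_getattr_cgroupfs in this hunk silently changes which filesystem the rule targets: the old fs_getattr_cgroup required and allowed `cifs_t:filesystem getattr`, while the new body allows `cgroupfs_t:filesystem getattr`, so any caller of the old interface loses the (mistaken) CIFS permission and gains the cgroup one. That is the right fix, but it is a behavioral change rather than a rename, and the description should say so, e.g. `fs_getattr_cgroup previously granted getattr on cifs_t instead of the cgroup filesystem; corrected while renaming.` Separately, the new gen_require block of fs_manage_cgroupfs_dirs keeps a stray empty line before the closing `')`, which this same patch removes in fs_list_cgroupfs_dirs, fs_setattr_cgroupfs_files and fs_rw_cgroupfs_files; drop it for consistency.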
@@ -680,19 +680,17 @@ interface(`fs_dontaudit_list_cifs_dirs',`
## </summary>
## </param>
#
-interface(`fs_manage_cgroup_dirs',`
+interface(`fs_setattr_cgroupfs_files', `
gen_require(`
- type cgroup_t;
-
+ type cgroupfs_t;
')
- manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ setattr_files_pattern($1, cgroupfs_t, cgroupfs_t)
')
########################################
## <summary>
-## Set attributes of files on cgroup
-## file systems.
+## Read files on cgroup file systems.
## </summary>
## <param name="domain">
## <summary>
@@ -700,19 +698,18 @@ interface(`fs_manage_cgroup_dirs',`
## </summary>
## </param>
#
-interface(`fs_setattr_cgroup_files',`
+interface(`fs_read_cgroupfs_files', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
')
- setattr_files_pattern($1, cgroup_t, cgroup_t)
+ read_files_pattern($1, cgroupfs_t, cgroupfs_t)
')
########################################
## <summary>
-## Read files on cgroup
-## file systems.
+## Write files on cgroup file systems.
## </summary>
## <param name="domain">
## <summary>
@@ -720,18 +717,18 @@ interface(`fs_setattr_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_read_cgroup_files',`
+interface(`fs_write_cgroupfs_files', `
gen_require(`
- type cgroup_t;
+ type cgroupfs_t;
')
- read_files_pattern($1, cgroup_t, cgroup_t)
+ write_files_pattern($1, cgroupfs_t, cgroupfs_t)
')
########################################
## <summary>
-## Write files on cgroup
+## Read and write files on cgroup
## file systems.
## </summary>
## <param name="domain">
@@ -740,33 +737,31 @@ interface(`fs_read_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_write_cgroup_files', `
+interface(`fs_rw_cgroupfs_files', `
gen_require(`
- type cgroup_t;
-
+ type cgroupfs_t;
')
- write_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroupfs_t, cgroupfs_t)
')
########################################
## <summary>
-## Read and write files on cgroup
-## file systems.
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`fs_rw_cgroup_files',`
+interface(`fs_dontaudit_list_cifs_dirs',`
gen_require(`
- type cgroup_t;
-
+ type cifs_t;
')
- rw_files_pattern($1, cgroup_t, cgroup_t)
+ dontaudit $1 cifs_t:dir list_dir_perms;
')
########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 0c413e2..275a1e5 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -68,6 +68,11 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+type cgroupfs_t;
+fs_type(cgroupfs_t)
+files_type(cgroupfs_t)
+genfscon cgroup / gen_context(system_u:object_r:cgroupfs_t,s0)
+
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
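Review bot: The new cgroupfs_t declaration does not carry over the `allow cgroup_t self:filesystem associate;` rule that the kernel.te hunk removes, so associate on the cgroup filesystem is now granted only if `fs_type(cgroupfs_t)` or `files_type(cgroupfs_t)` implies it; I believe files_type does so through fs_associate, but that is not visible here and should be confirmed, since losing it would deny labeling of files under the cgroup mount. The addition of `files_type(cgroupfs_t)` is also new relative to the old cgroup_t and, if files_type attaches the file_type attribute as elsewhere in refpolicy, it brings cgroupfs_t under every rule written against file_type; that is a scope change worth a sentence in the description, e.g. `cgroupfs_t is now a files_type so associate is granted through files_type() rather than an explicit self rule.`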
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3ef6a62..44d2b58 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -46,15 +46,6 @@ role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
#
-# cgroup fs
-#
-
-type cgroup_t;
-fs_type(cgroup_t)
-allow cgroup_t self:filesystem associate;
-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
-#
# DebugFS
#
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a2989cd..c0f8293 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -265,8 +265,8 @@ fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
-fs_manage_cgroup_dirs(virtd_t)
-fs_rw_cgroup_files(virtd_t)
+fs_manage_cgroupfs_dirs(virtd_t)
+fs_rw_cgroupfs_files(virtd_t)
mcs_process_set_categories(virtd_t)
--
1.7.0.1