From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ cgroups revisited 2/4] Now implement libcgroup policy.
Date: Wed, 28 Apr 2010 12:00:14 +0200 [thread overview]
Message-ID: <20100428100011.GA6487@localhost.localdomain> (raw)
This is a set of scripts that automate cgroup management.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 5a34915... 3b65a38... M policy/modules/kernel/filesystem.if
:000000 100644 0000000... dd006ff... A policy/modules/services/cgroup.fc
:000000 100644 0000000... abcab97... A policy/modules/services/cgroup.if
:000000 100644 0000000... 67facee... A policy/modules/services/cgroup.te
policy/modules/kernel/filesystem.if | 19 +++++
policy/modules/services/cgroup.fc | 11 +++
policy/modules/services/cgroup.if | 126 +++++++++++++++++++++++++++++++++++
policy/modules/services/cgroup.te | 111 ++++++++++++++++++++++++++++++
4 files changed, 267 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5a34915..3b65a38 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -633,6 +633,25 @@ interface(`fs_getattr_cgroupfs', `
########################################
## <summary>
+## Delete dirs on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_cgroupfs_dirs', `
+ gen_require(`
+ type cgroupfs_t;
+ ')
+
+ delete_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
+')
+
+########################################
+## <summary>
## list dirs on cgroup
## file systems.
## </summary>
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
new file mode 100644
index 0000000..dd006ff
--- /dev/null
+++ b/policy/modules/services/cgroup.fc
@@ -0,0 +1,11 @@
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
+
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
new file mode 100644
index 0000000..abcab97
--- /dev/null
+++ b/policy/modules/services/cgroup.if
@@ -0,0 +1,126 @@
+## <summary>Control group rules engine daemon.</summary>
+## <desc>
+## <p>
+## cgrulesengd is a daemon, which distributes processes
+## to control groups. When any process changes its
+## effective UID or GID, cgred inspects list of
+## rules loaded from cgrules.conf file and moves the
+## process to the appropriate control group.
+## </p>
+## <p>
+## The list of rules is read during the daemon startup and
+## are cached in daemons memory. The daemon reloads the
+## list of rules when it receives SIGUSR2 signal.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Delete cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_delete_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ cgroup_search_cgroup_dirs($1)
+')
+
+########################################
+## <summary>
+## List cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_list_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_manage_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_rw_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Search cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_search_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write cgred sock file in /var/run.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_stream_connect', `
+ gen_require(`
+ type cgred_var_run_t, cgred_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+')
+
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
new file mode 100644
index 0000000..67facee
--- /dev/null
+++ b/policy/modules/services/cgroup.te
@@ -0,0 +1,111 @@
+
+policy_module(cgroup, 1.0.0)
+
+########################################
+#
+# cgroup global declarations.
+#
+
+type cgroup_t;
+files_mountpoint(cgroup_t)
+
+########################################
+#
+# cgclear personal declarations.
+#
+
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
+########################################
+#
+# cgconfig personal declarations.
+#
+
+type cgconfigparser_t;
+type cgconfigparser_exec_t;
+init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+########################################
+#
+# cgred personal declarations.
+#
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+########################################
+#
+# cgclear personal policy.
+#
+
+kernel_read_system_state(cgclear_t)
+
+fs_delete_cgroupfs_dirs(cgclear_t)
+fs_list_cgroupfs_dirs(cgclear_t)
+fs_rw_cgroupfs_files(cgclear_t)
+fs_unmount_cgroupfs(cgclear_t)
+
+cgroup_delete_cgroup_dirs(cgclear_t)
+
+########################################
+#
+# cgconfig personal policy.
+#
+
+manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
+manage_files_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
+allow cgconfigparser_t cgroup_t:dir mounton;
+
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
+
+files_read_etc_files(cgconfigparser_t)
+
+fs_manage_cgroupfs_dirs(cgconfigparser_t)
+fs_mount_cgroupfs(cgconfigparser_t)
+fs_rw_cgroupfs_files(cgconfigparser_t)
+fs_setattr_cgroupfs_files(cgconfigparser_t)
+
+########################################
+#
+# cgred personal policy.
+#
+
+allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+
+files_read_etc_files(cgred_t)
+
+files_search_all(cgred_t)
+files_getattr_all_files(cgred_t)
+files_getattr_all_dirs(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_getattr_all_pipes(cgred_t)
+files_read_all_symlinks(cgred_t)
+
+fs_write_cgroupfs_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
+
--
1.7.0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100428/736f358a/attachment.bin
reply other threads:[~2010-04-28 10:00 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100428100011.GA6487@localhost.localdomain \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.