* [refpolicy] [ cgroups revisited 2/4] Now implement libcgroup policy.
@ 2010-04-28 10:00 Dominick Grift
0 siblings, 0 replies; only message in thread
From: Dominick Grift @ 2010-04-28 10:00 UTC (permalink / raw)
To: refpolicy
This is a set of scripts that automate cgroup management.
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 5a34915... 3b65a38... M policy/modules/kernel/filesystem.if
:000000 100644 0000000... dd006ff... A policy/modules/services/cgroup.fc
:000000 100644 0000000... abcab97... A policy/modules/services/cgroup.if
:000000 100644 0000000... 67facee... A policy/modules/services/cgroup.te
policy/modules/kernel/filesystem.if | 19 +++++
policy/modules/services/cgroup.fc | 11 +++
policy/modules/services/cgroup.if | 126 +++++++++++++++++++++++++++++++++++
policy/modules/services/cgroup.te | 111 ++++++++++++++++++++++++++++++
4 files changed, 267 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5a34915..3b65a38 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -633,6 +633,25 @@ interface(`fs_getattr_cgroupfs', `
########################################
## <summary>
+## Delete dirs on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_cgroupfs_dirs', `
+ gen_require(`
+ type cgroupfs_t;
+ ')
+
+ delete_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
+')
+
+########################################
+## <summary>
## list dirs on cgroup
## file systems.
## </summary>
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
new file mode 100644
index 0000000..dd006ff
--- /dev/null
+++ b/policy/modules/services/cgroup.fc
@@ -0,0 +1,11 @@
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
+
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
+
+/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
+
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
new file mode 100644
index 0000000..abcab97
--- /dev/null
+++ b/policy/modules/services/cgroup.if
@@ -0,0 +1,126 @@
+## <summary>Control group rules engine daemon.</summary>
+## <desc>
+## <p>
+## cgrulesengd is a daemon, which distributes processes
+## to control groups. When any process changes its
+## effective UID or GID, cgred inspects list of
+## rules loaded from cgrules.conf file and moves the
+## process to the appropriate control group.
+## </p>
+## <p>
+## The list of rules is read during the daemon startup and
+## are cached in daemons memory. The daemon reloads the
+## list of rules when it receives SIGUSR2 signal.
+## </p>
+## </desc>
+
+########################################
+## <summary>
+## Delete cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_delete_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ cgroup_search_cgroup_dirs($1)
+')
+
+########################################
+## <summary>
+## List cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_list_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_manage_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_rw_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Search cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_search_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write cgred sock file in /var/run.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_stream_connect', `
+ gen_require(`
+ type cgred_var_run_t, cgred_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+')
+
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
new file mode 100644
index 0000000..67facee
--- /dev/null
+++ b/policy/modules/services/cgroup.te
@@ -0,0 +1,111 @@
+
+policy_module(cgroup, 1.0.0)
+
+########################################
+#
+# cgroup global declarations.
+#
+
+type cgroup_t;
+files_mountpoint(cgroup_t)
+
+########################################
+#
+# cgclear personal declarations.
+#
+
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
+########################################
+#
+# cgconfig personal declarations.
+#
+
+type cgconfigparser_t;
+type cgconfigparser_exec_t;
+init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
+
+type cgconfig_initrc_exec_t;
+init_script_file(cgconfig_initrc_exec_t)
+
+########################################
+#
+# cgred personal declarations.
+#
+
+type cgred_t;
+type cgred_exec_t;
+init_daemon_domain(cgred_t, cgred_exec_t)
+
+type cgred_initrc_exec_t;
+init_script_file(cgred_initrc_exec_t)
+
+type cgred_var_run_t;
+files_pid_file(cgred_var_run_t)
+
+########################################
+#
+# cgclear personal policy.
+#
+
+kernel_read_system_state(cgclear_t)
+
+fs_delete_cgroupfs_dirs(cgclear_t)
+fs_list_cgroupfs_dirs(cgclear_t)
+fs_rw_cgroupfs_files(cgclear_t)
+fs_unmount_cgroupfs(cgclear_t)
+
+cgroup_delete_cgroup_dirs(cgclear_t)
+
+########################################
+#
+# cgconfig personal policy.
+#
+
+manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
+manage_files_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
+allow cgconfigparser_t cgroup_t:dir mounton;
+
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
+
+files_read_etc_files(cgconfigparser_t)
+
+fs_manage_cgroupfs_dirs(cgconfigparser_t)
+fs_mount_cgroupfs(cgconfigparser_t)
+fs_rw_cgroupfs_files(cgconfigparser_t)
+fs_setattr_cgroupfs_files(cgconfigparser_t)
+
+########################################
+#
+# cgred personal policy.
+#
+
+allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
+files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+
+kernel_read_system_state(cgred_t)
+
+domain_read_all_domains_state(cgred_t)
+
+files_read_etc_files(cgred_t)
+
+files_search_all(cgred_t)
+files_getattr_all_files(cgred_t)
+files_getattr_all_dirs(cgred_t)
+files_getattr_all_sockets(cgred_t)
+files_getattr_all_pipes(cgred_t)
+files_read_all_symlinks(cgred_t)
+
+fs_write_cgroupfs_files(cgred_t)
+
+logging_send_syslog_msg(cgred_t)
+
+miscfiles_read_localization(cgred_t)
+
--
1.7.0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100428/736f358a/attachment.bin
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2010-04-28 10:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-28 10:00 [refpolicy] [ cgroups revisited 2/4] Now implement libcgroup policy Dominick Grift
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.