From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ patch v2 1/4] cgroup in filesystem.
Date: Mon, 7 Jun 2010 20:17:14 +0200 [thread overview]
Message-ID: <20100607181705.GA2809@localhost.localdomain> (raw)
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 b029773... 9306de6... M policy/modules/kernel/filesystem.fc
:100644 100644 a2c146b... 4052ab9... M policy/modules/kernel/filesystem.if
:100644 100644 774e0a1... cb889c3... M policy/modules/kernel/filesystem.te
:100644 100644 78fb6b2... 5b6c8b9... M policy/modules/kernel/kernel.te
policy/modules/kernel/filesystem.fc | 2 +
policy/modules/kernel/filesystem.if | 150 +++++++++++++++++++++++++----------
policy/modules/kernel/filesystem.te | 6 ++
policy/modules/kernel/kernel.te | 9 --
4 files changed, 116 insertions(+), 51 deletions(-)
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index b029773..9306de6 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1 +1,3 @@
/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+
+/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a2c146b..4052ab9 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -559,7 +559,25 @@ interface(`fs_register_binary_executable_type',`
########################################
## <summary>
-## Mount a cgroup filesystem.
+## Get attributes of cgroup filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Mount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -577,8 +595,25 @@ interface(`fs_mount_cgroup', `
########################################
## <summary>
-## Remount a cgroup filesystem This allows
-## some mount options to be changed.
+## Mount on cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Remount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -596,7 +631,7 @@ interface(`fs_remount_cgroup', `
########################################
## <summary>
-## Unmount a cgroup file system.
+## Unmount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -614,65 +649,62 @@ interface(`fs_unmount_cgroup', `
########################################
## <summary>
-## Get the attributes of a cgroup filesystem.
+## Delete cgroup directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`fs_getattr_cgroup',`
+interface(`fs_delete_cgroup_dirs', `
gen_require(`
- type cifs_t;
+ type cgroup_t;
')
- allow $1 cifs_t:filesystem getattr;
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## list dirs on cgroup
-## file systems.
+## list cgroup directories.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`fs_list_cgroup_dirs', `
- gen_require(`
- type cgroup_t;
-
- ')
+ gen_require(`
+ type cgroup_t;
+ ')
- list_dirs_pattern($1, cgroup_t, cgroup_t)
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## Manage cgroup directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fs_dontaudit_list_cifs_dirs',`
+interface(`fs_manage_cgroup_dirs',`
gen_require(`
- type cifs_t;
+ type cgroup_t;
+
')
- dontaudit $1 cifs_t:dir list_dir_perms;
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Manage dirs on cgroup file systems.
+## Search cgroup directories.
## </summary>
## <param name="domain">
## <summary>
@@ -680,19 +712,18 @@ interface(`fs_dontaudit_list_cifs_dirs',`
## </summary>
## </param>
#
-interface(`fs_manage_cgroup_dirs',`
+interface(`fs_search_cgroup_dirs',`
gen_require(`
type cgroup_t;
')
- manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Set attributes of files on cgroup
-## file systems.
+## Manage cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -700,19 +731,18 @@ interface(`fs_manage_cgroup_dirs',`
## </summary>
## </param>
#
-interface(`fs_setattr_cgroup_files',`
+interface(`fs_manage_cgroup_files',`
gen_require(`
type cgroup_t;
')
- setattr_files_pattern($1, cgroup_t, cgroup_t)
+ manage_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Read files on cgroup
-## file systems.
+## Read cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -731,8 +761,7 @@ interface(`fs_read_cgroup_files',`
########################################
## <summary>
-## Write files on cgroup
-## file systems.
+## Read and write cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -740,19 +769,18 @@ interface(`fs_read_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_write_cgroup_files', `
+interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;
')
- write_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Read and write files on cgroup
-## file systems.
+## Write cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -760,13 +788,51 @@ interface(`fs_write_cgroup_files', `
## </summary>
## </param>
#
-interface(`fs_rw_cgroup_files',`
+interface(`fs_write_cgroup_files', `
gen_require(`
type cgroup_t;
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
+')
+########################################
+## <summary>
+## Do not audit attempts to open,
+## get attributes, read and write
+## cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
')
- rw_files_pattern($1, cgroup_t, cgroup_t)
+ dontaudit $1 cgroup_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
')
########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 774e0a1..cb889c3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -68,6 +68,12 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+type cgroup_t;
+fs_type(cgroup_t)
+files_type(cgroup_t)
+files_mountpoint(cgroup_t)
+genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 78fb6b2..5b6c8b9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -46,15 +46,6 @@ role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
#
-# cgroup fs
-#
-
-type cgroup_t;
-fs_type(cgroup_t)
-allow cgroup_t self:filesystem associate;
-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
-#
# DebugFS
#
--
1.7.0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100607/f4bdc195/attachment.bin
reply other threads:[~2010-06-07 18:17 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100607181705.GA2809@localhost.localdomain \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.