* [refpolicy] [ patch v2 1/4] cgroup in filesystem.
@ 2010-06-07 18:17 Dominick Grift
0 siblings, 0 replies; only message in thread
From: Dominick Grift @ 2010-06-07 18:17 UTC (permalink / raw)
To: refpolicy
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 b029773... 9306de6... M policy/modules/kernel/filesystem.fc
:100644 100644 a2c146b... 4052ab9... M policy/modules/kernel/filesystem.if
:100644 100644 774e0a1... cb889c3... M policy/modules/kernel/filesystem.te
:100644 100644 78fb6b2... 5b6c8b9... M policy/modules/kernel/kernel.te
policy/modules/kernel/filesystem.fc | 2 +
policy/modules/kernel/filesystem.if | 150 +++++++++++++++++++++++++----------
policy/modules/kernel/filesystem.te | 6 ++
policy/modules/kernel/kernel.te | 9 --
4 files changed, 116 insertions(+), 51 deletions(-)
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index b029773..9306de6 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1 +1,3 @@
/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+
+/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a2c146b..4052ab9 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -559,7 +559,25 @@ interface(`fs_register_binary_executable_type',`
########################################
## <summary>
-## Mount a cgroup filesystem.
+## Get attributes of cgroup filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Mount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -577,8 +595,25 @@ interface(`fs_mount_cgroup', `
########################################
## <summary>
-## Remount a cgroup filesystem This allows
-## some mount options to be changed.
+## Mount on cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir mounton;
+')
+
+########################################
+## <summary>
+## Remount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -596,7 +631,7 @@ interface(`fs_remount_cgroup', `
########################################
## <summary>
-## Unmount a cgroup file system.
+## Unmount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -614,65 +649,62 @@ interface(`fs_unmount_cgroup', `
########################################
## <summary>
-## Get the attributes of a cgroup filesystem.
+## Delete cgroup directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`fs_getattr_cgroup',`
+interface(`fs_delete_cgroup_dirs', `
gen_require(`
- type cifs_t;
+ type cgroup_t;
')
- allow $1 cifs_t:filesystem getattr;
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## list dirs on cgroup
-## file systems.
+## list cgroup directories.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`fs_list_cgroup_dirs', `
- gen_require(`
- type cgroup_t;
-
- ')
+ gen_require(`
+ type cgroup_t;
+ ')
- list_dirs_pattern($1, cgroup_t, cgroup_t)
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## Manage cgroup directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fs_dontaudit_list_cifs_dirs',`
+interface(`fs_manage_cgroup_dirs',`
gen_require(`
- type cifs_t;
+ type cgroup_t;
+
')
- dontaudit $1 cifs_t:dir list_dir_perms;
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Manage dirs on cgroup file systems.
+## Search cgroup directories.
## </summary>
## <param name="domain">
## <summary>
@@ -680,19 +712,18 @@ interface(`fs_dontaudit_list_cifs_dirs',`
## </summary>
## </param>
#
-interface(`fs_manage_cgroup_dirs',`
+interface(`fs_search_cgroup_dirs',`
gen_require(`
type cgroup_t;
')
- manage_dirs_pattern($1, cgroup_t, cgroup_t)
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Set attributes of files on cgroup
-## file systems.
+## Manage cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -700,19 +731,18 @@ interface(`fs_manage_cgroup_dirs',`
## </summary>
## </param>
#
-interface(`fs_setattr_cgroup_files',`
+interface(`fs_manage_cgroup_files',`
gen_require(`
type cgroup_t;
')
- setattr_files_pattern($1, cgroup_t, cgroup_t)
+ manage_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Read files on cgroup
-## file systems.
+## Read cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -731,8 +761,7 @@ interface(`fs_read_cgroup_files',`
########################################
## <summary>
-## Write files on cgroup
-## file systems.
+## Read and write cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -740,19 +769,18 @@ interface(`fs_read_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_write_cgroup_files', `
+interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;
')
- write_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Read and write files on cgroup
-## file systems.
+## Write cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -760,13 +788,51 @@ interface(`fs_write_cgroup_files', `
## </summary>
## </param>
#
-interface(`fs_rw_cgroup_files',`
+interface(`fs_write_cgroup_files', `
gen_require(`
type cgroup_t;
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
+')
+########################################
+## <summary>
+## Do not audit attempts to open,
+## get attributes, read and write
+## cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
')
- rw_files_pattern($1, cgroup_t, cgroup_t)
+ dontaudit $1 cgroup_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
')
########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 774e0a1..cb889c3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -68,6 +68,12 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+type cgroup_t;
+fs_type(cgroup_t)
+files_type(cgroup_t)
+files_mountpoint(cgroup_t)
+genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 78fb6b2..5b6c8b9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -46,15 +46,6 @@ role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
#
-# cgroup fs
-#
-
-type cgroup_t;
-fs_type(cgroup_t)
-allow cgroup_t self:filesystem associate;
-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
-#
# DebugFS
#
--
1.7.0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100607/f4bdc195/attachment.bin
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2010-06-07 18:17 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-06-07 18:17 [refpolicy] [ patch v2 1/4] cgroup in filesystem Dominick Grift
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.