From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability
Date: Tue, 6 Jul 2010 16:11:38 +0200
Message-ID: <20100706141136.GA17216@localhost.localdomain>
In-Reply-To: <4C331FB9.4010408@tresys.com>

On Tue, Jul 06, 2010 at 08:21:13AM -0400, Christopher J. PeBenito wrote:
> On 07/05/10 08:03, Dominick Grift wrote:
> >Allow cgred to setsched all
> >Allow initrc (/usr/bin/cgclear) setsched all
> >Allow cgred sys_admin capability
> 
> Based on what I see from the cgclear man page, it seems like it
> should be running in the cgconfig_t domain.

In recent times I have confined /usr/bin/cgclear, but I later decided to undo it (it is probably in my "git log" though).

cgclear isn't such a problem to run confined, but this app can also be run by users.

A similar app is cgexec; this program basically "extends" init scripts, but it can also be used by users.

Confining both cgclear and cgexec is possible, but it probably makes things more complicated than they need to be.

There are other cg apps called from the cgconfig init script as well, like cgset, cgclassify and cgcreate. These are really /usr/bin user apps.

Looking at the initrc policy, initrc has pretty much access, so I personally do not have a problem adding this as well to avoid unneeded complications.

> 
> >Signed-off-by: Dominick Grift<domg472@gmail.com>
> >---
> >:100644 100644 bb3a671... 6ae88ca... M	policy/modules/services/cgroup.te
> >:100644 100644 d9d2789... 5926603... M	policy/modules/system/init.te
> >  policy/modules/services/cgroup.te |    3 ++-
> >  policy/modules/system/init.te     |    1 +
> >  2 files changed, 3 insertions(+), 1 deletions(-)
> >
> >diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
> >index bb3a671..6ae88ca 100644
> >--- a/policy/modules/services/cgroup.te
> >+++ b/policy/modules/services/cgroup.te
> >@@ -53,7 +53,7 @@ fs_unmount_cgroup(cgconfig_t)
> >  # cgred personal policy.
> >  #
> >
> >-allow cgred_t self:capability { net_admin sys_ptrace dac_override };
> >+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
> >  allow cgred_t self:netlink_socket { write bind create read };
> >  allow cgred_t self:unix_dgram_socket { write create connect };
> >
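Review bot: the allow line in this hunk adds sys_admin to cgred_t, the broadest capability in the set, and neither the hunk nor the commit message says which operation in cgred was denied without it. If the trigger was changing the scheduling of other processes (the subject line says "setsched all"), that is checked as process:setsched, which the second hunk of this file already grants, and the kernel-side capability for it is sys_nice rather than sys_admin. Please add a comment above the allow line naming the operation (e.g. `# for <operation>`) and confirm from the denial that a narrower capability does not cover it.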
> >@@ -65,6 +65,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
> >  kernel_read_system_state(cgred_t)
> >
> >  domain_read_all_domains_state(cgred_t)
> >+domain_setpriority_all_domains(cgred_t)
> >
> >  files_getattr_all_files(cgred_t)
> >  files_getattr_all_sockets(cgred_t)
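Review bot: domain_setpriority_all_domains(cgred_t) grants setsched on every domain on the system, and nothing in cgroup.te records why a cgroup rules daemon needs to change the scheduling of arbitrary processes. A one-line comment above the call stating the reason would keep the grant reviewable, and if cgred only ever touches a known subset of domains, a narrower target than all domains would be preferable to a blanket rule.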
> >diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> >index d9d2789..5926603 100644
> >--- a/policy/modules/system/init.te
> >+++ b/policy/modules/system/init.te
> >@@ -575,6 +575,7 @@ optional_policy(`
> >
> >  optional_policy(`
> >  	cgroup_stream_connect(initrc_t)
> >+	domain_setpriority_all_domains(initrc_t)
> >  ')
> >
> >  optional_policy(`
> >
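Review bot: the new domain_setpriority_all_domains(initrc_t) call sits inside the optional_policy block whose only other line is cgroup_stream_connect(initrc_t), so a reader will take it to depend on the cgroup module, yet it is a domain.if interface and the subject line says it is for /usr/bin/cgclear run from the init script. Add a comment naming cgclear so the reason survives, and weigh the alternative raised in this thread of running cgclear in cgconfig_t rather than widening initrc_t, which already has broad access.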
> >
> >
> >_______________________________________________
> >refpolicy mailing list
> >refpolicy at oss.tresys.com
> >http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
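To make concrete what confining cgclear in cgconfig_t (the alternative raised in this thread) would involve, the following is an added illustration in refpolicy syntax. It is not code from the thread or from refpolicy itself: the interface name cgroup_run_cgconfig, the use of the existing cgconfig_exec_t label for /usr/bin/cgclear, the role handling and the sysadm_t/sysadm_r caller are all assumptions about how such a policy would be written. The fragments would go into cgroup.fc, cgroup.if and cgroup.te respectively.

```sepolicy
# cgroup.fc (assumed addition): label cgclear with the existing cgconfig
# entrypoint type, so executing it from initrc_t transitions into
# cgconfig_t through the init_daemon_domain() transition that the
# cgconfig_t domain already has.
/usr/bin/cgclear	--	gen_context(system_u:object_r:cgconfig_exec_t,s0)

# cgroup.if (assumed interface): let a user domain run cgclear in
# cgconfig_t. The role line is the part that makes this "more
# complicated than it needs to be": every role that may run the tool
# must be granted the cgconfig_t type.
interface(`cgroup_run_cgconfig',`
	gen_require(`
		type cgconfig_t, cgconfig_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
	role $2 types cgconfig_t;
')

# cgroup.te (assumed addition): once cgconfig_t can be entered from a
# user shell it must be allowed to use that user's terminal, otherwise
# the program cannot even print its error messages.
userdom_use_user_terminals(cgconfig_t)

# Caller side, e.g. in a role or userdom module (assumed): the admin
# user domain gets the transition and the admin role gets the type.
optional_policy(`
	cgroup_run_cgconfig(sysadm_t, sysadm_r)
')
```

Contrast this with the patch above: widening initrc_t and cgred_t costs two lines but leaves cgclear unconfined whenever a user runs it from a shell, while the transition approach confines it in both cases at the cost of an interface call and a role grant for every role that needs the tool.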

Thread overview: 4+ messages
2010-07-05 12:03 [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability Dominick Grift
2010-07-06 12:21 ` Christopher J. PeBenito
2010-07-06 14:11   ` Dominick Grift [this message]
2010-07-07 12:18     ` Christopher J. PeBenito
