* [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability
@ 2010-07-05 12:03 Dominick Grift
From: Dominick Grift @ 2010-07-05 12:03 UTC (permalink / raw)
  To: refpolicy

Allow cgred to setsched all
Allow initrc (/usr/bin/cgclear) setsched all
Allow cgred sys_admin capability

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 bb3a671... 6ae88ca... M	policy/modules/services/cgroup.te
:100644 100644 d9d2789... 5926603... M	policy/modules/system/init.te
 policy/modules/services/cgroup.te |    3 ++-
 policy/modules/system/init.te     |    1 +
 2 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index bb3a671..6ae88ca 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -53,7 +53,7 @@ fs_unmount_cgroup(cgconfig_t)
 # cgred personal policy.
 #
 
-allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
 
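Review bot: the commit message does not say which operation in cgred needs sys_admin; since CAP_SYS_ADMIN is the broadest capability in this set, the body should record the AVC denial or the cgroup action that triggered it, and a short comment above `allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };` would keep that rationale next to the rule for whoever audits cgred_t later.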
@@ -65,6 +65,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
 kernel_read_system_state(cgred_t)
 
 domain_read_all_domains_state(cgred_t)
+domain_setpriority_all_domains(cgred_t)
 
 files_getattr_all_files(cgred_t)
 files_getattr_all_sockets(cgred_t)
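Review bot: `domain_setpriority_all_domains(cgred_t)` grants setsched on every domain, which is what the subject line's "setsched all" asks for, but the commit body gives no reason cgred needs to reschedule processes in all domains rather than only the ones it classifies; please state the use case (and the denial seen) in the commit message and consider whether a narrower set of domains covers it, since together with the new sys_admin capability in the previous hunk this gives cgred_t considerable reach over other processes.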
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d9d2789..5926603 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -575,6 +575,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect(initrc_t)
+	domain_setpriority_all_domains(initrc_t)
 ')
 
 optional_policy(`
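Review bot: the only justification for `domain_setpriority_all_domains(initrc_t)` is the subject line's note that /usr/bin/cgclear runs as initrc_t; that reasoning belongs in the commit body, and a one-line comment above the call would explain why a `domain_` interface sits inside the cgroup optional_policy block (it is there because the need comes from the cgroup tools, not because the interface depends on the cgroup module). Widening initrc_t, which already has broad access, is the alternative to running cgclear in a dedicated domain such as cgconfig_t, so the choice should be stated explicitly for reviewers to weigh.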
-- 
1.7.1



* [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability
@ 2010-07-06 12:21 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2010-07-06 12:21 UTC (permalink / raw)
  To: refpolicy

On 07/05/10 08:03, Dominick Grift wrote:
> Allow cgred to setsched all
> Allow initrc (/usr/bin/cgclear) setsched all
> Allow cgred sys_admin capability

Based on what I see from the cgclear man page, it seems like it should 
be running in the cgconfig_t domain.



-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability
@ 2010-07-06 14:11   ` Dominick Grift
From: Dominick Grift @ 2010-07-06 14:11 UTC (permalink / raw)
  To: refpolicy

On Tue, Jul 06, 2010 at 08:21:13AM -0400, Christopher J. PeBenito wrote:
> On 07/05/10 08:03, Dominick Grift wrote:
> >Allow cgred to setsched all
> >Allow initrc (/usr/bin/cgclear) setsched all
> >Allow cgred sys_admin capability
> 
> Based on what I see from the cgclear man page, it seems like it
> should be running in the cgconfig_t domain.

In recent times I have confined /usr/bin/cgclear, but I later decided to undo it (it is probably in my "git log" though).

cgclear isn't such a problem to run confined, but this app can also be run by users.

A similar app is cgexec; this program basically "extends" init scripts, but it can also be used by users.

Confining both cgclear and cgexec is possible, but it probably makes things more complicated than they need to be.

There are other cg apps called from the cgconfig init script as well, like cgset, cgclassify and cgcreate. These are really /usr/bin user apps.

Looking at the initrc policy, initrc has pretty much access, so I personally do not have a problem adding this as well to avoid unneeded complications.



* [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability
@ 2010-07-07 12:18     ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2010-07-07 12:18 UTC (permalink / raw)
  To: refpolicy

On 07/06/10 10:11, Dominick Grift wrote:
> On Tue, Jul 06, 2010 at 08:21:13AM -0400, Christopher J. PeBenito wrote:
>> On 07/05/10 08:03, Dominick Grift wrote:
>>> Allow cgred to setsched all
>>> Allow initrc (/usr/bin/cgclear) setsched all
>>> Allow cgred sys_admin capability
>>
>> Based on what I see from the cgclear man page, it seems like it
>> should be running in the cgconfig_t domain.
>
> In recent times I have confined /usr/bin/cgclear, but I later decided to undo it (it is probably in my "git log" though).
>
> cgclear isn't such a problem to run confined, but this app can also be run by users.

This seems like even more of a reason for it to run in cgconfig_t.

> A similar app is cgexec; this program basically "extends" init scripts, but it can also be used by users.

But the purpose of cgconfig_t is for configuring cgroups, right? 
Clearing cgroups is a configuration action too.

> Confining both cgclear and cgexec is possible, but it probably makes things more complicated than they need to be.
>
> There are other cg apps called from the cgconfig init script as well, like cgset, cgclassify and cgcreate. These are really /usr/bin user apps.
>
> Looking at the initrc policy, initrc has pretty much access, so I personally do not have a problem adding this as well to avoid unneeded complications.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

