From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability
Date: Wed, 07 Jul 2010 08:18:56 -0400
Message-ID: <4C3470B0.5030008@tresys.com>
In-Reply-To: <20100706141136.GA17216@localhost.localdomain>
On 07/06/10 10:11, Dominick Grift wrote:
> On Tue, Jul 06, 2010 at 08:21:13AM -0400, Christopher J. PeBenito wrote:
>> On 07/05/10 08:03, Dominick Grift wrote:
>>> Allow cgred to setsched all
>>> Allow initrc (/usr/bin/cgclear) setsched all
>>> Allow cgred sys_admin capability
>>
>> Based on what I see from the cgclear man page, it seems like it
>> should be running in the cgconfig_t domain.
>
> In recent times I have confined /usr/bin/cgclear, but I later decided to undo it (it is probably in my "git log" though).
>
> cgclear isn't such a problem to run confined, but this app can also be run by users.
This seems like even more of a reason for it to run in cgconfig_t.
> A similar app is cgexec; this program basically "extends" init scripts, but it can also be used by users.
But the purpose of cgconfig_t is for configuring cgroups, right?
Clearing cgroups is a configuration action too.
> Confining both cgclear and cgexec is possible, but it probably makes things more complicated than they need to be.
>
> There are other cg apps called from the cgconfig init script as well, like cgset, cgclassify and cgcreate. These are really /usr/bin user apps.
>
> Looking at the initrc policy, initrc has pretty broad access, so I personally do not have a problem adding this as well to avoid unneeded complications.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
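For readers following the two alternatives discussed above, the following refpolicy-style fragment sketches what labelling cgclear so that it runs in cgconfig_t (rather than granting initrc_t setsched on every domain) would look like. It is an added illustration, not a patch from this thread or from refpolicy itself; the file-context line and the use of domtrans_pattern are assumptions about how the cgroup module would be extended, and the existence of a cgconfig_exec_t entrypoint type for cgconfig_t is assumed from the naming convention the thread uses.

```selinux
# Added illustration (not from the thread): make /usr/bin/cgclear an
# entrypoint of the cgconfig_t domain so that clearing cgroups runs
# under the same confinement as configuring them.

# cgroup.fc (assumed entry): label the binary as a cgconfig entrypoint.
/usr/bin/cgclear	--	gen_context(system_u:object_r:cgconfig_exec_t,s0)

# cgroup.te (assumed rule): when the init script domain executes a file
# labelled cgconfig_exec_t, transition into cgconfig_t. With this in
# place, initrc_t itself needs no blanket "setsched" on all domains;
# any setsched cgclear requires is granted to cgconfig_t only.
domtrans_pattern(initrc_t, cgconfig_exec_t, cgconfig_t)
```

With this layout, a user who runs cgclear directly still executes it in their own domain unless a separate transition is written for user domains, which is exactly the user-invocation question raised in the thread.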
Thread overview:
2010-07-05 12:03 [refpolicy] [ cgroup patch redone 1/1] Allow cgred to setsched all allow initrc (/usr/bin/cgclear) setsched all allow cgred sys_admin capability Dominick Grift
2010-07-06 12:21 ` Christopher J. PeBenito
2010-07-06 14:11 ` Dominick Grift
2010-07-07 12:18 ` Christopher J. PeBenito [this message]