From: pebenito@gentoo.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [ cgroup patch (RETRY) 1/1] Confine /sbin/cgclear.
Date: Mon, 09 Aug 2010 09:12:36 -0400	[thread overview]
Message-ID: <4C5FFEC4.6020407@gentoo.org> (raw)
In-Reply-To: <20100808100537.GA4015@localhost.localdomain>

On 08/08/10 06:05, Dominick Grift wrote:
> Libcgroup moved cgclear to /sbin.
> Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domain's policy.
> We might want to add cgroup_run_cgclear to sysadm module.

Merged.

> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 c17388d... 420c9d3... M	policy/modules/services/cgroup.fc
> :100644 100644 2d1eaf3... 66d68bc... M	policy/modules/services/cgroup.if
> :100644 100644 bb3a671... 2bfc041... M	policy/modules/services/cgroup.te
> :100644 100644 29f9757... bd45076... M	policy/modules/system/init.te
>   policy/modules/services/cgroup.fc |    4 ++
>   policy/modules/services/cgroup.if |   66 +++++++++++++++++++++++++++++++++----
>   policy/modules/services/cgroup.te |   31 +++++++++++++++--
>   policy/modules/system/init.te     |    6 +--
>   4 files changed, 93 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
> index c17388d..420c9d3 100644
> --- a/policy/modules/services/cgroup.fc
> +++ b/policy/modules/services/cgroup.fc
> @@ -1,10 +1,14 @@
>   /etc/cgconfig.conf		--	gen_context(system_u:object_r:cgconfig_etc_t,s0)
>   /etc/cgrules.conf		--	gen_context(system_u:object_r:cgrules_etc_t,s0)
>
> +/etc/sysconfig/cgconfig		--	gen_context(system_u:object_r:cgconfig_etc_t,s0)
> +/etc/sysconfig/cgred.conf	--	gen_context(system_u:object_r:cgrules_etc_t,s0)
> +
>   /etc/rc\.d/init\.d/cgconfig	--	gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
>   /etc/rc\.d/init\.d/cgred	--	gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
>
>   /sbin/cgconfigparser		--	gen_context(system_u:object_r:cgconfig_exec_t,s0)
>   /sbin/cgrulesengd		--	gen_context(system_u:object_r:cgred_exec_t,s0)
> +/sbin/cgclear			--	gen_context(system_u:object_r:cgclear_exec_t,s0)
>
>   /var/run/cgred.*			gen_context(system_u:object_r:cgred_var_run_t,s0)
> diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
> index 2d1eaf3..66d68bc 100644
> --- a/policy/modules/services/cgroup.if
> +++ b/policy/modules/services/cgroup.if
> @@ -3,6 +3,26 @@
>   ########################################
>   ##<summary>
>   ##	Execute a domain transition to run
> +##	CG Clear.
> +##</summary>
> +##<param name="domain">
> +##<summary>
> +##	Domain allowed to transition.
> +##</summary>
> +##</param>
> +#
> +interface(`cgroup_domtrans_cgclear',`
> +	gen_require(`
> +		type cgclear_t, cgclear_exec_t;
> +	')
> +
> +	domtrans_pattern($1, cgclear_exec_t, cgclear_t)
> +	corecmd_search_bin($1)
> +')
> +
> +########################################
> +##<summary>
> +##	Execute a domain transition to run
>   ##	CG config parser.
>   ##</summary>
>   ##<param name="domain">
> @@ -36,7 +56,6 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
>   		type cgconfig_initrc_exec_t;
>   	')
>
> -	files_search_etc($1)
>   	init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
>   ')
>
> @@ -82,6 +101,34 @@ interface(`cgroup_initrc_domtrans_cgred',`
>
>   ########################################
>   ##<summary>
> +##	Execute a domain transition to
> +##	run CG Clear and allow the
> +##	specified role the CG Clear
> +##	domain.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +##</param>
> +##<param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`cgroup_run_cgclear',`
> +	gen_require(`
> +		type cgclear_t;
> +	')
> +
> +	cgroup_domtrans_cgclear($1)
> +	role $2 types cgclear_t;
> +')
> +
> +########################################
> +##<summary>
>   ##	Connect to CG rules engine daemon
>   ##	over unix stream sockets.
>   ##</summary>
> @@ -91,7 +138,7 @@ interface(`cgroup_initrc_domtrans_cgred',`
>   ##	</summary>
>   ##</param>
>   #
> -interface(`cgroup_stream_connect', `
> +interface(`cgroup_stream_connect_cgred', `
>   	gen_require(`
>   		type cgred_var_run_t, cgred_t;
>   	')
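Review bot: The rename of `cgroup_stream_connect` to `cgroup_stream_connect_cgred` at the interface header drops the old name with no compatibility shim, so any caller other than init.te (the only one updated in this patch) stops building. If this tree follows the usual refpolicy deprecation pattern, keep the old name for one release as a forwarding wrapper: `interface(`cgroup_stream_connect',` / `refpolicywarn(`$0($*) has been deprecated, please use cgroup_stream_connect_cgred() instead.')` / `cgroup_stream_connect_cgred($1)`. The body of the renamed interface continues outside the hunk.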
> @@ -121,14 +168,17 @@ interface(`cgroup_admin',`
>   	gen_require(`
>   		type cgred_t, cgconfig_t, cgred_var_run_t;
>   		type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
> -		type cgrules_etc_t;
> +		type cgrules_etc_t, cgclear_t, cgclear_exec_t;
>   	')
>
> -	allow $1 cgconfig_t:process { ptrace signal_perms getattr };
> -	read_files_pattern($1, cgconfig_t, cgconfig_t)
> +	allow $1 cgclear_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, cgclear_t)
>
> -	allow $1 cgred_t:process { ptrace signal_perms getattr };
> -	read_files_pattern($1, cgred_t, cgred_t)
> +	allow $1 cgconfig_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, cgconfig_t)
> +
> +	allow $1 cgred_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, cgred_t)
>
>   	admin_pattern($1, cgconfig_etc_t)
>   	admin_pattern($1, cgrules_etc_t)
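Review bot: `cgclear_exec_t` is added to the gen_require block at the top of this hunk, but nothing in the visible body of cgroup_admin references it; the only consumer, cgroup_run_cgclear, declares its own requirement, so trim the line to `type cgrules_etc_t, cgclear_t;`. The new `allow $1 cgclear_t:process { ptrace signal_perms };` also hands the admin domain ptrace over a sys_admin-capable domain; that is consistent with the cgconfig_t and cgred_t lines below it, but a one-line comment that this is intentional would help the next reader. cgroup_admin starts before this hunk and ends after it.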
> @@ -144,4 +194,6 @@ interface(`cgroup_admin',`
>
>   	cgroup_initrc_domtrans_cgred($1)
>   	role_transition $2 cgred_initrc_exec_t system_r;
> +
> +	cgroup_run_cgclear($1, $2)
>   ')
> diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
> index bb3a671..2bfc041 100644
> --- a/policy/modules/services/cgroup.te
> +++ b/policy/modules/services/cgroup.te
> @@ -5,6 +5,10 @@ policy_module(cgroup, 1.0.0)
>   # Declarations
>   #
>
> +type cgclear_t;
> +type cgclear_exec_t;
> +init_daemon_domain(cgclear_t, cgclear_exec_t)
> +
>   type cgred_t;
>   type cgred_exec_t;
>   init_daemon_domain(cgred_t, cgred_exec_t)
> @@ -30,6 +34,21 @@ files_config_file(cgconfig_etc_t)
>
>   ########################################
>   #
> +# cgclear personal policy.
> +#
> +
> +allow cgclear_t self:capability sys_admin;
> +
> +kernel_read_system_state(cgclear_t)
> +
> +domain_setpriority_all_domains(cgclear_t)
> +
> +fs_manage_cgroup_dirs(cgclear_t)
> +fs_manage_cgroup_files(cgclear_t)
> +fs_unmount_cgroup(cgclear_t)
> +
> +########################################
> +#
>   # cgconfig personal policy.
>   #
>
> @@ -37,38 +56,44 @@ allow cgconfig_t self:capability { chown sys_admin };
>
>   allow cgconfig_t cgconfig_etc_t:file read_file_perms;
>
> +# search will do.
>   kernel_list_unlabeled(cgconfig_t)
>   kernel_read_system_state(cgconfig_t)
>
> +# /etc/nsswitch.conf, /etc/passwd
>   files_read_etc_files(cgconfig_t)
>
>   fs_manage_cgroup_dirs(cgconfig_t)
>   fs_manage_cgroup_files(cgconfig_t)
>   fs_mount_cgroup(cgconfig_t)
>   fs_mounton_cgroup(cgconfig_t)
> -fs_unmount_cgroup(cgconfig_t)
>
>   ########################################
>   #
>   # cgred personal policy.
>   #
>
> -allow cgred_t self:capability { net_admin sys_ptrace dac_override };
> +allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
>   allow cgred_t self:netlink_socket { write bind create read };
>   allow cgred_t self:unix_dgram_socket { write create connect };
>
>   allow cgred_t cgrules_etc_t:file read_file_perms;
>
> +# rc script creates pid file
> +manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
>   manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
> -files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
> +files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
>
>   kernel_read_system_state(cgred_t)
>
>   domain_read_all_domains_state(cgred_t)
> +domain_setpriority_all_domains(cgred_t)
>
>   files_getattr_all_files(cgred_t)
>   files_getattr_all_sockets(cgred_t)
>   files_read_all_symlinks(cgred_t)
> +
> +# /etc/group
>   files_read_etc_files(cgred_t)
>
>   fs_write_cgroup_files(cgred_t)
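Review bot: The comment `# rc script creates pid file` above `manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)` contradicts the rule it annotates: the rule gives cgred_t itself create/write/unlink on its pid file, whereas a pid file created by the rc script would be written by initrc_t and need no cgred_t rule at all. Either reword it to `# cgrulesengd writes its own pid file` or, if the script really does create it, drop the manage rule and the `file` class from the filetrans on the line below. Separately, `sys_admin` is added to cgred_t's capability set with no justification while every other new line in this hunk carries a comment; sys_admin is the catch-all capability, so name the operation that needs it in a comment, or dontaudit it if it is only probed.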
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 29f9757..bd45076 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -338,9 +338,7 @@ files_mounton_isid_type_dirs(initrc_t)
>   files_list_default(initrc_t)
>   files_mounton_default(initrc_t)
>
> -fs_delete_cgroup_dirs(initrc_t)
> -fs_list_cgroup_dirs(initrc_t)
> -fs_rw_cgroup_files(initrc_t)
> +fs_write_cgroup_files(initrc_t)
>   fs_list_inotifyfs(initrc_t)
>   fs_register_binary_executable_type(initrc_t)
>   # rhgb-console writes to ramfs
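Review bot: Beyond confining cgclear, this hunk also strips `fs_delete_cgroup_dirs`, `fs_list_cgroup_dirs` and `fs_rw_cgroup_files` from initrc_t and keeps only `fs_write_cgroup_files(initrc_t)`, a privilege reduction the commit message does not mention. Any init script other than cgclear that still lists or removes cgroup directories directly will now be denied, so the message should state that cgclear_t is expected to be the sole path for that, and that the transition presumably exists only when the optional cgroup module is loaded. A short comment above the remaining rule, `# cgroup dir cleanup is done by cgclear_t`, would record the intent in the policy itself.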
> @@ -570,7 +568,7 @@ optional_policy(`
>   ')
>
>   optional_policy(`
> -	cgroup_stream_connect(initrc_t)
> +	cgroup_stream_connect_cgred(initrc_t)
>   ')
>
>   optional_policy(`

