libcg policy
Dominick Grift
domg472 at gmail.com
Fri Dec 18 20:50:54 UTC 2009
The policy below works for me, but there are variables: for example, I chose to mount the cgroup fs in /mnt/, some mount it in /dev, others in /proc.
Also the interface naming could be better, and unfortunately a lot is done in init scripts.
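# libcgroup file contexts (.fc).
#
# Each entry must be a single line: the gen_context() of three entries
# had been wrapped onto a following line, which the .fc format does not
# accept. Restored here.
#
# The two init scripts get their own initrc_exec_t types (wired up with
# init_script_file() in the .te) and each daemon gets its own exec type
# so that init_daemon_domain() can put them in separate domains.
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgrulesengd_initrc_exec_t, s0)

/sbin/cgrulesengd -- gen_context(system_u:object_r:cgrulesengd_exec_t, s0)
/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)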
policy_module(libcgroup, 1.0.0)

########################################
#
# cgrulesengd personal declarations.
#

# Daemon domain and its entry-point type; init_daemon_domain() wires up
# the transition from init into cgrulesengd_t on cgrulesengd_exec_t.
type cgrulesengd_t;
type cgrulesengd_exec_t;
init_daemon_domain(cgrulesengd_t, cgrulesengd_exec_t)

# Init script type (/etc/rc.d/init.d/cgred in the file contexts).
type cgrulesengd_initrc_exec_t;
init_script_file(cgrulesengd_initrc_exec_t)

# Socket under /var/run; created by the manage_sock_files /
# files_pid_filetrans rules in the policy section below.
type cgrulesengd_var_run_t;
files_pid_file(cgrulesengd_var_run_t)

# Development aid only: for a permissive domain denials are logged but
# not enforced, so nothing in this module actually confines cgrulesengd
# while this line is present. Remove it (and the cgconfigparser_t one)
# once the audit log shows no remaining denials.
permissive cgrulesengd_t;
########################################
#
# cgconfig personal declarations.
#

# Daemon domain and entry-point type, wired up by init_daemon_domain().
type cgconfigparser_t;
type cgconfigparser_exec_t;
init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)

# Init script type (/etc/rc.d/init.d/cgconfig in the file contexts).
type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)

# Development aid only: denials are logged, not enforced, while this is
# present. Remove before relying on this policy for confinement.
permissive cgconfigparser_t;
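########################################
#
# cgrulesengd personal policy.
#

# net_admin goes with the netlink socket below. sys_ptrace and
# dac_override are presumably needed to read other processes' /proc
# state (domain_read_all_domains_state) regardless of owner -- confirm
# against the audit log rather than keeping them on faith.
allow cgrulesengd_t self:capability { net_admin sys_ptrace dac_override };
# Presumably how the daemon learns about processes changing effective
# UID/GID (see the .if module summary) -- confirm which netlink family.
allow cgrulesengd_t self:netlink_socket { write bind create read };
allow cgrulesengd_t self:unix_dgram_socket { write create connect };

# Its own socket under /var/run; files_pid_filetrans() labels the
# sock_file it creates there as cgrulesengd_var_run_t.
manage_sock_files_pattern(cgrulesengd_t, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
files_pid_filetrans(cgrulesengd_t, cgrulesengd_var_run_t, sock_file)

# Process state of every domain, used to decide which group a process
# belongs in. This is broad read access to /proc/<pid>; acceptable for a
# process-classification daemon, but worth remembering when auditing.
domain_read_all_domains_state(cgrulesengd_t)

files_read_etc_files(cgrulesengd_t)

# getattr on every file, dir, socket, pipe and symlink type in the
# system. Coarse; once the audit log shows which types are actually hit,
# narrow these. Note this is getattr only -- no read of symlinks or
# file contents is granted here.
files_search_all(cgrulesengd_t)
files_getattr_all_files(cgrulesengd_t)
files_getattr_all_dirs(cgrulesengd_t)
files_getattr_all_sockets(cgrulesengd_t)
files_getattr_all_pipes(cgrulesengd_t)
files_getattr_all_symlinks(cgrulesengd_t)

kernel_read_system_state(cgrulesengd_t)

logging_send_syslog_msg(cgrulesengd_t)

miscfiles_read_localization(cgrulesengd_t)

# Moving a process into a group is done by writing cgroupfs control
# files; write-only is the minimum the daemon needs.
optional_policy(`
	fs_write_cgroup_files(cgrulesengd_t)
')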
########################################
#
# cgconfig personal policy.
#

# Set up the hierarchy: mount cgroupfs, then create groups (directories)
# and write their control files. These interfaces come from the
# filesystem patch further down; optional_policy() lets the module build
# without it.
optional_policy(`
fs_manage_cgroup_dirs(cgconfigparser_t)
fs_rw_cgroup_files(cgconfigparser_t)
fs_setattr_cgroup_files(cgconfigparser_t)
fs_mount_cgroup_fs(cgconfigparser_t)
')

# The mountpoint is under /mnt in this setup. Setups that mount under
# /dev or /proc instead need the matching mounton/manage interfaces for
# that location rather than these two.
files_mounton_mnt(cgconfigparser_t)
files_manage_mnt_dirs(cgconfigparser_t)

# Presumably for its configuration under /etc -- confirm.
files_read_etc_files(cgconfigparser_t)
## <summary>Control group rules engine daemon.</summary>
## <desc>
## <p>
## cgrulesengd is a daemon, which distributes processes
## to control groups. When any process changes its
## effective UID or GID, cgrulesengd inspects the list of
## rules loaded from the cgrules.conf file and moves the
## process to the appropriate control group.
## </p>
## <p>
## The list of rules is read during daemon startup and
## cached in the daemon's memory. The daemon reloads the
## list of rules when it receives the SIGUSR2 signal.
## </p>
## </desc>
########################################
## <summary>
## Read and write the cgrulesengd socket file in /var/run.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`libcgroup_cgrulesengd_rw_pid_sock_file', `
gen_require(`
type cgrulesengd_var_run_t;
')

# The daemon creates its socket in /var/run (files_pid_filetrans in the
# .te), so the caller needs search on /var/run to reach it.
rw_sock_files_pattern($1, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
files_search_pids($1)
')
########################################
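## <summary>
## Connect to cgrulesengd over its unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`libcgroup_cgrulesengd_stream_connect', `
	gen_require(`
		type cgrulesengd_t, cgrulesengd_var_run_t;
	')

	# Connecting needs search on /var/run, write on the sock_file and
	# connectto on the daemon's socket. Grant all three here, in the
	# usual refpolicy stream_connect shape, so callers do not have to
	# pair this with libcgroup_cgrulesengd_rw_pid_sock_file themselves.
	files_search_pids($1)
	stream_connect_pattern($1, cgrulesengd_var_run_t, cgrulesengd_var_run_t, cgrulesengd_t)
')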
# Two more cgconfigparser_t rules; they appear to belong with the
# "cgconfig personal policy" section of the .te rather than the .if.
# /mnt/cgroups/cpu -- presumably the per-controller mountpoint dirs under
# /mnt carry no label until cgroupfs is mounted on them, hence the need
# to list unlabeled dirs; confirm against the audit log.
kernel_list_unlabeled(cgconfigparser_t)
kernel_read_system_state(cgconfigparser_t)
-------------------------------------------
-------------------------------------------
patch to filesystem
-------------------------------------------
## <summary>Patch adding interfaces to interact with the cgroup fs.</summary>
## <desc>
## <p>
## Add interfaces to allow for interaction with cgroupfs
## for initrc (cgconfig) and for cgrulesengd.
## </p>
## </desc>
########################################
## <summary>
## Mount a cgroup filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_mount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Filesystem-level mount permission only. The caller additionally needs
# mounton on the mountpoint directory (files_mounton_mnt in the
# libcgroup module, for a mountpoint under /mnt).
allow $1 cgroup_t:filesystem mount;
')
########################################
## <summary>
## Remount a cgroup filesystem. This allows
## some mount options to be changed.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_remount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Companion to fs_mount_cgroup_fs / fs_unmount_cgroup_fs; remount only,
# no mount or unmount.
allow $1 cgroup_t:filesystem remount;
')
########################################
## <summary>
## Unmount a cgroup filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_unmount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Unmount only; the matching mount permission is fs_mount_cgroup_fs.
allow $1 cgroup_t:filesystem unmount;
')
########################################
## <summary>
## Read and write files on cgroup
## filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;
')

# Control files are how groups are configured and processes assigned,
# so this is effectively write access to kernel resource control; keep
# it to management domains (cgconfigparser_t and initrc_t here).
rw_files_pattern($1, cgroup_t, cgroup_t)
# Directory traversal to reach the files.
fs_search_cgroup_dirs($1)
')
########################################
## <summary>
## Set attributes of files on cgroup
## filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_setattr_cgroup_files',`
gen_require(`
type cgroup_t;
')

# setattr only (ownership/mode style changes); no read or write of the
# control files' contents is granted here.
setattr_files_pattern($1, cgroup_t, cgroup_t)
# Directory traversal to reach the files.
fs_search_cgroup_dirs($1)
')
########################################
## <summary>
## Create, delete, rename and otherwise manage dirs
## on cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_manage_cgroup_dirs',`
gen_require(`
type cgroup_t;
')

# In cgroupfs a directory is a control group, so this effectively lets
# $1 create and remove groups. No fs_search_cgroup_dirs call is needed:
# manage_dirs_pattern already grants search on its directory argument.
manage_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
## Search dirs on cgroup
## filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_search_cgroup_dirs', `
gen_require(`
type cgroup_t;
')

# Traversal only (no getattr, no reading of entries); use
# fs_list_cgroup_dirs to read directory contents.
allow $1 cgroup_t:dir search;
')
########################################
## <summary>
## Write files on cgroup
## filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_write_cgroup_files', `
gen_require(`
type cgroup_t;
')

# Write without read: the minimum cgrulesengd needs to move a process
# into a group by writing a control file.
write_files_pattern($1, cgroup_t, cgroup_t)
# Directory traversal to reach the files.
fs_search_cgroup_dirs($1)
')
########################################
## <summary>
## List dirs on cgroup
## filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_list_cgroup_dirs', `
gen_require(`
type cgroup_t;
')

# Read-only view of the hierarchy (which groups exist); nothing here
# allows creating or removing groups.
list_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
## Create dirs on cgroup
## filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_create_cgroup_dirs', `
gen_require(`
type cgroup_t;
')

# Create only -- in cgroupfs this means creating new groups. Removal
# requires fs_manage_cgroup_dirs.
create_dirs_pattern($1, cgroup_t, cgroup_t)
')
----------------------------------------------
patch to init
---------------------------------------------
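policy_module(patch_initrc_to_allow_cgconf_cgrulesengd_manage_files_on_cgroup_fs, 1.0.0)

########################################
#
# Declarations
#

# These rules apply to initrc_t as a whole -- every init script, not only
# cgconfig/cgred. The cgroup work is currently done in the init scripts
# rather than in the daemons, which is why they need this; narrow it
# once that moves into the daemon domains.
optional_policy(`
	gen_require(`
		type initrc_t;
	')

	# Set up the hierarchy: create/remove groups and read/write or
	# chmod their control files.
	fs_manage_cgroup_dirs(initrc_t)
	fs_rw_cgroup_files(initrc_t)
	fs_setattr_cgroup_files(initrc_t)

	# Talk to the rules daemon over its socket in /var/run.
	libcgroup_cgrulesengd_rw_pid_sock_file(initrc_t)
	libcgroup_cgrulesengd_stream_connect(initrc_t)
')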