This is a diff between what I currently have implemented and what Fedora has implemented.
This works for me IN enforcing mode.
Signed-off-by: Dominick Grift <domg472(a)gmail.com>
---
:100644 100644 11e5cd9... 2ba1a74... M policy/modules/kernel/filesystem.if
:100644 100644 480f526... 70c2b44... M policy/modules/services/cgroup.fc
:100644 100644 95d1a68... 03b7ffc... M policy/modules/services/cgroup.if
:100644 100644 9c5d9b0... d0c5a19... M policy/modules/services/cgroup.te
:100644 100644 9ecb76c... d15bb0f... M policy/modules/system/init.te
:100644 100644 c068936... 7c5ed53... M policy/modules/system/userdomain.if
policy/modules/kernel/filesystem.if | 95 ++++++++++-----
policy/modules/services/cgroup.fc | 15 ++-
policy/modules/services/cgroup.if | 232 +++++++++++++++++++++++++++++++++--
policy/modules/services/cgroup.te | 47 +++++---
policy/modules/system/init.te | 9 +-
policy/modules/system/userdomain.if | 6 +
6 files changed, 337 insertions(+), 67 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 11e5cd9..2ba1a74 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -559,6 +559,24 @@ interface(`fs_register_binary_executable_type',`
########################################
## <summary>
+## Delete directories on cgroupfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_cgroupfs_dirs', `
+ gen_require(`
+ type cgroupfs_t;
+ ')
+
+ delete_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
+')
+
+########################################
+## <summary>
## Mount a cgroup filesystem.
## </summary>
## <param name="domain">
@@ -621,53 +639,32 @@ interface(`fs_unmount_cgroupfs', `
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`fs_getattr_cgroupfs',`
gen_require(`
- type cifs_t;
+ type cgroupfs_t;
')
- allow $1 cifs_t:filesystem getattr;
-')
-
-########################################
-## <summary>
-## list dirs on cgroup
-## file systems.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`fs_list_cgroupfs_dirs', `
- gen_require(`
- type cgroupfs_t;
-
- ')
-
- list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
+ allow $1 cgroupfs_t:filesystem getattr;
')
########################################
## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## list dirs on cgroup
+## file systems.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fs_dontaudit_list_cifs_dirs',`
+interface(`fs_list_cgroupfs_dirs', `
gen_require(`
- type cifs_t;
+ type cgroupfs_t;
')
- dontaudit $1 cifs_t:dir list_dir_perms;
+ list_dirs_pattern($1, cgroupfs_t, cgroupfs_t)
')
########################################
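Review bot: fs_getattr_cgroupfs goes from `allow $1 cifs_t:filesystem getattr;` to `allow $1 cgroupfs_t:filesystem getattr;`, which is a behavioral fix rather than part of the reshuffle: any caller that was inadvertently relying on the cifs_t grant loses it, and callers that expected cgroupfs getattr only get it from now on. The patch description does not mention this, nor the dropped `<rolecap/>` on the same interface; a line such as `fs_getattr_cgroupfs: require and allow cgroupfs_t instead of cifs_t` would help anyone bisecting a new denial. The rest of the hunk only relocates fs_list_cgroupfs_dirs and fs_dontaudit_list_cifs_dirs.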
@@ -743,7 +740,6 @@ interface(`fs_read_cgroupfs_files',`
interface(`fs_write_cgroupfs_files', `
gen_require(`
type cgroupfs_t;
-
')
write_files_pattern($1, cgroupfs_t, cgroupfs_t)
@@ -771,6 +767,45 @@ interface(`fs_rw_cgroupfs_files',`
########################################
## <summary>
+## Do not audit attempts to getattr,
+## open, read and write files on cgroup
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cgroupfs_files',`
+ gen_require(`
+ type cgroupfs_t;
+ ')
+
+ dontaudit $1 cgroupfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Mount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
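Review bot: The summary of fs_dontaudit_rw_cgroupfs_files lists getattr, open, read and write, but `rw_file_perms` also covers append, ioctl and lock, so the doc understates what is silenced. Matching the interface name and the permission set keeps it honest: `## Do not audit attempts to read and write files on cgroup file systems.`. fs_dontaudit_list_cifs_dirs is moved unchanged and needs nothing.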
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
index 480f526..70c2b44 100644
--- a/policy/modules/services/cgroup.fc
+++ b/policy/modules/services/cgroup.fc
@@ -1,9 +1,12 @@
-/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
-/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
-/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t, s0)
-/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
+/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
-/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
-/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t, s0)
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t,s0)
+/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index 95d1a68..03b7ffc 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
@@ -1,21 +1,181 @@
-## <summary>Control group rules engine daemon.</summary>
+## <summary>libcg is a library that abstracts the control group file system in
Linux.</summary>
## <desc>
## <p>
-## cgrulesengd is a daemon, which distributes processes
-## to control groups. When any process changes its
-## effective UID or GID, cgred inspects list of
-## rules loaded from cgrules.conf file and moves the
-## process to the appropriate control group.
-## </p>
-## <p>
-## The list of rules is read during the daemon startup and
-## are cached in daemons memory. The daemon reloads the
-## list of rules when it receives SIGUSR2 signal.
+## libcg aims to provide programmers easily usable APIs to use the control group file
system.
## </p>
## </desc>
########################################
## <summary>
+## Execute a domain transition to run cgconfig.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgconfigparser',`
+ gen_require(`
+ type cgconfigparser_t, cgconfigparser_exec_t;
+ ')
+
+ domtrans_pattern($1, cgconfigparser_exec_t, cgconfigparser_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute cgconfigparser server in the
+## cgconfigparser domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgconfigparser',`
+ gen_require(`
+ type cgconfig_initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run cgred.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgred',`
+ gen_require(`
+ type cgred_t, cgred_exec_t;
+ ')
+
+ domtrans_pattern($1, cgred_exec_t, cgred_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute cgred server in the
+## cgred domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgred',`
+ gen_require(`
+ type cgred_initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ init_labeled_script_domtrans($1, cgred_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Delete cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_delete_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ cgroup_search_cgroup_dirs($1)
+')
+
+########################################
+## <summary>
+## List cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_list_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Manage cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_manage_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Read and write cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_rw_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir rw_dir_perms;
+')
+
+########################################
+## <summary>
+## Search cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_search_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## Read and write cgred sock file in /var/run.
## </summary>
## <param name="domain">
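Review bot: The summaries of cgroup_initrc_domtrans_cgconfigparser and cgroup_initrc_domtrans_cgred say the caller executes the "server in the cgconfigparser/cgred domain", but both bodies call init_labeled_script_domtrans(), which transitions through the labeled init script, not into the daemon domain, so the text is misleading for anyone choosing between the domtrans and initrc_domtrans variants. Use the usual refpolicy wording, e.g. `## Execute cgconfig init scripts in the initrc domain.` and `## Execute cgred init scripts in the initrc domain.`. The module-level `<summary>` now describes the libcg library rather than what this policy module confines; something like `## <summary>Control group configuration parser and rules engine daemon.</summary>` reads better and also avoids the mail-wrapped long line.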
@@ -29,7 +189,55 @@ interface(`cgroup_stream_connect', `
type cgred_var_run_t, cgred_t;
')
- files_search_pids($1)
stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+ files_search_pids($1)
')
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cgroup environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_admin',`
+ gen_require(`
+ type cgred_t, cgconfigparser_t, cgred_var_run_t;
+ type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
+ type cgred_etc_t, cgroup_t, cgroupfs_t;
+ ')
+
+ allow $1 cgconfigparser_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cgconfigparser_t, cgconfigparser_t)
+
+ allow $1 cgred_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, cgred_t, cgred_t)
+
+ admin_pattern($1, cgroup_t)
+ admin_pattern($1, cgroupfs_t)
+
+ files_search_etc($1)
+ admin_pattern($1, cgconfig_etc_t)
+ admin_pattern($1, cgred_etc_t)
+
+ files_list_var($1)
+ admin_pattern($1, cgred_var_run_t)
+
+ cgroup_initrc_domtrans_cgconfigparser($1)
+ domain_system_change_exemption($1)
+ role_transition $2 cgconfig_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ cgroup_initrc_domtrans_cgred($1)
+ role_transition $2 cgred_initrc_exec_t system_r;
+')
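Review bot: cgroup_admin requires and administers `cgred_etc_t` (third type line of the gen_require and `admin_pattern($1, cgred_etc_t)`), but no such type is declared anywhere in this patch: cgroup.te declares `cgrules_etc_t` for /etc/cgrules.conf (see the cgroup.te hunk at @@ -15,8 +24,8 and the cgroup.fc entry). Any module that calls cgroup_admin should therefore fail at policy build time with an undeclared-type error; the fix is `type cgrules_etc_t, cgroup_t, cgroupfs_t;` and `admin_pattern($1, cgrules_etc_t)`. Requiring cgroupfs_t directly from the kernel filesystem module also bypasses the fs_ layer; fs_manage_cgroupfs_dirs(), fs_rw_cgroupfs_files(), fs_setattr_cgroupfs_files() and the new fs_delete_cgroupfs_dirs() would keep cgroup_admin consistent with how the rest of this patch reaches cgroupfs.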
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 9c5d9b0..d0c5a19 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -1,7 +1,16 @@
+
policy_module(cgroup, 1.0.0)
########################################
#
+# cgroup global declarations.
+#
+
+type cgroup_t;
+files_mountpoint(cgroup_t)
+
+########################################
+#
# cgred personal declarations.
#
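Review bot: An empty line is added ahead of `policy_module(cgroup, 1.0.0)`; refpolicy .te files start with the policy_module() call, so the leading blank line is stray and should be dropped. Moving `cgroup_t` into a global declarations section is fine since both daemons use it.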
@@ -15,8 +24,8 @@ init_script_file(cgred_initrc_exec_t)
type cgred_var_run_t;
files_pid_file(cgred_var_run_t)
-type cgroup_t;
-files_mountpoint(cgroup_t)
+type cgrules_etc_t;
+files_config_file(cgrules_etc_t)
########################################
#
@@ -30,8 +39,8 @@ init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)
-permissive cgconfigparser_t;
-permissive cgred_t;
+type cgconfig_etc_t;
+files_config_file(cgconfig_etc_t)
########################################
#
@@ -42,36 +51,40 @@ allow cgred_t self:capability { net_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-manage_sock_files_pattern(cgred_t, cgred_var_run_t,
-cgred_var_run_t)
+allow cgred_t cgrules_etc_t:file read_file_perms;
+
+manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
-domain_read_all_domains_state(cgred_t)
+kernel_read_system_state(cgred_t)
-files_read_etc_files(cgred_t)
+domain_read_all_domains_state(cgred_t)
files_search_all(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_dirs(cgred_t)
files_getattr_all_sockets(cgred_t)
files_getattr_all_pipes(cgred_t)
-files_getattr_all_symlinks(cgred_t)
-# read all link files.
+files_read_all_symlinks(cgred_t)
-kernel_read_system_state(cgred_t)
+# /etc/group
+files_read_etc_files(cgred_t)
+
+fs_write_cgroupfs_files(cgred_t)
logging_send_syslog_msg(cgred_t)
miscfiles_read_localization(cgred_t)
-optional_policy(`
- fs_write_cgroupfs_files(cgred_t)
-')
-
########################################
#
# cgconfig personal policy.
#
+
+allow cgconfigparser_t self:capability { chown sys_admin };
+
+allow cgconfigparser_t cgconfig_etc_t:file read_file_perms;
+
manage_dirs_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
manage_files_pattern(cgconfigparser_t, cgroup_t, cgroup_t)
allow cgconfigparser_t cgroup_t:dir mounton;
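Review bot: `allow cgred_t cgrules_etc_t:file read_file_perms;` and `allow cgconfigparser_t cgconfig_etc_t:file read_file_perms;` are written as raw allow rules while the rules around them use the pattern macros (manage_sock_files_pattern, manage_dirs_pattern, manage_files_pattern); `read_files_pattern(cgred_t, cgrules_etc_t, cgrules_etc_t)` and `read_files_pattern(cgconfigparser_t, cgconfig_etc_t, cgconfig_etc_t)` keep the module uniform. The search on /etc itself is already covered by files_read_etc_files() in both domains, so this is a consistency point rather than a missing permission.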
@@ -79,9 +92,11 @@ allow cgconfigparser_t cgroup_t:dir mounton;
kernel_list_unlabeled(cgconfigparser_t)
kernel_read_system_state(cgconfigparser_t)
+# /etc/nsswitch.conf
files_read_etc_files(cgconfigparser_t)
fs_manage_cgroupfs_dirs(cgconfigparser_t)
+fs_mount_cgroupfs(cgconfigparser_t)
fs_rw_cgroupfs_files(cgconfigparser_t)
+fs_unmount_cgroupfs(cgconfigparser_t)
fs_setattr_cgroupfs_files(cgconfigparser_t)
-fs_mount_cgroupfs(cgconfigparser_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9ecb76c..d15bb0f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -403,9 +403,6 @@ fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
fs_search_all(initrc_t)
fs_getattr_nfsd_files(initrc_t)
-fs_rw_cgroupfs_files(initrc_t)
-fs_setattr_cgroupfs_files(initrc_t)
-fs_manage_cgroupfs_dirs(initrc_t)
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
@@ -551,6 +548,12 @@ ifdef(`distro_redhat',`
fs_read_tmpfs_symlinks(initrc_t)
fs_rw_tmpfs_chr_files(initrc_t)
+ # /sbin/cgclear
+ fs_delete_cgroupfs_dirs(initrc_t)
+ fs_list_cgroupfs_dirs(initrc_t)
+ # w for /bin/cgcexec and rw for /sbin/cgclear
+ fs_rw_cgroupfs_files(initrc_t)
+
storage_manage_fixed_disk(initrc_t)
storage_dev_filetrans_fixed_disk(initrc_t)
storage_getattr_removable_dev(initrc_t)
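Review bot: Together with the earlier init.te hunk (@@ -403,9 +403,6), initrc_t loses fs_manage_cgroupfs_dirs() and fs_setattr_cgroupfs_files() unconditionally, while the replacement fs_delete_cgroupfs_dirs(), fs_list_cgroupfs_dirs() and fs_rw_cgroupfs_files() are added only inside the `ifdef(`distro_redhat',` block, so on other distributions initrc_t ends up with no cgroupfs access at all; that looks unintended unless cgclear/cgexec are considered Red Hat-only. If the tools are generic, the three calls belong with the unconditional initrc_t rules instead. The comment `# w for /bin/cgcexec and rw for /sbin/cgclear` presumably means `/bin/cgexec`. The ifdef block begins outside this hunk.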
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c068936..7c5ed53 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -116,6 +116,7 @@ template(`userdom_base_user_template',`
files_exec_usr_files($1_t)
fs_list_cgroupfs_dirs($1_usertype)
+ fs_dontaudit_rw_cgroupfs_files($1_usertype)
storage_rw_fuse($1_usertype)
@@ -139,6 +140,10 @@ template(`userdom_base_user_template',`
')
optional_policy(`
+ cgroup_list_cgroup_dirs($1_usertype)
+ ')
+
+ optional_policy(`
ssh_rw_stream_sockets($1_usertype)
ssh_delete_tmp($1_t)
ssh_signal($1_t)
@@ -554,6 +559,7 @@ template(`userdom_common_user_template',`
files_read_config_files($1_usertype)
fs_read_noxattr_fs_files($1_usertype)
fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroupfs_files($1_usertype)
logging_send_syslog_msg($1_usertype)
logging_send_audit_msgs($1_usertype)
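Review bot: `fs_rw_cgroupfs_files($1_usertype)` in userdom_common_user_template grants every common user domain read and write on all cgroupfs files, which is a broad grant for a template shared by unprivileged users: DAC on the control files still applies, but the MAC side no longer limits which cgroup control files a user domain may write. If the intent is only to let a user's own processes be placed into a group via cgexec or cgred, consider gating the call behind a tunable or confining it to the admin template, and add a comment above the line stating why it is needed. Note that the `fs_dontaudit_rw_cgroupfs_files($1_usertype)` added to userdom_base_user_template in the first hunk becomes a no-op for these domains once the same permissions are allowed. The template body extends outside the hunk.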
--
1.7.0.1