[selinux-policy: 2722/3172] Rearrange cgroup interfaces in filesystem.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:02:12 UTC 2010
commit 860c05d9de863257279699eaf605e1e109b01151
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jun 8 09:10:45 2010 -0400
Rearrange cgroup interfaces in filesystem.
policy/modules/kernel/filesystem.if | 90 +++++++++++++++++-----------------
1 files changed, 45 insertions(+), 45 deletions(-)
---
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 4052ab9..85b3bb4 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -559,7 +559,7 @@ interface(`fs_register_binary_executable_type',`
########################################
## <summary>
-## Get attributes of cgroup filesystems.
+## Mount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -567,17 +567,17 @@ interface(`fs_register_binary_executable_type',`
## </summary>
## </param>
#
-interface(`fs_getattr_cgroup',`
+interface(`fs_mount_cgroup', `
gen_require(`
type cgroup_t;
')
- allow $1 cgroup_t:filesystem getattr;
+ allow $1 cgroup_t:filesystem mount;
')
########################################
## <summary>
-## Mount cgroup filesystems.
+## Remount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
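Review bot: The opening line `` interface(`fs_mount_cgroup', ` `` keeps a space between the comma and the opening quote of the body, while `fs_getattr_cgroup`, `fs_search_cgroup_dirs` and `fs_read_cgroup_files` in this same diff are written without it. The same spacing appears on the new side for `fs_remount_cgroup`, `fs_unmount_cgroup`, `fs_list_cgroup_dirs`, `fs_delete_cgroup_dirs`, `fs_write_cgroup_files` and `fs_mounton_cgroup` in the later hunks. It is presumably harmless to m4, but a reorder-only commit is a good moment to settle on one form, e.g. `` interface(`fs_mount_cgroup',` ``.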
@@ -585,17 +585,17 @@ interface(`fs_getattr_cgroup',`
## </summary>
## </param>
#
-interface(`fs_mount_cgroup', `
+interface(`fs_remount_cgroup', `
gen_require(`
type cgroup_t;
')
- allow $1 cgroup_t:filesystem mount;
+ allow $1 cgroup_t:filesystem remount;
')
########################################
## <summary>
-## Mount on cgroup directories.
+## Unmount cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -603,17 +603,17 @@ interface(`fs_mount_cgroup', `
## </summary>
## </param>
#
-interface(`fs_mounton_cgroup', `
+interface(`fs_unmount_cgroup', `
gen_require(`
type cgroup_t;
')
- allow $1 cgroup_t:dir mounton;
+ allow $1 cgroup_t:filesystem unmount;
')
########################################
## <summary>
-## Remount cgroup filesystems.
+## Get attributes of cgroup filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -621,17 +621,17 @@ interface(`fs_mounton_cgroup', `
## </summary>
## </param>
#
-interface(`fs_remount_cgroup', `
+interface(`fs_getattr_cgroup',`
gen_require(`
type cgroup_t;
')
- allow $1 cgroup_t:filesystem remount;
+ allow $1 cgroup_t:filesystem getattr;
')
########################################
## <summary>
-## Unmount cgroup filesystems.
+## Search cgroup directories.
## </summary>
## <param name="domain">
## <summary>
@@ -639,17 +639,18 @@ interface(`fs_remount_cgroup', `
## </summary>
## </param>
#
-interface(`fs_unmount_cgroup', `
+interface(`fs_search_cgroup_dirs',`
gen_require(`
type cgroup_t;
+
')
- allow $1 cgroup_t:filesystem unmount;
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Delete cgroup directories.
+## list cgroup directories.
## </summary>
## <param name="domain">
## <summary>
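Review bot: The lone added empty line inside `gen_require` of `fs_search_cgroup_dirs`, just before the closing `')`, looks like a leftover carried along by the move and should be dropped. The same stray line is added inside `gen_require` of `fs_manage_cgroup_files` in the last hunk. In this hunk the summary `## list cgroup directories.` also starts in lower case where the other summaries are capitalised; `## List cgroup directories.` would match. The `fs_list_cgroup_dirs` block that this summary belongs to continues past the end of the hunk.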
@@ -657,17 +658,17 @@ interface(`fs_unmount_cgroup', `
## </summary>
## </param>
#
-interface(`fs_delete_cgroup_dirs', `
+interface(`fs_list_cgroup_dirs', `
gen_require(`
type cgroup_t;
')
- delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## list cgroup directories.
+## Delete cgroup directories.
## </summary>
## <param name="domain">
## <summary>
@@ -675,12 +676,12 @@ interface(`fs_delete_cgroup_dirs', `
## </summary>
## </param>
#
-interface(`fs_list_cgroup_dirs', `
+interface(`fs_delete_cgroup_dirs', `
gen_require(`
type cgroup_t;
')
- list_dirs_pattern($1, cgroup_t, cgroup_t)
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
@@ -704,7 +705,7 @@ interface(`fs_manage_cgroup_dirs',`
########################################
## <summary>
-## Search cgroup directories.
+## Read cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -712,18 +713,18 @@ interface(`fs_manage_cgroup_dirs',`
## </summary>
## </param>
#
-interface(`fs_search_cgroup_dirs',`
+interface(`fs_read_cgroup_files',`
gen_require(`
type cgroup_t;
')
- search_dirs_pattern($1, cgroup_t, cgroup_t)
+ read_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Manage cgroup files.
+## Write cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -731,18 +732,17 @@ interface(`fs_search_cgroup_dirs',`
## </summary>
## </param>
#
-interface(`fs_manage_cgroup_files',`
+interface(`fs_write_cgroup_files', `
gen_require(`
type cgroup_t;
-
')
- manage_files_pattern($1, cgroup_t, cgroup_t)
+ write_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Read cgroup files.
+## Read and write cgroup files.
## </summary>
## <param name="domain">
## <summary>
@@ -750,37 +750,38 @@ interface(`fs_manage_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_read_cgroup_files',`
+interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;
')
- read_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Read and write cgroup files.
+## Do not audit attempts to open,
+## get attributes, read and write
+## cgroup files.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`fs_rw_cgroup_files',`
+interface(`fs_dontaudit_rw_cgroup_files',`
gen_require(`
type cgroup_t;
-
')
- rw_files_pattern($1, cgroup_t, cgroup_t)
+ dontaudit $1 cgroup_t:file rw_file_perms;
')
########################################
## <summary>
-## Write cgroup files.
+## Manage cgroup files.
## </summary>
## <param name="domain">
## <summary>
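Review bot: The summary of `fs_dontaudit_rw_cgroup_files` names only open, get attributes, read and write, but the rule silences every permission in `rw_file_perms`. That macro is defined outside this diff and presumably also covers append, ioctl and lock, which should be confirmed against the definition. I would end the summary with `## cgroup files (every permission in rw_file_perms).` so that callers can see the full scope of what is hidden. This matters for anyone reading audit logs, because a domain granted this interface leaves no AVC record when it probes cgroup files, and those denials only show up again when dontaudit rules are disabled (`semodule -DB`). The interface body lies entirely inside this hunk and only the comment text would change.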
@@ -788,32 +789,31 @@ interface(`fs_rw_cgroup_files',`
## </summary>
## </param>
#
-interface(`fs_write_cgroup_files', `
+interface(`fs_manage_cgroup_files',`
gen_require(`
type cgroup_t;
+
')
- write_files_pattern($1, cgroup_t, cgroup_t)
+ manage_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
## <summary>
-## Do not audit attempts to open,
-## get attributes, read and write
-## cgroup files.
+## Mount on cgroup directories.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`fs_dontaudit_rw_cgroup_files',`
+interface(`fs_mounton_cgroup', `
gen_require(`
type cgroup_t;
')
- dontaudit $1 cgroup_t:file rw_file_perms;
+ allow $1 cgroup_t:dir mounton;
')
########################################