[selinux-policy: 2722/3172] Rearrange cgroup interfaces in filesystem.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:02:12 UTC 2010


commit 860c05d9de863257279699eaf605e1e109b01151
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jun 8 09:10:45 2010 -0400

    Rearrange cgroup interfaces in filesystem.

 policy/modules/kernel/filesystem.if |   90 +++++++++++++++++-----------------
 1 files changed, 45 insertions(+), 45 deletions(-)
---
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 4052ab9..85b3bb4 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -559,7 +559,7 @@ interface(`fs_register_binary_executable_type',`
 
 ########################################
 ## <summary>
-##	Get attributes of cgroup filesystems.
+##	Mount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -567,17 +567,17 @@ interface(`fs_register_binary_executable_type',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_getattr_cgroup',`
+interface(`fs_mount_cgroup', `
 	gen_require(`
 		type cgroup_t;
 	')
 
-	allow $1 cgroup_t:filesystem getattr;
+	allow $1 cgroup_t:filesystem mount;
 ')
 
 ########################################
 ## <summary>
-##	Mount cgroup filesystems.
+##	Remount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -585,17 +585,17 @@ interface(`fs_getattr_cgroup',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_mount_cgroup', `
+interface(`fs_remount_cgroup', `
 	gen_require(`
 		type cgroup_t;
 	')
 
-	allow $1 cgroup_t:filesystem mount;
+	allow $1 cgroup_t:filesystem remount;
 ')
 
 ########################################
 ## <summary>
-##	Mount on cgroup directories.
+##	Unmount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -603,17 +603,17 @@ interface(`fs_mount_cgroup', `
 ##	</summary>
 ## </param>
 #
-interface(`fs_mounton_cgroup', `
+interface(`fs_unmount_cgroup', `
 	gen_require(`
 		type cgroup_t;
 	')
 
-	allow $1 cgroup_t:dir mounton;
+	allow $1 cgroup_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
-##	Remount cgroup filesystems.
+##	Get attributes of cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -621,17 +621,17 @@ interface(`fs_mounton_cgroup', `
 ##	</summary>
 ## </param>
 #
-interface(`fs_remount_cgroup', `
+interface(`fs_getattr_cgroup',`
 	gen_require(`
 		type cgroup_t;
 	')
 
-	allow $1 cgroup_t:filesystem remount;
+	allow $1 cgroup_t:filesystem getattr;
 ')
 
 ########################################
 ## <summary>
-##	Unmount cgroup filesystems.
+##	Search cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -639,17 +639,18 @@ interface(`fs_remount_cgroup', `
 ##	</summary>
 ## </param>
 #
-interface(`fs_unmount_cgroup', `
+interface(`fs_search_cgroup_dirs',`
 	gen_require(`
 		type cgroup_t;
+
 	')
 
-	allow $1 cgroup_t:filesystem unmount;
+	search_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Delete cgroup directories.
+##	list cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
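Review bot: The relocated `fs_search_cgroup_dirs` block adds an empty line inside `gen_require`, right after `type cgroup_t;`, and the same stray line is added to `fs_manage_cgroup_files` in the last hunk. The summary of `fs_list_cgroup_dirs` at the end of this hunk is the only one in the section that starts in lower case; I would write `##	List cgroup directories.`. The moved blocks also open `interface(` both with and without a space after the comma, and settling on one form while they are being reordered would keep later diffs quiet. The `fs_list_cgroup_dirs` header continues outside this hunk.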
@@ -657,17 +658,17 @@ interface(`fs_unmount_cgroup', `
 ##	</summary>
 ## </param>
 #
-interface(`fs_delete_cgroup_dirs', `
+interface(`fs_list_cgroup_dirs', `
 	gen_require(`
 		type cgroup_t;
 	')
 
-	delete_dirs_pattern($1, cgroup_t, cgroup_t)
+	list_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	list cgroup directories.
+##	Delete cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -675,12 +676,12 @@ interface(`fs_delete_cgroup_dirs', `
 ##	</summary>
 ## </param>
 #
-interface(`fs_list_cgroup_dirs', `
+interface(`fs_delete_cgroup_dirs', `
 	gen_require(`
 		type cgroup_t;
 	')
 
-	list_dirs_pattern($1, cgroup_t, cgroup_t)
+	delete_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
@@ -704,7 +705,7 @@ interface(`fs_manage_cgroup_dirs',`
 
 ########################################
 ## <summary>
-##	Search cgroup directories.
+##	Read cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -712,18 +713,18 @@ interface(`fs_manage_cgroup_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_search_cgroup_dirs',`
+interface(`fs_read_cgroup_files',`
 	gen_require(`
 		type cgroup_t;
 
 	')
 
-	search_dirs_pattern($1, cgroup_t, cgroup_t)
+	read_files_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Manage cgroup files.
+##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -731,18 +732,17 @@ interface(`fs_search_cgroup_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_cgroup_files',`
+interface(`fs_write_cgroup_files', `
 	gen_require(`
 		type cgroup_t;
-
 	')
 
-	manage_files_pattern($1, cgroup_t, cgroup_t)
+	write_files_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Read cgroup files.
+##	Read and write cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
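Review bot: `fs_write_cgroup_files` is documented only as "Write cgroup files", which says nothing about what the grant means in practice. Files labelled `cgroup_t` are presumably the controller's control files, so write access would let the calling domain change resource limits and task membership. A `<desc>` paragraph stating that, and pointing callers at `fs_read_cgroup_files` when they only need to inspect state, would help policy authors pick the narrower interface. The summary that follows at the end of this hunk belongs to the next interface, whose body is outside the hunk.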
@@ -750,37 +750,38 @@ interface(`fs_manage_cgroup_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_read_cgroup_files',`
+interface(`fs_rw_cgroup_files',`
 	gen_require(`
 		type cgroup_t;
 
 	')
 
-	read_files_pattern($1, cgroup_t, cgroup_t)
+	rw_files_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write cgroup files.
+##	Do not audit attempts to open,
+##	get attributes, read and write
+##	cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #
-interface(`fs_rw_cgroup_files',`
+interface(`fs_dontaudit_rw_cgroup_files',`
 	gen_require(`
 		type cgroup_t;
-
 	')
 
-	rw_files_pattern($1, cgroup_t, cgroup_t)
+	dontaudit $1 cgroup_t:file rw_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Write cgroup files.
+##	Manage cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
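Review bot: `fs_dontaudit_rw_cgroup_files` suppresses denials for everything in `rw_file_perms`, while its summary lists only open, get attributes, read and write. If the permission set in this tree also carries append, ioctl or lock (worth checking where `rw_file_perms` is defined), those denials vanish from the audit log too and the summary should say so. I would also add a `<desc>` noting that the rule hides AVC denials on cgroup files and that `semodule -DB` rebuilds the policy with dontaudit rules disabled when an investigation needs them. The interface fits domains that touch cgroup files incidentally, not ones where a denied write is a signal worth keeping.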
@@ -788,32 +789,31 @@ interface(`fs_rw_cgroup_files',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_write_cgroup_files', `
+interface(`fs_manage_cgroup_files',`
 	gen_require(`
 		type cgroup_t;
+
 	')
 
-	write_files_pattern($1, cgroup_t, cgroup_t)
+	manage_files_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##	Do not audit attempts to open,
-##	get attributes, read and write
-##	cgroup files.
+##	Mount on cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain to not audit.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`fs_dontaudit_rw_cgroup_files',`
+interface(`fs_mounton_cgroup', `
 	gen_require(`
 		type cgroup_t;
 	')
 
-	dontaudit $1 cgroup_t:file rw_file_perms;
+	allow $1 cgroup_t:dir mounton;
 ')
 
 ########################################
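Review bot: `fs_mounton_cgroup` now sits after the file interfaces, although `mounton` is a `dir` permission and the rest of the section reads filesystem, then directories, then files. Placing it beside `fs_mount_cgroup`, `fs_remount_cgroup` and `fs_unmount_cgroup`, or with the directory interfaces, would let a reviewer see every mount-related grant on `cgroup_t` in one place. If the trailing position is deliberate, a short comment above the block saying why would help.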

