Old 11-25-2009, 07:00 PM
Dominick Grift
 
Default libcgroup policy (concept)

Attached policy targets some libcgroup stuff. The policy is largely
untested (i do have it running on a few servers here but i get some avc
denials that i am not quite sure what to do with)

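# File contexts for the libcgroup module: one entry per path, the
# file-type spec ("--" = regular files only) and the label assigned on
# relabel. The context is always system_u:object_r:TYPE plus the low
# sensitivity s0; the TYPE must match a type declared in libcgroup.te.
/etc/rc.d/init.d/cgconfig	--	gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
/etc/rc.d/init.d/cgred	--	gen_context(system_u:object_r:cgrulesengd_initrc_exec_t, s0)

/sbin/cgrulesengd	--	gen_context(system_u:object_r:cgrulesengd_exec_t, s0)
/sbin/cgconfigparser	--	gen_context(system_u:object_r:cgconfigparser_exec_t, s0)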
## <summary>Control group rules engine daemon.</summary>
## <desc>
## <p>
## cgrulesengd is a daemon, which distributes processes
## to control groups. When any process changes its
## effective UID or GID, cgrulesengd inspects list of
## rules loaded from cgrules.conf file and moves the
## process to the appropriate control group.
## </p>
## <p>
## The list of rules is read during daemon startup and
## cached in the memory of the daemon. The daemon reloads the
## list of rules when it receives the SIGUSR2 signal.
## </p>
## </desc>

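########################################
## <summary>
##	Read and write the cgrulesengd socket file in /var/run.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libcgroup_cgrulesengd_rw_pid_sock_file',`
	gen_require(`
		type cgrulesengd_var_run_t;
	')

	# Read/write on the sock_file and search on its directory type;
	# the caller must also be able to traverse /var/run itself,
	# which files_search_pids provides.
	rw_sock_files_pattern($1, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
	files_search_pids($1)
')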

########################################
## <summary>
## Unix stream socket connect to cgrulesengd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`libcgroup_cgrulesengd_stream_connect', `
gen_require(`
type cgrulesengd_t;
')

# Client side only: connectto on the daemon domain lets the caller
# connect to a unix stream socket that a cgrulesengd_t process is
# listening on. Access to the socket file itself is separate; see
# libcgroup_cgrulesengd_rw_pid_sock_file.
allow $1 cgrulesengd_t:unix_stream_socket connectto;
')

policy_module(libcgroup, 1.0.0)

########################################
#
# cgrulesengd personal declarations.
#

# Daemon domain and its entrypoint type; init_daemon_domain makes
# cgrulesengd_t a daemon domain entered from init through the exec type.
type cgrulesengd_t;
type cgrulesengd_exec_t;
init_daemon_domain(cgrulesengd_t, cgrulesengd_exec_t)

# Label of the cgred init script (see the file contexts).
type cgrulesengd_initrc_exec_t;
init_script_file(cgrulesengd_initrc_exec_t)

# Type of the socket file the daemon keeps under /var/run.
type cgrulesengd_var_run_t;
files_pid_file(cgrulesengd_var_run_t)

# Concept policy: the domain is permissive, so denials are logged but
# nothing is enforced and the domain confines nothing yet. Remove this
# line once the outstanding AVC denials have been resolved.
permissive cgrulesengd_t;

########################################
#
# cgconfig personal declarations.
#

# Domain for /sbin/cgconfigparser and its entrypoint type.
type cgconfigparser_t;
type cgconfigparser_exec_t;
init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)

# Label of the cgconfig init script (see the file contexts).
type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)

# Permissive while the policy is being worked out: denials are only
# logged. Drop this before the module is relied on for confinement.
permissive cgconfigparser_t;

########################################
#
# cgrulesengd personal policy.
#

# Two broad capabilities. net_admin is presumably for the netlink
# socket below; sys_ptrace is presumably needed to read state of
# processes owned by other users. Confirm both against the actual AVC
# denials rather than keeping them on assumption.
allow cgrulesengd_t self:capability { net_admin sys_ptrace };
# Generic netlink class. The daemon reacts to UID/GID changes of other
# processes (see the interface file summary), which suggests the process
# connector; check whether the denials name a more specific netlink class.
allow cgrulesengd_t self:netlink_socket { write bind create read };
# Unix datagram client socket; presumably the syslog path, matching
# logging_send_syslog_msg below.
allow cgrulesengd_t self:unix_dgram_socket { write create connect };

# Create, use and remove its own socket file under /var/run, and label
# sock_file objects it creates there cgrulesengd_var_run_t automatically.
manage_sock_files_pattern(cgrulesengd_t, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
files_pid_filetrans(cgrulesengd_t, cgrulesengd_var_run_t, sock_file)

# Read process state of every domain, not only selected ones. Needed to
# classify arbitrary processes, but it is a wide grant.
domain_read_all_domains_state(cgrulesengd_t)

# Rule configuration under /etc.
files_read_etc_files(cgrulesengd_t)

kernel_read_system_state(cgrulesengd_t)

logging_send_syslog_msg(cgrulesengd_t)

miscfiles_read_localization(cgrulesengd_t)

# fs_write_cgroup_files is supplied by the separate patch module, which
# is presumably why the call is wrapped in optional_policy. Write only:
# the daemon moves processes into groups, it does not read the cgroup fs.
optional_policy(`
fs_write_cgroup_files(cgrulesengd_t)
')

########################################
#
# cgconfig personal policy.
#

# The fs_*_cgroup_* interfaces come from the separate patch module,
# presumably the reason for the optional_policy wrapper. This is the
# only domain on this page allowed to mount the cgroup filesystem.
optional_policy(`
fs_manage_cgroup_dirs(cgconfigparser_t)
fs_rw_cgroup_files(cgconfigparser_t)
fs_setattr_cgroup_files(cgconfigparser_t)
fs_mount_cgroup_fs(cgconfigparser_t)
')

# Mount points are created under /mnt (see the /mnt/cgroups/cpu note
# below), so the parser needs to make dirs there and mount on them.
files_mounton_mnt(cgconfigparser_t)
files_manage_mnt_dirs(cgconfigparser_t)

# Configuration under /etc.
files_read_etc_files(cgconfigparser_t)

# /mnt/cgroups/cpu
# Presumably the mount point is unlabeled before the filesystem is
# mounted on it; confirm with the denial this was added for.
kernel_list_unlabeled(cgconfigparser_t)
kernel_read_system_state(cgconfigparser_t)

## <summary>Patch adding interfaces for interacting with the cgroup filesystem.</summary>
## <desc>
## <p>
## Add interfaces to allow interaction with cgroupfs
## for initrc (cgconfig) and for cgrulesengd.
## </p>
## </desc>

########################################
## <summary>
## Mount a cgroup filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_mount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Mount permission only; remount and unmount are separate interfaces
# so callers can be granted exactly the operation they need.
allow $1 cgroup_t:filesystem mount;
')

########################################
## <summary>
## Remount a cgroup filesystem. This allows
## some mount options to be changed.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_remount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Remount only; does not imply mount or unmount.
allow $1 cgroup_t:filesystem remount;
')

########################################
## <summary>
## Unmount a cgroup file system.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_unmount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Unmount only; does not imply mount or remount.
allow $1 cgroup_t:filesystem unmount;
')

########################################
## <summary>
## Read and write files on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;

')

# cgroup_t labels the dirs and the files of the mounted cgroup fs alike,
# hence the same type for the dir and file arguments. Search on the
# dirs is granted separately so the pattern and the search interface
# stay in step.
rw_files_pattern($1, cgroup_t, cgroup_t)
fs_search_cgroup_dirs($1)
')

########################################
## <summary>
## Set attributes of files on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_setattr_cgroup_files',`
gen_require(`
type cgroup_t;

')

# setattr on files only (e.g. ownership/mode of controller files);
# no read or write is implied.
setattr_files_pattern($1, cgroup_t, cgroup_t)
fs_search_cgroup_dirs($1)
')

########################################
## <summary>
## Manage dirs on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_manage_cgroup_dirs',`
gen_require(`
type cgroup_t;

')

# Full directory management (create, rename, remove, list) on the
# cgroup tree, i.e. creating and deleting control groups. Files inside
# the groups are not covered; see fs_rw_cgroup_files and
# fs_setattr_cgroup_files.
manage_dirs_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
## Search dirs on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_search_cgroup_dirs', `
gen_require(`
type cgroup_t;

')

# Bare search permission, nothing more: enough to traverse into the
# cgroup tree, which the file interfaces in this file build on.
allow $1 cgroup_t:dir search;
')

########################################
## <summary>
## Write files on cgroup
## file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_write_cgroup_files', `
gen_require(`
type cgroup_t;

')

# Write-only counterpart of fs_rw_cgroup_files: the caller can write
# controller files but not read them. libcgroup.te grants this to
# cgrulesengd_t, which apparently only needs to write when it moves
# processes between groups.
write_files_pattern($1, cgroup_t, cgroup_t)
fs_search_cgroup_dirs($1)
')
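policy_module(patch_fs_interact_with_cgroup_fs_for_initrc_and_cgconfig, 1.0.0)

########################################
#
# Declarations
#

# Nothing to declare: this module only carries the fs_*_cgroup_*
# interfaces in its interface file. cgroup_t is not declared here;
# every interface pulls it in with gen_require, so the module links
# only where that type already exists.
#
# NOTE(review): the interfaces use the fs_ prefix although they live
# outside the filesystem module. If the base policy later ships
# interfaces of the same names, m4 will see them defined twice, so
# this patch should be dropped in favour of the base ones at that point.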

## <summary>Allows cgconfig and cgrulesengd init scripts to interact with files and dirs on cgroup fs.</summary>
## <desc>
## <p>
## Allows cgconfig and cgrulesengd init scripts to
## interact with files and dirs on cgroup fs.
## </p>
## </desc>

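policy_module(patch_initrc_to_allow_cgconf_cgrulesengd_manage_files_on_cgroup_fs, 1.0.0)

########################################
#
# Declarations
#

# No types of its own; initrc_t is required from the init module and
# the interfaces come from the libcgroup and fs patch modules, hence
# the optional_policy wrapper.
optional_policy(`
	gen_require(`
		type initrc_t;
	')

	# NOTE(review): initrc_t is the domain every init script runs in,
	# so this hands cgroup tree management to all of them, not only to
	# the cgconfig and cgred scripts. A dedicated domain for those two
	# scripts would keep the grant narrow.
	fs_manage_cgroup_dirs(initrc_t)
	fs_rw_cgroup_files(initrc_t)
	fs_setattr_cgroup_files(initrc_t)

	# Presumably for the cgred script, which talks to the running
	# daemon over its socket under /var/run.
	libcgroup_cgrulesengd_rw_pid_sock_file(initrc_t)
	libcgroup_cgrulesengd_stream_connect(initrc_t)
')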
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-01-2009, 03:17 PM
Dominick Grift
 
Default libcgroup policy (concept)

On 11/25/2009 09:00 PM, Dominick Grift wrote:
> Attached policy targets some libcgroup stuff. The policy is largely
> untested (i do have it running on a few servers here but i get some avc
> denials that i am not quite sure what to do with)
>

virtd_t also needs access to cgroup_t: I have heard people suggest this is an
el6 blocker bug.

see my selinux-modules.git repository for fixes for this.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
