Old 12-18-2009, 07:50 PM
Dominick Grift
 
Default libcg policy

The policy below works for me, but there are variables: for example, I chose to
mount the cgroup fs in /mnt/, while some mount it in /dev and others in /proc.

Also, the interface naming could be better, and unfortunately a lot is done in
init scripts.

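# File contexts for the libcgroup daemons and their init scripts.
# "--" restricts each entry to regular files. The init scripts are labeled
# *_initrc_exec_t and the daemon binaries *_exec_t; both sets of types are
# declared in libcgroup.te. (The mail archive had mangled "system_u:object_r"
# and split the type names with stray spaces; repaired here.)
/etc/rc.d/init.d/cgconfig	--	gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
/etc/rc.d/init.d/cgred	--	gen_context(system_u:object_r:cgrulesengd_initrc_exec_t,s0)

/sbin/cgrulesengd	--	gen_context(system_u:object_r:cgrulesengd_exec_t,s0)
/sbin/cgconfigparser	--	gen_context(system_u:object_r:cgconfigparser_exec_t,s0)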

policy_module(libcgroup, 1.0.0)

########################################
#
# cgrulesengd personal declarations.
#

# Domain for the cgrulesengd daemon and the entrypoint type of its binary
# (/sbin/cgrulesengd in the file contexts). init_daemon_domain() is the
# standard refpolicy init -> daemon domain transition.
type cgrulesengd_t;
type cgrulesengd_exec_t;
init_daemon_domain(cgrulesengd_t, cgrulesengd_exec_t)

# Label for the /etc/rc.d/init.d/cgred init script.
type cgrulesengd_initrc_exec_t;
init_script_file(cgrulesengd_initrc_exec_t)

# Type for the daemon's socket file under /var/run; created via the
# files_pid_filetrans() rule in the personal policy below.
type cgrulesengd_var_run_t;
files_pid_file(cgrulesengd_var_run_t)

# NOTE(review): a permissive domain logs denials but does not enforce them,
# so the rules below are not actually being exercised for completeness while
# this line is present. Drop it once the audit log is clean in enforcing mode.
permissive cgrulesengd_t;

########################################
#
# cgconfig personal declarations.
#

# Domain for cgconfigparser, which sets up the cgroup hierarchy, and the
# entrypoint type of its binary (/sbin/cgconfigparser in the file contexts).
type cgconfigparser_t;
type cgconfigparser_exec_t;
init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)

# Label for the /etc/rc.d/init.d/cgconfig init script.
type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)

# NOTE(review): permissive -- denials are logged, not enforced. The mount and
# directory-management grants below are therefore unverified until this is
# removed and the domain runs enforcing.
permissive cgconfigparser_t;

########################################
#
# cgrulesengd personal policy.
#

# net_admin: presumably for the netlink socket below; sys_ptrace: reading
# other processes' /proc state (see domain_read_all_domains_state below).
# NOTE(review): dac_override is a broad capability that usually indicates a
# file ownership/permission problem rather than a genuine policy need --
# confirm from audit logs that it is actually required.
allow cgrulesengd_t self:capability { net_admin sys_ptrace dac_override };
allow cgrulesengd_t self:netlink_socket { write bind create read };
# unix_dgram_socket: presumably for syslog (logging_send_syslog_msg below).
allow cgrulesengd_t self:unix_dgram_socket { write create connect };

# Socket file under /var/run: manage it and label it cgrulesengd_var_run_t
# when created there.
manage_sock_files_pattern(cgrulesengd_t, cgrulesengd_var_run_t,
cgrulesengd_var_run_t)
files_pid_filetrans(cgrulesengd_t, cgrulesengd_var_run_t, sock_file)

# Wide grant: read the process state of every domain. Presumably needed to
# look up the uid/gid of processes being placed into cgroups (see the .if
# module summary); consider narrowing once the daemon's needs are confirmed.
domain_read_all_domains_state(cgrulesengd_t)

files_read_etc_files(cgrulesengd_t)

# Search plus getattr on every file type on the system. Also wide; the
# daemon only needs it on whatever paths it actually inspects.
files_search_all(cgrulesengd_t)
files_getattr_all_files(cgrulesengd_t)
files_getattr_all_dirs(cgrulesengd_t)
files_getattr_all_sockets(cgrulesengd_t)
files_getattr_all_pipes(cgrulesengd_t)
files_getattr_all_symlinks(cgrulesengd_t)
# NOTE(review): the comment below has no rule attached in the original;
# presumably files_read_all_symlinks() was intended -- confirm against audit.
# read all link files.

kernel_read_system_state(cgrulesengd_t)

logging_send_syslog_msg(cgrulesengd_t)

miscfiles_read_localization(cgrulesengd_t)

# Write the cgroup control files (e.g. moving tasks between groups).
# fs_write_cgroup_files comes from the filesystem patch further down in
# this message; the filesystem module is part of base, so the
# optional_policy wrapper is not strictly needed here.
optional_policy(`
fs_write_cgroup_files(cgrulesengd_t)
')

########################################
#
# cgconfig personal policy.
#

# Mount the cgroup fs and create/manage the hierarchy underneath it:
# directories, control file contents and control file attributes. These
# interfaces come from the filesystem patch further down in this message.
optional_policy(`
fs_manage_cgroup_dirs(cgconfigparser_t)
fs_rw_cgroup_files(cgconfigparser_t)
fs_setattr_cgroup_files(cgconfigparser_t)
fs_mount_cgroup_fs(cgconfigparser_t)
')

# The cgroup fs is mounted under /mnt on this system (see the message text);
# these two rules tie the policy to that location and would have to change
# for a /dev or /proc mount point.
files_mounton_mnt(cgconfigparser_t)
files_manage_mnt_dirs(cgconfigparser_t)

files_read_etc_files(cgconfigparser_t)
## <summary>Control group rules engine daemon.</summary>
## <desc>
## <p>
## cgrulesengd is a daemon which distributes processes
## to control groups. When any process changes its
## effective UID or GID, cgrulesengd inspects the list of
## rules loaded from the cgrules.conf file and moves the
## process to the appropriate control group.
## </p>
## <p>
## The list of rules is read during daemon startup and
## cached in the daemon's memory. The daemon reloads the
## list of rules when it receives the SIGUSR2 signal.
## </p>
## </desc>

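########################################
## <summary>
##	Read and write the cgrulesengd socket file in /var/run.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libcgroup_cgrulesengd_rw_pid_sock_file',`
	gen_require(`
		type cgrulesengd_var_run_t;
	')

	# Search on /var/run plus read/write on the cgrulesengd_var_run_t socket
	# file. Connecting to the listening socket itself is a separate grant:
	# libcgroup_cgrulesengd_stream_connect().
	# (The original had a stray space before the comma in the interface()
	# call, which m4 would keep as part of the macro name.)
	files_search_pids($1)
	rw_sock_files_pattern($1, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
')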

########################################
## <summary>
##	Connect to the cgrulesengd unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libcgroup_cgrulesengd_stream_connect', `
gen_require(`
type cgrulesengd_t;
')

# Only connectto on the daemon's socket is granted here; write access to the
# socket file under /var/run comes from libcgroup_cgrulesengd_rw_pid_sock_file().
allow $1 cgrulesengd_t:unix_stream_socket connectto;
')

# These two cgconfigparser rules belong with the "cgconfig personal policy"
# section above; the interface file was pasted between them in this message.
# /mnt/cgroups/cpu
# NOTE(review): kernel_list_unlabeled grants listing of unlabeled_t
# directories -- presumably the controller directories under the mount point
# showed up unlabeled. Verify whether this is still needed once the cgroup
# mount is labeled, and drop it if so.
kernel_list_unlabeled(cgconfigparser_t)
kernel_read_system_state(cgconfigparser_t)
-------------------------------------------





-------------------------------------------
patch to filesystem
-------------------------------------------

## <summary>Patch adding interfaces to interact with the cgroup fs.</summary>
## <desc>
## <p>
## Add interfaces to allow for interaction with cgroupfs
## for initrc (cgconfig) and for cgrulesengd.
## </p>
## </desc>

########################################
## <summary>
##	Mount a cgroup filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_mount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Mount is a privileged operation; keep callers to the domain that sets up
# the hierarchy (in this message only cgconfigparser_t calls it).
allow $1 cgroup_t:filesystem mount;
')

########################################
## <summary>
##	Remount a cgroup filesystem. This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_remount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Remount only; mount and unmount are separate interfaces so callers can be
# given the minimum they need.
allow $1 cgroup_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a cgroup filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_unmount_cgroup_fs', `
gen_require(`
type cgroup_t;
')

# Unmount only; see fs_mount_cgroup_fs and fs_remount_cgroup_fs for the
# other filesystem operations.
allow $1 cgroup_t:filesystem unmount;
')

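########################################
## <summary>
##	Read and write files on cgroup
##	file systems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_rw_cgroup_files',`
	gen_require(`
		type cgroup_t;
	')

	# rw_files_pattern already grants search_dir_perms on cgroup_t
	# directories, so a separate fs_search_cgroup_dirs() call is redundant
	# (consistent with fs_manage_cgroup_dirs and fs_list_cgroup_dirs).
	rw_files_pattern($1, cgroup_t, cgroup_t)
')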

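########################################
## <summary>
##	Set the attributes of files on cgroup
##	file systems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_setattr_cgroup_files',`
	gen_require(`
		type cgroup_t;
	')

	# setattr_files_pattern already grants search_dir_perms on cgroup_t
	# directories, so a separate fs_search_cgroup_dirs() call is redundant
	# (consistent with fs_manage_cgroup_dirs and fs_list_cgroup_dirs).
	setattr_files_pattern($1, cgroup_t, cgroup_t)
')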

########################################
## <summary>
##	Create, read, write, and delete directories
##	on cgroup file systems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_manage_cgroup_dirs',`
gen_require(`
type cgroup_t;

')

# Full directory management on cgroup_t, including search on the parent
# directories (part of the pattern macro).
manage_dirs_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
##	Search directories on cgroup
##	file systems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_search_cgroup_dirs', `
gen_require(`
type cgroup_t;

')

# Bare search permission only (no getattr/open); enough to traverse into
# the cgroup hierarchy.
allow $1 cgroup_t:dir search;
')

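########################################
## <summary>
##	Write files on cgroup
##	file systems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_write_cgroup_files', `
	gen_require(`
		type cgroup_t;
	')

	# write_files_pattern already grants search_dir_perms on cgroup_t
	# directories, so a separate fs_search_cgroup_dirs() call is redundant
	# (consistent with fs_manage_cgroup_dirs and fs_list_cgroup_dirs).
	write_files_pattern($1, cgroup_t, cgroup_t)
')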

########################################
## <summary>
##	List the contents of directories on cgroup
##	file systems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_list_cgroup_dirs', `
gen_require(`
type cgroup_t;

')

# Read-only: list directory entries (search on the parents comes with the
# pattern macro).
list_dirs_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
##	Create directories on cgroup
##	file systems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_create_cgroup_dirs', `
gen_require(`
type cgroup_t;
')

# Create only; use fs_manage_cgroup_dirs when delete/rename are also needed.
create_dirs_pattern($1, cgroup_t, cgroup_t)
')

----------------------------------------------
patch to init
---------------------------------------------

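# Glue module letting init scripts (initrc_t) set up the cgroup hierarchy
# and talk to cgrulesengd. The message describes this as a patch to init;
# as a standalone module, initrc_t has to be pulled in with gen_require.
# (The archive had split the module name with a stray space; repaired here.)
policy_module(patch_initrc_to_allow_cgconf_cgrulesengd_manage_files_on_cgroup_fs, 1.0.0)

########################################
#
# Policy
#

optional_policy(`
	gen_require(`
		type initrc_t;
	')

	# Create/manage cgroup directories and write the control files and
	# their attributes (interfaces from the filesystem patch above).
	fs_manage_cgroup_dirs(initrc_t)
	fs_rw_cgroup_files(initrc_t)
	fs_setattr_cgroup_files(initrc_t)

	# Reach the cgrulesengd daemon over its socket file in /var/run.
	libcgroup_cgrulesengd_rw_pid_sock_file(initrc_t)
	libcgroup_cgrulesengd_stream_connect(initrc_t)
')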

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list