
libcgroup policy (concept)



Attached policy targets some libcgroup stuff. The policy is largely
untested (I do have it running on a few servers here, but I get some AVC
denials that I am not quite sure what to do with).

# Init scripts: cgconfig sets up the cgroup hierarchy, cgred starts cgrulesengd.
/etc/rc\.d/init\.d/cgconfig		--	gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
/etc/rc\.d/init\.d/cgred		--	gen_context(system_u:object_r:cgrulesengd_initrc_exec_t, s0)

# Entrypoints: init_daemon_domain() in the .te transitions into the
# cgrulesengd_t / cgconfigparser_t domains from these types.
/sbin/cgrulesengd			--	gen_context(system_u:object_r:cgrulesengd_exec_t, s0)
/sbin/cgconfigparser		--	gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
## <summary>Control group rules engine daemon.</summary>
## <desc>
##	<p>
##		cgrulesengd is a daemon that distributes processes
##		to control groups. When any process changes its
##		effective UID or GID, cgrulesengd inspects the list of
##		rules loaded from the cgrules.conf file and moves the
##		process to the appropriate control group.
##	</p>
##	<p>
##		The list of rules is read during daemon startup and
##		cached in the daemon's memory. The daemon reloads the
##		list of rules when it receives the SIGUSR2 signal.
##	</p>
## </desc>

########################################
## <summary>
##	Read and write the cgrulesengd socket file
##	kept in the pid directory (/var/run).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libcgroup_cgrulesengd_rw_pid_sock_file', `
	gen_require(`
		type cgrulesengd_var_run_t;
	')

	# The sock file sits below the pid directory, so the caller
	# has to be able to search that directory to reach it.
	files_search_pids($1)
	rw_sock_files_pattern($1, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
')

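########################################
## <summary>
##	Connect to cgrulesengd over its unix stream socket.
## </summary>
## <desc>
##	<p>
##	Grants everything a client needs to connect to the
##	cgrulesengd socket: search on the pid directory, write
##	on the sock file and connectto on the daemon's socket.
##	Callers therefore do not also need
##	libcgroup_cgrulesengd_rw_pid_sock_file().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`libcgroup_cgrulesengd_stream_connect', `
	gen_require(`
		type cgrulesengd_t, cgrulesengd_var_run_t;
	')

	# connectto on its own is not usable: connecting through a
	# filesystem socket also needs write on the sock file and
	# search on the directory holding it, which the standard
	# stream_connect_pattern() provides.
	files_search_pids($1)
	stream_connect_pattern($1, cgrulesengd_var_run_t, cgrulesengd_var_run_t, cgrulesengd_t)
')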
policy_module(libcgroup, 1.0.0) 

########################################
#
# cgrulesengd personal declarations.
#

# Daemon domain plus the entrypoint type of /sbin/cgrulesengd
# (labeled in the file contexts); init_daemon_domain() wires up
# the transition from init.
type cgrulesengd_t;
type cgrulesengd_exec_t;
init_daemon_domain(cgrulesengd_t, cgrulesengd_exec_t)

# Init script type for /etc/rc.d/init.d/cgred.
type cgrulesengd_initrc_exec_t;
init_script_file(cgrulesengd_initrc_exec_t)

# Type of the daemon's socket file under the pid directory (/var/run).
type cgrulesengd_var_run_t;
files_pid_file(cgrulesengd_var_run_t)

# NOTE(review): in permissive mode denials for cgrulesengd_t are only
# logged, never enforced. Fine while the rules are being collected from
# AVC messages, but this line must go before the module is shipped as
# enforcing policy.
permissive cgrulesengd_t;

########################################
#
# cgconfig personal declarations.
#

# Domain for /sbin/cgconfigparser and its entrypoint type.
type cgconfigparser_t;
type cgconfigparser_exec_t;
init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)

# Init script type for /etc/rc.d/init.d/cgconfig.
type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)

# NOTE(review): permissive, so nothing below is enforced for
# cgconfigparser_t; remove once the policy is complete.
permissive cgconfigparser_t;

########################################
#
# cgrulesengd personal policy.
#

# Both capabilities are powerful. Presumably net_admin is needed for
# the netlink socket below and sys_ptrace for reading other processes'
# /proc state — confirm each against an actual AVC denial before
# keeping it.
allow cgrulesengd_t self:capability { net_admin sys_ptrace };
# NOTE(review): looks like the netlink socket is how the daemon is told
# about uid/gid changes in other processes (see the module summary in
# the interface file) — confirm.
allow cgrulesengd_t self:netlink_socket { write bind create read };
allow cgrulesengd_t self:unix_dgram_socket { write create connect };

# The daemon creates its own socket file in the pid directory; the
# filetrans rule gives it the cgrulesengd_var_run_t label.
manage_sock_files_pattern(cgrulesengd_t, cgrulesengd_var_run_t, cgrulesengd_var_run_t)
files_pid_filetrans(cgrulesengd_t, cgrulesengd_var_run_t, sock_file)

# The daemon inspects every process, hence state of all domains.
domain_read_all_domains_state(cgrulesengd_t)

# cgrules.conf is read from /etc.
files_read_etc_files(cgrulesengd_t)

kernel_read_system_state(cgrulesengd_t)

logging_send_syslog_msg(cgrulesengd_t)

miscfiles_read_localization(cgrulesengd_t)

# Moving a process into a control group is a write to a file on the
# cgroup fs. As refpolicy labels it, files there all share cgroup_t, so
# this grants write on every control file, not just the tasks file the
# daemon needs; there is no finer type to use.
optional_policy(`
	fs_write_cgroup_files(cgrulesengd_t)
')

########################################
#
# cgconfig personal policy.
#

# The parser mounts the cgroup hierarchy under /mnt and manages
# the directories there.
files_manage_mnt_dirs(cgconfigparser_t)
files_mounton_mnt(cgconfigparser_t)

# Configuration (presumably cgconfig.conf) is read from /etc.
files_read_etc_files(cgconfigparser_t)

# /mnt/cgroups/cpu: presumably unlabeled until the cgroup fs is
# mounted on top of it, which is why listing unlabeled dirs is
# needed — confirm against the denial.
kernel_list_unlabeled(cgconfigparser_t)
kernel_read_system_state(cgconfigparser_t)

# Interfaces from the cgroup fs patch: mount the filesystem, then
# create, set attributes on, and read/write the control group
# dirs and files.
optional_policy(`
	fs_mount_cgroup_fs(cgconfigparser_t)
	fs_manage_cgroup_dirs(cgconfigparser_t)
	fs_rw_cgroup_files(cgconfigparser_t)
	fs_setattr_cgroup_files(cgconfigparser_t)
')
## <summary>Patch to facilitate interface to interact with cgroup fs.</summary>
## <desc>
##	<p>
##		Add interfaces to allow for interaction with cgroupfs
##		for initrc (cgconfig) and for cgrulesengd.
##	</p>
## </desc>

########################################
## <summary>
##	Mount a cgroup filesystem.
## </summary>
## <desc>
##	<p>
##	Only the mount permission on the cgroup_t filesystem
##	is granted; use fs_remount_cgroup_fs() and
##	fs_unmount_cgroup_fs() for the other two operations.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_mount_cgroup_fs', `
	gen_require(`
		type cgroup_t;
	')

	allow $1 cgroup_t:filesystem mount;
')

########################################
## <summary>
##	Remount a cgroup filesystem. This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_remount_cgroup_fs', `
	gen_require(`
		type cgroup_t;
	')

	allow $1 cgroup_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a cgroup file system.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_unmount_cgroup_fs', `
	gen_require(`
		type cgroup_t;
	')

	# Unmount only; mount and remount have their own interfaces.
	allow $1 cgroup_t:filesystem unmount;
')

########################################
## <summary>
##	Read and write files on cgroup
##	file systems.
## </summary>
## <desc>
##	<p>
##	Covers every file labeled cgroup_t, which as refpolicy
##	labels the cgroup fs means all control files of the
##	hierarchy, not a particular one.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_rw_cgroup_files',`
	gen_require(`
		type cgroup_t;
	')

	# Directory search first, then the file access itself.
	fs_search_cgroup_dirs($1)
	rw_files_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
##	Set attributes of files on cgroup
##	file systems.
## </summary>
## <desc>
##	<p>
##	Applies to every file labeled cgroup_t; used by the
##	cgconfig side to fix up ownership/permissions of the
##	control files after the hierarchy is created.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_setattr_cgroup_files',`
	gen_require(`
		type cgroup_t;
	')

	# Directory search first, then setattr on the files.
	fs_search_cgroup_dirs($1)
	setattr_files_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
##	Manage dirs on cgroup
##	file systems.
## </summary>
## <desc>
##	<p>
##	Create, delete, rename and otherwise manage control
##	group directories (every dir labeled cgroup_t).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_manage_cgroup_dirs',`
	gen_require(`
		type cgroup_t;

	')

	manage_dirs_pattern($1, cgroup_t, cgroup_t)
')

########################################
## <summary>
##	Search dirs on cgroup
##	file systems.
## </summary>
## <desc>
##	<p>
##	Building block for the other fs_*_cgroup_files
##	interfaces, which need search on the directories
##	before they can reach the files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_search_cgroup_dirs', `
	gen_require(`
		type cgroup_t;

	')

	allow $1 cgroup_t:dir search;
')

########################################
## <summary>
##	Write files on cgroup
##	file systems.
## </summary>
## <desc>
##	<p>
##	Write-only access to every file labeled cgroup_t. This
##	is what a daemon needs to move a process into a control
##	group, but since the cgroup fs carries a single type it
##	also covers every other control file in the hierarchy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_write_cgroup_files', `
	gen_require(`
		type cgroup_t;
	')

	# Directory search first, then write on the files.
	fs_search_cgroup_dirs($1)
	write_files_pattern($1, cgroup_t, cgroup_t)
')
policy_module(patch_fs_interact_with_cgroup_fs_for_initrc_and_cgconfig, 1.0.0) 

########################################
#
# Declarations
#

# This module declares no types of its own. It only carries the
# fs_*_cgroup_* interfaces in its .if file, which all operate on
# cgroup_t, a type declared elsewhere (required via gen_require).
# see interface file.
## <summary>Allows cgconfig and cgrulesengd init scripts to interact with files and dirs on cgroup fs.</summary>
## <desc>
##	<p>
##		Allows cgconfig and cgrulesengd init scripts to
##		interact with files and dirs on cgroup fs.
##	</p>
## </desc>

policy_module(patch_initrc_to_allow_cgconf_cgrulesengd_manage_files_on_cgroup_fs, 1.0.0) 

########################################
#
# Declarations
#

# No types are declared here; all rules target initrc_t, which is
# required from the init module rather than declared in this one.
# NOTE(review): this is a broad grant — initrc_t gets manage on every
# cgroup_t dir and read/write/setattr on every cgroup_t file, not only
# on what the cgconfig and cgred scripts touch. A narrower rule is not
# possible while the whole cgroup fs shares a single type.
optional_policy(`
	gen_require(`
		type initrc_t;
	')

	# Set up and tear down the hierarchy from the init scripts.
	fs_manage_cgroup_dirs(initrc_t)
	fs_rw_cgroup_files(initrc_t)
	fs_setattr_cgroup_files(initrc_t)

	# Reach the cgrulesengd sock file in the pid directory and
	# connect to the daemon over it.
	libcgroup_cgrulesengd_rw_pid_sock_file(initrc_t)
	libcgroup_cgrulesengd_stream_connect(initrc_t)
')


