
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Thu, 27 Aug 2015 18:00:18
Message-Id: 1440698375.0e45905f66e4db5450838600491521a25fbcb3fb.perfinion@gentoo
1 commit: 0e45905f66e4db5450838600491521a25fbcb3fb
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Wed Aug 26 06:19:58 2015 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu Aug 27 17:59:35 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e45905f
7
8 Add policy for cgmanager
9
10 policy/modules/contrib/cgmanager.fc | 3 ++
11 policy/modules/contrib/cgmanager.if | 22 +++++++++++++
12 policy/modules/contrib/cgmanager.te | 66 +++++++++++++++++++++++++++++++++++++
13 3 files changed, 91 insertions(+)
14
15 diff --git a/policy/modules/contrib/cgmanager.fc b/policy/modules/contrib/cgmanager.fc
16 new file mode 100644
17 index 0000000..8ea4a46
18 --- /dev/null
19 +++ b/policy/modules/contrib/cgmanager.fc
20 @@ -0,0 +1,3 @@
21 +/usr/sbin/cgmanager -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
22 +/usr/sbin/cgproxy -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
23 +/usr/sbin/cgm-release-agent -- gen_context(system_u:object_r:cgmanager_exec_t,s0)
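Review bot: All three binaries carry the same cgmanager_exec_t label, so cgproxy and cgm-release-agent will run in cgmanager_t with the sys_admin capability and the mount, unmount and cgroup-management rights the .te grants the manager itself. If cgproxy only relays requests to the manager's socket, a dedicated domain with a narrower rule set would be a tighter fit; if sharing the domain is deliberate, a short comment would save the next reviewer the question, e.g. `# cgproxy and cgm-release-agent intentionally share cgmanager_t`. This is inferred from the labels alone; the binaries' actual behavior is not visible here.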
24
25 diff --git a/policy/modules/contrib/cgmanager.if b/policy/modules/contrib/cgmanager.if
26 new file mode 100644
27 index 0000000..ad459a6
28 --- /dev/null
29 +++ b/policy/modules/contrib/cgmanager.if
30 @@ -0,0 +1,22 @@
31 +## <summary>Control Group manager daemon.</summary>
32 +
33 +########################################
34 +## <summary>
35 +## Connect to cgmanager with a unix
36 +## domain stream socket.
37 +## </summary>
38 +## <param name="domain">
39 +## <summary>
40 +## Domain allowed access.
41 +## </summary>
42 +## </param>
43 +#
44 +interface(`cgmanager_stream_connect',`
45 + gen_require(`
46 + type cgmanager_t, cgmanager_cgroup_t;
47 + ')
48 +
49 + fs_search_cgroup_dirs($1)
50 + list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
51 + stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
52 +')
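Review bot: The interface summary describes only the socket connection, but stream_connect_pattern on the last line lets the caller talk to cgmanager_t, which in the .te holds sys_admin and manages all cgroup directories, so any domain granted this interface gains indirect control over cgroup placement through the daemon. The summary block should say so, so that callers are added deliberately: `## Connect to cgmanager with a unix domain stream socket. The daemon then acts on the caller's behalf with its own privileges, so only grant this to domains that legitimately manage cgroups.` This is presumably how cgmanager serves clients; confirm against the daemon's request handling.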
53
54 diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te
55 new file mode 100644
56 index 0000000..5c32295
57 --- /dev/null
58 +++ b/policy/modules/contrib/cgmanager.te
59 @@ -0,0 +1,66 @@
60 +policy_module(cgmanager, 1.0.0)
61 +
62 +########################################
63 +#
64 +# Declarations
65 +#
66 +
67 +type cgmanager_t;
68 +type cgmanager_exec_t;
69 +init_daemon_domain(cgmanager_t, cgmanager_exec_t)
70 +
71 +type cgmanager_run_t;
72 +files_pid_file(cgmanager_run_t)
73 +
74 +type cgmanager_cgroup_t;
75 +files_type(cgmanager_cgroup_t)
76 +
77 +########################################
78 +#
79 +# CGManager local policy
80 +#
81 +
82 +allow cgmanager_t self:capability { sys_admin dac_override };
83 +allow cgmanager_t self:fifo_file rw_fifo_file_perms;
84 +
85 +manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
86 +manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
87 +manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
88 +files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
89 +allow cgmanager_t cgmanager_run_t:dir mounton;
90 +
91 +manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
92 +manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
93 +manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
94 +fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
95 +
96 +kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
97 +kernel_read_system_state(cgmanager_t)
98 +
99 +corecmd_exec_bin(cgmanager_t)
100 +can_exec(cgmanager_t, cgmanager_exec_t)
101 +
102 +domain_read_all_domains_state(cgmanager_t)
103 +
104 +files_read_etc_files(cgmanager_t)
105 +
106 +# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
107 +files_mounton_all_mountpoints(cgmanager_t)
108 +files_unmount_all_file_type_fs(cgmanager_t)
109 +fs_unmount_xattr_fs(cgmanager_t)
110 +
111 +fs_manage_cgroup_dirs(cgmanager_t)
112 +fs_manage_cgroup_files(cgmanager_t)
113 +
114 +fs_getattr_tmpfs(cgmanager_t)
115 +
116 +fs_manage_tmpfs_dirs(cgmanager_t)
117 +fs_manage_tmpfs_files(cgmanager_t)
118 +
119 +fs_mount_cgroup(cgmanager_t)
120 +fs_mount_tmpfs(cgmanager_t)
121 +fs_mounton_tmpfs(cgmanager_t)
122 +fs_remount_cgroup(cgmanager_t)
123 +fs_remount_tmpfs(cgmanager_t)
124 +fs_unmount_cgroup(cgmanager_t)
125 +fs_unmount_tmpfs(cgmanager_t)
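Review bot: `allow cgmanager_t self:capability { sys_admin dac_override };` (gutter line 82) grants dac_override with no justifying comment; if the override is only needed to read or search paths owned by other users, the narrower `allow cgmanager_t self:capability { sys_admin dac_read_search };` is sufficient and should be preferred once audit logs confirm no write path needs it. The broad or unusual grants at gutter lines 96 and 102, `kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)` and `domain_read_all_domains_state(cgmanager_t)`, also deserve a one-line why-comment in the style of the mount comment at gutter line 106, e.g. `# presumably the kernel execs cgm-release-agent when a cgroup empties -- confirm` and `# presumably reads /proc/<pid> of clients to find their cgroups -- confirm`. The tmpfs management rules at gutter lines 116-117 cover every tmpfs_t file; if the tmpfs cgmanager mounts in its private namespace is the only one it touches, that is unavoidable, but a comment stating so would document the scope.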