Confine /sbin/cgclear.

Libcgroup moved cgclear to /sbin.
Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy.
We might want to add cgroup_run_cgclear to sysadm module.

Signed-off-by: Dominick Grift <domg472@gmail.com>

policy/modules/services/cgroup.fc

@@ -1,10 +1,14 @@
 /etc/cgconfig.conf		--	gen_context(system_u:object_r:cgconfig_etc_t,s0)
 /etc/cgrules.conf		--	gen_context(system_u:object_r:cgrules_etc_t,s0)
 
+/etc/sysconfig/cgconfig		--	gen_context(system_u:object_r:cgconfig_etc_t,s0)
+/etc/sysconfig/cgred.conf	--	gen_context(system_u:object_r:cgrules_etc_t,s0)
+
 /etc/rc\.d/init\.d/cgconfig	--	gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/cgred	--	gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
 
 /sbin/cgconfigparser		--	gen_context(system_u:object_r:cgconfig_exec_t,s0)
 /sbin/cgrulesengd		--	gen_context(system_u:object_r:cgred_exec_t,s0)
+/sbin/cgclear			--	gen_context(system_u:object_r:cgclear_exec_t,s0)
 
 /var/run/cgred.*			gen_context(system_u:object_r:cgred_var_run_t,s0)

policy/modules/services/cgroup.if

@@ -1,5 +1,25 @@
 ## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
 
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	CG Clear.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgclear',`
+	gen_require(`
+		type cgclear_t, cgclear_exec_t;
+	')
+
+	domtrans_pattern($1, cgclear_exec_t, cgclear_t)
+	corecmd_search_bin($1)
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to run
@@ -36,7 +56,6 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
 		type cgconfig_initrc_exec_t;
 	')
 
-	files_search_etc($1)
 	init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
 ')
 
@@ -80,6 +99,34 @@ interface(`cgroup_initrc_domtrans_cgred',`
 	init_labeled_script_domtrans($1, cgred_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##	Execute a domain transition to
+##	run CG Clear and allow the
+##	specified role the CG Clear
+##	domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_run_cgclear',`
+	gen_require(`
+		type cgclear_t;
+	')
+
+	cgroup_domtrans_cgclear($1)
+	role $2 types cgclear_t;
+')
+
 ########################################
 ## <summary>
 ##	Connect to CG rules engine daemon
@@ -91,7 +138,7 @@ interface(`cgroup_initrc_domtrans_cgred',`
 ##	</summary>
 ## </param>
 #
-interface(`cgroup_stream_connect', `
+interface(`cgroup_stream_connect_cgred', `
 	gen_require(`
 		type cgred_var_run_t, cgred_t;
 	')
@@ -121,14 +168,17 @@ interface(`cgroup_admin',`
 	gen_require(`
 		type cgred_t, cgconfig_t, cgred_var_run_t;
 		type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
-		type cgrules_etc_t;
+		type cgrules_etc_t, cgclear_t, cgclear_exec_t;
 	')
 
-	allow $1 cgconfig_t:process { ptrace signal_perms getattr };
+	allow $1 cgclear_t:process { ptrace signal_perms };
-	read_files_pattern($1, cgconfig_t, cgconfig_t)
+	ps_process_pattern($1, cgclear_t)
 
-	allow $1 cgred_t:process { ptrace signal_perms getattr };
+	allow $1 cgconfig_t:process { ptrace signal_perms };
-	read_files_pattern($1, cgred_t, cgred_t)
+	ps_process_pattern($1, cgconfig_t)
+
+	allow $1 cgred_t:process { ptrace signal_perms };
+	ps_process_pattern($1, cgred_t)
 
 	admin_pattern($1, cgconfig_etc_t)
 	admin_pattern($1, cgrules_etc_t)
@@ -144,4 +194,6 @@ interface(`cgroup_admin',`
 
 	cgroup_initrc_domtrans_cgred($1)
 	role_transition $2 cgred_initrc_exec_t system_r;
+
+	cgroup_run_cgclear($1, $2)
 ')

policy/modules/services/cgroup.te

@@ -5,6 +5,10 @@ policy_module(cgroup, 1.0.0)
 # Declarations
 #
 
+type cgclear_t;
+type cgclear_exec_t;
+init_daemon_domain(cgclear_t, cgclear_exec_t)
+
 type cgred_t;
 type cgred_exec_t;
 init_daemon_domain(cgred_t, cgred_exec_t)
@@ -28,6 +32,21 @@ init_script_file(cgconfig_initrc_exec_t)
 type cgconfig_etc_t;
 files_config_file(cgconfig_etc_t)
 
+########################################
+#
+# cgclear personal policy.
+#
+
+allow cgclear_t self:capability sys_admin;
+
+kernel_read_system_state(cgclear_t)
+
+domain_setpriority_all_domains(cgclear_t)
+
+fs_manage_cgroup_dirs(cgclear_t)
+fs_manage_cgroup_files(cgclear_t)
+fs_unmount_cgroup(cgclear_t)
+
 ########################################
 #
 # cgconfig personal policy.
@@ -37,38 +56,44 @@ allow cgconfig_t self:capability { chown sys_admin };
 
 allow cgconfig_t cgconfig_etc_t:file read_file_perms;
 
+# search will do.
 kernel_list_unlabeled(cgconfig_t)
 kernel_read_system_state(cgconfig_t)
 
+# /etc/nsswitch.conf, /etc/passwd
 files_read_etc_files(cgconfig_t)
 
 fs_manage_cgroup_dirs(cgconfig_t)
 fs_manage_cgroup_files(cgconfig_t)
 fs_mount_cgroup(cgconfig_t)
 fs_mounton_cgroup(cgconfig_t)
-fs_unmount_cgroup(cgconfig_t)
 
 ########################################
 #
 # cgred personal policy.
 #
 
-allow cgred_t self:capability { net_admin sys_ptrace dac_override };
+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
 
 allow cgred_t cgrules_etc_t:file read_file_perms;
 
+# rc script creates pid file 
+manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
 manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
+files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
 
 kernel_read_system_state(cgred_t)
 
 domain_read_all_domains_state(cgred_t)
+domain_setpriority_all_domains(cgred_t)
 
 files_getattr_all_files(cgred_t)
 files_getattr_all_sockets(cgred_t)
 files_read_all_symlinks(cgred_t)
+
+# /etc/group
 files_read_etc_files(cgred_t)
 
 fs_write_cgroup_files(cgred_t)

policy/modules/system/init.te

@@ -338,9 +338,7 @@ files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
 
-fs_delete_cgroup_dirs(initrc_t)
+fs_write_cgroup_files(initrc_t)
-fs_list_cgroup_dirs(initrc_t)
-fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -570,7 +568,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	cgroup_stream_connect(initrc_t)
+	cgroup_stream_connect_cgred(initrc_t)
 ')
 
 optional_policy(`