Confine /sbin/cgclear.
Libcgroup moved cgclear to /sbin. Confine it so that initrc_t can domain transition to the cgclear_t domain. That way we do not have to extend the initrc_t domains policy. We might want to add cgroup_run_cgclear to sysadm module. Signed-off-by: Dominick Grift <domg472@gmail.com>
This commit is contained in:
parent
a0546c9d1c
commit
61d7ee58a4
@ -1,10 +1,14 @@
|
||||
/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
|
||||
/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
|
||||
|
||||
/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0)
|
||||
/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)
|
||||
|
||||
/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0)
|
||||
|
||||
/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
|
||||
/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
|
||||
/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
|
||||
|
||||
/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
|
||||
|
@ -1,5 +1,25 @@
|
||||
## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run
|
||||
## CG Clear.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cgroup_domtrans_cgclear',`
|
||||
gen_require(`
|
||||
type cgclear_t, cgclear_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, cgclear_exec_t, cgclear_t)
|
||||
corecmd_search_bin($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run
|
||||
@ -36,7 +56,6 @@ interface(`cgroup_initrc_domtrans_cgconfig',`
|
||||
type cgconfig_initrc_exec_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
|
||||
')
|
||||
|
||||
@ -80,6 +99,34 @@ interface(`cgroup_initrc_domtrans_cgred',`
|
||||
init_labeled_script_domtrans($1, cgred_initrc_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to
|
||||
## run CG Clear and allow the
|
||||
## specified role the CG Clear
|
||||
## domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`cgroup_run_cgclear',`
|
||||
gen_require(`
|
||||
type cgclear_t;
|
||||
')
|
||||
|
||||
cgroup_domtrans_cgclear($1)
|
||||
role $2 types cgclear_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to CG rules engine daemon
|
||||
@ -91,7 +138,7 @@ interface(`cgroup_initrc_domtrans_cgred',`
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`cgroup_stream_connect', `
|
||||
interface(`cgroup_stream_connect_cgred', `
|
||||
gen_require(`
|
||||
type cgred_var_run_t, cgred_t;
|
||||
')
|
||||
@ -121,14 +168,17 @@ interface(`cgroup_admin',`
|
||||
gen_require(`
|
||||
type cgred_t, cgconfig_t, cgred_var_run_t;
|
||||
type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
|
||||
type cgrules_etc_t;
|
||||
type cgrules_etc_t, cgclear_t, cgclear_exec_t;
|
||||
')
|
||||
|
||||
allow $1 cgconfig_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, cgconfig_t, cgconfig_t)
|
||||
allow $1 cgclear_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, cgclear_t)
|
||||
|
||||
allow $1 cgred_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, cgred_t, cgred_t)
|
||||
allow $1 cgconfig_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, cgconfig_t)
|
||||
|
||||
allow $1 cgred_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, cgred_t)
|
||||
|
||||
admin_pattern($1, cgconfig_etc_t)
|
||||
admin_pattern($1, cgrules_etc_t)
|
||||
@ -144,4 +194,6 @@ interface(`cgroup_admin',`
|
||||
|
||||
cgroup_initrc_domtrans_cgred($1)
|
||||
role_transition $2 cgred_initrc_exec_t system_r;
|
||||
|
||||
cgroup_run_cgclear($1, $2)
|
||||
')
|
||||
|
@ -5,6 +5,10 @@ policy_module(cgroup, 1.0.0)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type cgclear_t;
|
||||
type cgclear_exec_t;
|
||||
init_daemon_domain(cgclear_t, cgclear_exec_t)
|
||||
|
||||
type cgred_t;
|
||||
type cgred_exec_t;
|
||||
init_daemon_domain(cgred_t, cgred_exec_t)
|
||||
@ -28,6 +32,21 @@ init_script_file(cgconfig_initrc_exec_t)
|
||||
type cgconfig_etc_t;
|
||||
files_config_file(cgconfig_etc_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# cgclear personal policy.
|
||||
#
|
||||
|
||||
allow cgclear_t self:capability sys_admin;
|
||||
|
||||
kernel_read_system_state(cgclear_t)
|
||||
|
||||
domain_setpriority_all_domains(cgclear_t)
|
||||
|
||||
fs_manage_cgroup_dirs(cgclear_t)
|
||||
fs_manage_cgroup_files(cgclear_t)
|
||||
fs_unmount_cgroup(cgclear_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# cgconfig personal policy.
|
||||
@ -37,38 +56,44 @@ allow cgconfig_t self:capability { chown sys_admin };
|
||||
|
||||
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
|
||||
|
||||
# search will do.
|
||||
kernel_list_unlabeled(cgconfig_t)
|
||||
kernel_read_system_state(cgconfig_t)
|
||||
|
||||
# /etc/nsswitch.conf, /etc/passwd
|
||||
files_read_etc_files(cgconfig_t)
|
||||
|
||||
fs_manage_cgroup_dirs(cgconfig_t)
|
||||
fs_manage_cgroup_files(cgconfig_t)
|
||||
fs_mount_cgroup(cgconfig_t)
|
||||
fs_mounton_cgroup(cgconfig_t)
|
||||
fs_unmount_cgroup(cgconfig_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# cgred personal policy.
|
||||
#
|
||||
|
||||
allow cgred_t self:capability { net_admin sys_ptrace dac_override };
|
||||
allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
|
||||
allow cgred_t self:netlink_socket { write bind create read };
|
||||
allow cgred_t self:unix_dgram_socket { write create connect };
|
||||
|
||||
allow cgred_t cgrules_etc_t:file read_file_perms;
|
||||
|
||||
# rc script creates pid file
|
||||
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
|
||||
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
|
||||
files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
|
||||
files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_system_state(cgred_t)
|
||||
|
||||
domain_read_all_domains_state(cgred_t)
|
||||
domain_setpriority_all_domains(cgred_t)
|
||||
|
||||
files_getattr_all_files(cgred_t)
|
||||
files_getattr_all_sockets(cgred_t)
|
||||
files_read_all_symlinks(cgred_t)
|
||||
|
||||
# /etc/group
|
||||
files_read_etc_files(cgred_t)
|
||||
|
||||
fs_write_cgroup_files(cgred_t)
|
||||
|
@ -338,9 +338,7 @@ files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
|
||||
fs_delete_cgroup_dirs(initrc_t)
|
||||
fs_list_cgroup_dirs(initrc_t)
|
||||
fs_rw_cgroup_files(initrc_t)
|
||||
fs_write_cgroup_files(initrc_t)
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@ -570,7 +568,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect(initrc_t)
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
Loading…
Reference in New Issue
Block a user