Rearrange cgroup interfaces in filesystem.

2010-06-08 09:10:45 -04:00 · 2010-06-08 09:10:45 -04:00 · 860c05d9de
commit 860c05d9de
parent 04dcd73fe3
1 changed files with 97 additions and 97 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -557,24 +557,6 @@ interface(`fs_register_binary_executable_type',`
 	rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
 ')
 ########################################
 ## <summary>
 ##	Get attributes of cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_getattr_cgroup',`
 	gen_require(`
 		type cgroup_t;
 	')
 	allow $1 cgroup_t:filesystem getattr;
 ')
 ########################################
 ## <summary>
 ##	Mount cgroup filesystems.
@ -593,24 +575,6 @@ interface(`fs_mount_cgroup', `
 	allow $1 cgroup_t:filesystem mount;
 ')
 ########################################
 ## <summary>
 ##	Mount on cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_mounton_cgroup', `
 	gen_require(`
 		type cgroup_t;
 	')
 	allow $1 cgroup_t:dir mounton;
 ')
 ########################################
 ## <summary>
 ##	Remount cgroup filesystems.
@ -649,7 +613,7 @@ interface(`fs_unmount_cgroup', `
 ########################################
 ## <summary>
-##	Delete cgroup directories.
+##	Get attributes of cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -657,49 +621,12 @@ interface(`fs_unmount_cgroup', `
 ##	</summary>
 ## </param>
 #
-interface(`fs_delete_cgroup_dirs', `
+interface(`fs_getattr_cgroup',`
 	gen_require(`
 		type cgroup_t;
 	')
-	delete_dirs_pattern($1, cgroup_t, cgroup_t)
+	allow $1 cgroup_t:filesystem getattr;
 ')
 ########################################
 ## <summary>
 ##	list cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_list_cgroup_dirs', `
 	gen_require(`
 		type cgroup_t;
 	')
 	list_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
 ## <summary>
 ##	Manage cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_manage_cgroup_dirs',`
 	gen_require(`
 		type cgroup_t;
 	')
 	manage_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
@ -723,7 +650,7 @@ interface(`fs_search_cgroup_dirs',`
 ########################################
 ## <summary>
-##	Manage cgroup files.
+##	list cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -731,13 +658,49 @@ interface(`fs_search_cgroup_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`fs_manage_cgroup_files',`
+interface(`fs_list_cgroup_dirs', `
 	gen_require(`
 		type cgroup_t;
 	')
 	list_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
 ## <summary>
 ##	Delete cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_delete_cgroup_dirs', `
 	gen_require(`
 		type cgroup_t;
 	')
 	delete_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
 ## <summary>
 ##	Manage cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_manage_cgroup_dirs',`
 	gen_require(`
 		type cgroup_t;
 	')
-	manage_files_pattern($1, cgroup_t, cgroup_t)
+	manage_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
@ -759,6 +722,24 @@ interface(`fs_read_cgroup_files',`
 	read_files_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
 ## <summary>
 ##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_write_cgroup_files', `
 	gen_require(`
 		type cgroup_t;
 	')
 	write_files_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
 ## <summary>
 ##	Read and write cgroup files.
@ -778,24 +759,6 @@ interface(`fs_rw_cgroup_files',`
 	rw_files_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
 ## <summary>
 ##	Write cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_write_cgroup_files', `
 	gen_require(`
 		type cgroup_t;
 	')
 	write_files_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to open,
@ -816,6 +779,43 @@ interface(`fs_dontaudit_rw_cgroup_files',`
 	dontaudit $1 cgroup_t:file rw_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Manage cgroup files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_manage_cgroup_files',`
 	gen_require(`
 		type cgroup_t;
 	')
 	manage_files_pattern($1, cgroup_t, cgroup_t)
 ')
 ########################################
 ## <summary>
 ##	Mount on cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`fs_mounton_cgroup', `
 	gen_require(`
 		type cgroup_t;
 	')
 	allow $1 cgroup_t:dir mounton;
 ')
 ########################################
 ## <summary>
 ##	Do not audit attempts to read