How users interact with cgroup.

All login users can list cgroup. Common users can read and write cgroup files (access governed by dac) Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-06-07 20:27:41 +02:00 · 2010-06-07 20:27:41 +02:00 · e2b9add5f8
commit e2b9add5f8
parent 73f0985092
1 changed files with 4 additions and 0 deletions
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -542,6 +542,8 @@ template(`userdom_common_user_template',`
 	# Stat lost+found.
 	files_getattr_lost_found_dirs($1_t)

+	fs_rw_cgroup_files($1_t)
+
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
 	selinux_validate_context($1_t)
@ -753,8 +755,10 @@ template(`userdom_login_user_template', `
 	fs_getattr_all_fs($1_t)
 	fs_getattr_all_dirs($1_t)
 	fs_search_auto_mountpoints($1_t)
+	fs_list_cgroup_dirs($1_t)
 	fs_list_inotifyfs($1_t)
 	fs_rw_anon_inodefs_files($1_t)
+	fs_dontaudit_rw_cgroup_files($1_t)

 	auth_dontaudit_write_login_records($1_t)