From e2b9add5f870d0253ff13dc2ab5c68fea69bee06 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Mon, 7 Jun 2010 20:27:41 +0200 Subject: [PATCH] How users interact with cgroup. All login users can list cgroup. Common users can read and write cgroup files (access governed by dac) Signed-off-by: Dominick Grift Signed-off-by: Chris PeBenito --- policy/modules/system/userdomain.if | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 990063c0..42d4e8db 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -542,6 +542,8 @@ template(`userdom_common_user_template',` # Stat lost+found. files_getattr_lost_found_dirs($1_t) + fs_rw_cgroup_files($1_t) + # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) @@ -753,8 +755,10 @@ template(`userdom_login_user_template', ` fs_getattr_all_fs($1_t) fs_getattr_all_dirs($1_t) fs_search_auto_mountpoints($1_t) + fs_list_cgroup_dirs($1_t) fs_list_inotifyfs($1_t) fs_rw_anon_inodefs_files($1_t) + fs_dontaudit_rw_cgroup_files($1_t) auth_dontaudit_write_login_records($1_t)
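Review bot: The new `fs_rw_cgroup_files($1_t)` call in `userdom_common_user_template` is an unconditional grant with no comment. Every user domain built from this template gets type-enforcement read/write on cgroup files, leaving file ownership and mode as the only remaining control. The commit message states this intent ("access governed by dac"), but it should be recorded at the call site, for example `# cgroup files: allowed by policy here, effective access is decided by DAC ownership`. If some roles built from this template are not meant to manage cgroups, granting it per role or behind a boolean would keep least privilege; the callers are not visible here, so that is a question rather than a finding. The template body starts and ends outside the hunk.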
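Review bot: `fs_dontaudit_rw_cgroup_files($1_t)` in `userdom_login_user_template` suppresses the AVC denial record for read/write attempts on cgroup files by any login user domain that does not also receive the allow rule from the common template. Those attempts then fail without an audit trail unless dontaudit rules are disabled (for example `semodule -DB`) during an investigation. Domains that instantiate both templates presumably end up with both the allow and the dontaudit for the same permissions, where the allow takes effect; a comment should say so, e.g. `# login users may list cgroup dirs; rw on cgroup files is denied quietly unless granted by another template`. The dontaudit call is also placed among the allow-style `fs_*` calls rather than next to `auth_dontaudit_write_login_records($1_t)`, which makes it easy to misread as a grant. The template body continues outside the hunk.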