## libcg is a library that abstracts the control group file system in Linux. ######################################## ## ## Execute a domain transition to run ## CG config parser. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_domtrans_cgconfigparser',` gen_require(` type cgconfigparser_t, cgconfigparser_exec_t; ') domtrans_pattern($1, cgconfigparser_exec_t, cgconfigparser_t) corecmd_search_bin($1) ') ######################################## ## ## Execute a domain transition to run ## CG config parser. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_initrc_domtrans_cgconfigparser',` gen_require(` type cgconfig_initrc_exec_t; ') files_search_etc($1) init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) ') ######################################## ## ## Execute a domain transition to run ## CG rules engine daemon. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_domtrans_cgred',` gen_require(` type cgred_t, cgred_exec_t; ') domtrans_pattern($1, cgred_exec_t, cgred_t) corecmd_search_bin($1) ') ######################################## ## ## Execute a domain transition to run ## CG rules engine daemon. ## domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_initrc_domtrans_cgred',` gen_require(` type cgred_initrc_exec_t; ') init_labeled_script_domtrans($1, cgred_initrc_exec_t) ') ######################################## ## ## Connect to CG rules engine daemon ## over unix stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`cgroup_stream_connect', ` gen_require(` type cgred_var_run_t, cgred_t; ') stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) files_search_pids($1) ') ######################################## ## ## All of the rules required to administrate ## an cgroup environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`cgroup_admin',` gen_require(` type cgred_t, cgconfigparser_t, cgred_var_run_t; type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; type cgred_etc_t, cgroup_t; ') allow $1 cgconfigparser_t:process { ptrace signal_perms getattr }; read_files_pattern($1, cgconfigparser_t, cgconfigparser_t) allow $1 cgred_t:process { ptrace signal_perms getattr }; read_files_pattern($1, cgred_t, cgred_t) admin_pattern($1, cgroup_t) admin_pattern($1, cgconfig_etc_t) admin_pattern($1, cgred_etc_t) files_search_etc($1) admin_pattern($1, cgred_var_run_t) files_search_pids($1) cgroup_initrc_domtrans_cgconfigparser($1) domain_system_change_exemption($1) role_transition $2 cgconfig_initrc_exec_t system_r; allow $2 system_r; cgroup_initrc_domtrans_cgred($1) role_transition $2 cgred_initrc_exec_t system_r; ')