[people/stevee/selinux-policy.git] / policy / modules / services / cgroup.if

## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>

########################################
## <summary>
##	Execute a domain transition to run
##	CG Clear.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_domtrans_cgclear',`
	gen_require(`
		type cgclear_t, cgclear_exec_t;
	')

	domtrans_pattern($1, cgclear_exec_t, cgclear_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Execute a domain transition to run
##	CG config parser.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_domtrans_cgconfig',`
	gen_require(`
		type cgconfig_t, cgconfig_exec_t;
	')

	domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Execute a domain transition to run
##	CG config parser.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_initrc_domtrans_cgconfig',`
	gen_require(`
		type cgconfig_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
')

########################################
## <summary>
##	Execute a domain transition to run
##	CG rules engine daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_domtrans_cgred',`
	gen_require(`
		type cgred_t, cgred_exec_t;
	')

	domtrans_pattern($1, cgred_exec_t, cgred_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Execute a domain transition to run
## 	CG rules engine daemon.
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_initrc_domtrans_cgred',`
	gen_require(`
		type cgred_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, cgred_initrc_exec_t)
')

########################################
## <summary>
##	Execute a domain transition to
##	run CG Clear and allow the
##	specified role the CG Clear
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cgroup_run_cgclear',`
	gen_require(`
		type cgclear_t;
	')

	cgroup_domtrans_cgclear($1)
	role $2 types cgclear_t;
')

########################################
## <summary>
##	Connect to CG rules engine daemon
##	over unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cgroup_stream_connect_cgred', `
	gen_require(`
		type cgred_var_run_t, cgred_t;
	')

	stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
	files_search_pids($1)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an cgroup environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cgroup_admin',`
	gen_require(`
		type cgred_t, cgconfig_t, cgred_var_run_t;
		type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
		type cgrules_etc_t, cgclear_t;
	')

	allow $1 cgclear_t:process signal_perms;
	ps_process_pattern($1, cgclear_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cglear_t:process ptrace;
	')

	allow $1 cgconfig_t:process signal_perms;
	ps_process_pattern($1, cgconfig_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cgconfig_t:process ptrace;
	')

	allow $1 cgred_t:process signal_perms;
	ps_process_pattern($1, cgred_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cgred_t:process ptrace;
	')

	admin_pattern($1, cgconfig_etc_t)
	admin_pattern($1, cgrules_etc_t)
	files_list_etc($1)

	admin_pattern($1, cgred_var_run_t)
	files_list_pids($1)

	cgroup_initrc_domtrans_cgconfig($1)
	domain_system_change_exemption($1)
	role_transition $2 cgconfig_initrc_exec_t system_r;
	allow $2 system_r;

	cgroup_initrc_domtrans_cgred($1)
	role_transition $2 cgred_initrc_exec_t system_r;

	cgroup_run_cgclear($1, $2)
')
Commit	Line	Data
ddf82133 DG	1	## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
ddf82133 DG	2
61d7ee58 DG	3	########################################
	4	## <summary>
	5	## Execute a domain transition to run
	6	## CG Clear.
	7	## </summary>
	8	## <param name="domain">
c5eae5f8	9	## <summary>
61d7ee58	10	## Domain allowed to transition.
c5eae5f8	11	## </summary>
61d7ee58 DG	12	## </param>
	13	#
	14	interface(`cgroup_domtrans_cgclear',`
	15	gen_require(`
	16	type cgclear_t, cgclear_exec_t;
	17	')
	18
	19	domtrans_pattern($1, cgclear_exec_t, cgclear_t)
	20	corecmd_search_bin($1)
	21	')
	22
ddf82133 DG	23	########################################
	24	## <summary>
	25	## Execute a domain transition to run
	26	## CG config parser.
	27	## </summary>
	28	## <param name="domain">
c5eae5f8	29	## <summary>
ddf82133	30	## Domain allowed to transition.
c5eae5f8	31	## </summary>
ddf82133 DG	32	## </param>
ddf82133 DG	33	#
53f9abbe	34	interface(`cgroup_domtrans_cgconfig',`
ddf82133	35	gen_require(`
53f9abbe	36	type cgconfig_t, cgconfig_exec_t;
ddf82133 DG	37	')
ddf82133 DG	38
53f9abbe	39	domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
ddf82133 DG	40	corecmd_search_bin($1)
	41	')
	42
	43	########################################
	44	## <summary>
	45	## Execute a domain transition to run
	46	## CG config parser.
	47	## </summary>
	48	## <param name="domain">
	49	## <summary>
	50	## Domain allowed to transition.
	51	## </summary>
	52	## </param>
	53	#
53f9abbe	54	interface(`cgroup_initrc_domtrans_cgconfig',`
ddf82133 DG	55	gen_require(`
	56	type cgconfig_initrc_exec_t;
	57	')
	58
ddf82133 DG	59	init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
	60	')
	61
	62	########################################
	63	## <summary>
	64	## Execute a domain transition to run
	65	## CG rules engine daemon.
	66	## </summary>
	67	## <param name="domain">
c5eae5f8	68	## <summary>
ddf82133	69	## Domain allowed to transition.
c5eae5f8	70	## </summary>
ddf82133 DG	71	## </param>
	72	#
	73	interface(`cgroup_domtrans_cgred',`
	74	gen_require(`
	75	type cgred_t, cgred_exec_t;
	76	')
	77
	78	domtrans_pattern($1, cgred_exec_t, cgred_t)
	79	corecmd_search_bin($1)
	80	')
	81
	82	########################################
	83	## <summary>
	84	## Execute a domain transition to run
	85	## CG rules engine daemon.
	86	## domain.
	87	## </summary>
	88	## <param name="domain">
	89	## <summary>
	90	## Domain allowed to transition.
	91	## </summary>
	92	## </param>
	93	#
	94	interface(`cgroup_initrc_domtrans_cgred',`
	95	gen_require(`
	96	type cgred_initrc_exec_t;
	97	')
	98
	99	init_labeled_script_domtrans($1, cgred_initrc_exec_t)
	100	')
	101
61d7ee58 DG	102	########################################
	103	## <summary>
	104	## Execute a domain transition to
	105	## run CG Clear and allow the
	106	## specified role the CG Clear
	107	## domain.
	108	## </summary>
	109	## <param name="domain">
	110	## <summary>
	111	## Domain allowed to transition.
	112	## </summary>
	113	## </param>
	114	## <param name="role">
	115	## <summary>
	116	## Role allowed access.
	117	## </summary>
	118	## </param>
	119	## <rolecap/>
	120	#
	121	interface(`cgroup_run_cgclear',`
	122	gen_require(`
	123	type cgclear_t;
	124	')
	125
	126	cgroup_domtrans_cgclear($1)
	127	role $2 types cgclear_t;
	128	')
	129
ddf82133 DG	130	########################################
	131	## <summary>
	132	## Connect to CG rules engine daemon
	133	## over unix stream sockets.
	134	## </summary>
	135	## <param name="domain">
	136	## <summary>
	137	## Domain allowed access.
	138	## </summary>
	139	## </param>
	140	#
61d7ee58	141	interface(`cgroup_stream_connect_cgred', `
ddf82133 DG	142	gen_require(`
	143	type cgred_var_run_t, cgred_t;
	144	')
	145
	146	stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
	147	files_search_pids($1)
	148	')
	149
	150	########################################
	151	## <summary>
04dcd73f	152	## All of the rules required to administrate
ddf82133 DG	153	## an cgroup environment.
	154	## </summary>
	155	## <param name="domain">
	156	## <summary>
	157	## Domain allowed access.
	158	## </summary>
	159	## </param>
	160	## <param name="role">
	161	## <summary>
	162	## Role allowed access.
	163	## </summary>
	164	## </param>
	165	## <rolecap/>
	166	#
	167	interface(`cgroup_admin',`
	168	gen_require(`
53f9abbe	169	type cgred_t, cgconfig_t, cgred_var_run_t;
ddf82133	170	type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
00ca404a	171	type cgrules_etc_t, cgclear_t;
ddf82133 DG	172	')
ddf82133 DG	173
995bdbb1	174	allow $1 cgclear_t:process signal_perms;
61d7ee58	175	ps_process_pattern($1, cgclear_t)
ddf82133	176
995bdbb1	177	tunable_policy(`deny_ptrace',`',`
	178	allow $1 cglear_t:process ptrace;
	179	')
	180
	181	allow $1 cgconfig_t:process signal_perms;
61d7ee58 DG	182	ps_process_pattern($1, cgconfig_t)
61d7ee58 DG	183
995bdbb1	184	tunable_policy(`deny_ptrace',`',`
	185	allow $1 cgconfig_t:process ptrace;
	186	')
	187
	188	allow $1 cgred_t:process signal_perms;
61d7ee58	189	ps_process_pattern($1, cgred_t)
ddf82133	190
995bdbb1	191	tunable_policy(`deny_ptrace',`',`
	192	allow $1 cgred_t:process ptrace;
	193	')
	194
ddf82133	195	admin_pattern($1, cgconfig_etc_t)
7e5463b5	196	admin_pattern($1, cgrules_etc_t)
61f40642	197	files_list_etc($1)
ddf82133 DG	198
ddf82133 DG	199	admin_pattern($1, cgred_var_run_t)
61f40642	200	files_list_pids($1)
ddf82133	201
53f9abbe	202	cgroup_initrc_domtrans_cgconfig($1)
ddf82133 DG	203	domain_system_change_exemption($1)
	204	role_transition $2 cgconfig_initrc_exec_t system_r;
	205	allow $2 system_r;
	206
	207	cgroup_initrc_domtrans_cgred($1)
	208	role_transition $2 cgred_initrc_exec_t system_r;
61d7ee58 DG	209
61d7ee58 DG	210	cgroup_run_cgclear($1, $2)
ddf82133	211	')