Commit | Line | Data |
---|---|---|
ddf82133 DG |
1 | ## <summary>libcg is a library that abstracts the control group file system in Linux.</summary> |
2 | ||
########################################
## <summary>
##	Execute a domain transition to run
##	CG Clear.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_domtrans_cgclear',`
	# Types referenced below; they must be declared elsewhere in the policy.
	gen_require(`
		type cgclear_t, cgclear_exec_t;
	')

	# Let the calling domain execute files labeled cgclear_exec_t and
	# transition into cgclear_t when it does so.
	domtrans_pattern($1, cgclear_exec_t, cgclear_t)
	# Search access to the bin directories so the executable can be
	# reached (presumably where cgclear is installed).
	corecmd_search_bin($1)
')
22 | ||
########################################
## <summary>
##	Execute a domain transition to run
##	CG config parser.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_domtrans_cgconfig',`
	# Types referenced below; they must be declared elsewhere in the policy.
	gen_require(`
		type cgconfig_t, cgconfig_exec_t;
	')

	# Let the calling domain execute files labeled cgconfig_exec_t and
	# transition into cgconfig_t when it does so.
	domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
	# Search access to the bin directories so the executable can be
	# reached (presumably where the config parser is installed).
	corecmd_search_bin($1)
')
42 | ||
########################################
## <summary>
##	Transition to the init script domain
##	when running the CG config parser
##	init script.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_initrc_domtrans_cgconfig',`
	# Only the init script label is needed here; the target domain is
	# chosen by the init module macro called below.
	gen_require(`
		type cgconfig_initrc_exec_t;
	')

	# Unlike cgroup_domtrans_cgconfig, this covers the init script
	# (cgconfig_initrc_exec_t), not the parser binary itself.
	init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
')
61 | ||
########################################
## <summary>
##	Execute a domain transition to run
##	CG rules engine daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_domtrans_cgred',`
	# Types referenced below; they must be declared elsewhere in the policy.
	gen_require(`
		type cgred_t, cgred_exec_t;
	')

	# Let the calling domain execute files labeled cgred_exec_t and
	# transition into cgred_t when it does so.
	domtrans_pattern($1, cgred_exec_t, cgred_t)
	# Search access to the bin directories so the executable can be
	# reached (presumably where the daemon binary is installed).
	corecmd_search_bin($1)
')
81 | ||
########################################
## <summary>
##	Transition to the init script domain
##	when running the CG rules engine
##	daemon init script.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cgroup_initrc_domtrans_cgred',`
	# Only the init script label is needed here; the target domain is
	# chosen by the init module macro called below.
	gen_require(`
		type cgred_initrc_exec_t;
	')

	# Unlike cgroup_domtrans_cgred, this covers the init script
	# (cgred_initrc_exec_t), not the daemon binary itself.
	init_labeled_script_domtrans($1, cgred_initrc_exec_t)
')
101 | ||
########################################
## <summary>
##	Execute a domain transition to
##	run CG Clear and allow the
##	specified role the CG Clear
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cgroup_run_cgclear',`
	# The exec type is not required here; it is pulled in by
	# cgroup_domtrans_cgclear.
	gen_require(`
		type cgclear_t;
	')

	# Type enforcement half: the domain may transition into cgclear_t.
	cgroup_domtrans_cgclear($1)
	# RBAC half: authorize the role for cgclear_t. A transition into a
	# type the role is not authorized for is rejected, so both
	# statements are needed.
	role $2 types cgclear_t;
')
129 | ||
########################################
## <summary>
##	Connect to CG rules engine daemon
##	over unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cgroup_stream_connect_cgred', `
	# Types referenced below; they must be declared elsewhere in the policy.
	gen_require(`
		type cgred_var_run_t, cgred_t;
	')

	# cgred_var_run_t is passed as both the directory type and the
	# socket file type; cgred_t is the domain being connected to.
	stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
	# Search access to the pid directories that hold the socket
	# (presumably under /var/run).
	files_search_pids($1)
')
149 | ||
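########################################
## <summary>
##	All of the rules required to administrate
##	a cgroup environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cgroup_admin',`
	# Types referenced below; they must be declared elsewhere in the policy.
	gen_require(`
		type cgred_t, cgconfig_t, cgred_var_run_t;
		type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
		type cgrules_etc_t, cgclear_t;
	')

	# Process control over each cgroup domain: signals and process
	# listing always, ptrace only when the deny_ptrace tunable is off.
	# The ptrace rules sit in the else branch of tunable_policy (the
	# third argument), so enabling deny_ptrace removes them.
	allow $1 cgclear_t:process signal_perms;
	ps_process_pattern($1, cgclear_t)

	tunable_policy(`deny_ptrace',`',`
		# Fixed: this rule named cglear_t, a misspelled type that is
		# not in gen_require; the intended target is cgclear_t.
		allow $1 cgclear_t:process ptrace;
	')

	allow $1 cgconfig_t:process signal_perms;
	ps_process_pattern($1, cgconfig_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cgconfig_t:process ptrace;
	')

	allow $1 cgred_t:process signal_perms;
	ps_process_pattern($1, cgred_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cgred_t:process ptrace;
	')

	# Full management of the cgconfig and cgrules configuration files.
	admin_pattern($1, cgconfig_etc_t)
	admin_pattern($1, cgrules_etc_t)
	files_list_etc($1)

	# Full management of the cgred runtime files.
	admin_pattern($1, cgred_var_run_t)
	files_list_pids($1)

	# Let the admin run the init scripts. The role_transition rules move
	# the admin role to system_r when those scripts are executed, and
	# the allow rule permits that role change, so this interface should
	# only be granted to roles trusted to start system services.
	cgroup_initrc_domtrans_cgconfig($1)
	domain_system_change_exemption($1)
	role_transition $2 cgconfig_initrc_exec_t system_r;
	allow $2 system_r;

	cgroup_initrc_domtrans_cgred($1)
	role_transition $2 cgred_initrc_exec_t system_r;

	# Run cgclear in its own domain and authorize the role for it.
	cgroup_run_cgclear($1, $2)
')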