[people/stevee/selinux-policy.git] / policy / modules / services / cgroup.te

policy_module(cgroup, 1.0.0)

########################################
#
# Declarations
#

type cgclear_t;
type cgclear_exec_t;
init_daemon_domain(cgclear_t, cgclear_exec_t)

type cgred_t;
type cgred_exec_t;
init_daemon_domain(cgred_t, cgred_exec_t)

type cgred_initrc_exec_t;
init_script_file(cgred_initrc_exec_t)

type cgred_var_run_t;
files_pid_file(cgred_var_run_t)

type cgrules_etc_t;
files_config_file(cgrules_etc_t)

type cgconfig_t alias cgconfigparser_t;
type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)

type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)

type cgconfig_etc_t;
files_config_file(cgconfig_etc_t)

########################################
#
# cgclear personal policy.
#

allow cgclear_t self:capability sys_admin;

kernel_read_system_state(cgclear_t)

domain_setpriority_all_domains(cgclear_t)

fs_manage_cgroup_dirs(cgclear_t)
fs_manage_cgroup_files(cgclear_t)
fs_unmount_cgroup(cgclear_t)

########################################
#
# cgconfig personal policy.
#

allow cgconfig_t self:capability { dac_override fowner chown sys_admin };

allow cgconfig_t cgconfig_etc_t:file read_file_perms;

# search will do.
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)

# /etc/nsswitch.conf, /etc/passwd
files_read_etc_files(cgconfig_t)

fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)

########################################
#
# cgred personal policy.
#

allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };

allow cgred_t cgrules_etc_t:file read_file_perms;

# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })

kernel_read_system_state(cgred_t)

domain_read_all_domains_state(cgred_t)
domain_setpriority_all_domains(cgred_t)

files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
# /etc/group
files_read_etc_files(cgred_t)

fs_write_cgroup_files(cgred_t)

logging_send_syslog_msg(cgred_t)

miscfiles_read_localization(cgred_t)
Commit	Line	Data
ddf82133 DG	1	policy_module(cgroup, 1.0.0)
	2
	3	########################################
	4	#
53f9abbe	5	# Declarations
ddf82133 DG	6	#
ddf82133 DG	7
61d7ee58 DG	8	type cgclear_t;
	9	type cgclear_exec_t;
	10	init_daemon_domain(cgclear_t, cgclear_exec_t)
	11
ddf82133 DG	12	type cgred_t;
	13	type cgred_exec_t;
	14	init_daemon_domain(cgred_t, cgred_exec_t)
	15
	16	type cgred_initrc_exec_t;
	17	init_script_file(cgred_initrc_exec_t)
	18
	19	type cgred_var_run_t;
	20	files_pid_file(cgred_var_run_t)
	21
	22	type cgrules_etc_t;
	23	files_config_file(cgrules_etc_t)
	24
3eaa9939 DW	25	type cgconfig_t alias cgconfigparser_t;
3eaa9939 DW	26	type cgconfig_exec_t alias cgconfigparser_exec_t;
53f9abbe	27	init_daemon_domain(cgconfig_t, cgconfig_exec_t)
ddf82133 DG	28
	29	type cgconfig_initrc_exec_t;
	30	init_script_file(cgconfig_initrc_exec_t)
	31
	32	type cgconfig_etc_t;
	33	files_config_file(cgconfig_etc_t)
	34
61d7ee58 DG	35	########################################
	36	#
	37	# cgclear personal policy.
	38	#
	39
	40	allow cgclear_t self:capability sys_admin;
	41
	42	kernel_read_system_state(cgclear_t)
	43
	44	domain_setpriority_all_domains(cgclear_t)
	45
	46	fs_manage_cgroup_dirs(cgclear_t)
	47	fs_manage_cgroup_files(cgclear_t)
	48	fs_unmount_cgroup(cgclear_t)
	49
53f9abbe CP	50	########################################
	51	#
	52	# cgconfig personal policy.
	53	#
	54
3eaa9939	55	allow cgconfig_t self:capability { dac_override fowner chown sys_admin };
53f9abbe CP	56
	57	allow cgconfig_t cgconfig_etc_t:file read_file_perms;
	58
61d7ee58	59	# search will do.
53f9abbe CP	60	kernel_list_unlabeled(cgconfig_t)
	61	kernel_read_system_state(cgconfig_t)
	62
61d7ee58	63	# /etc/nsswitch.conf, /etc/passwd
53f9abbe CP	64	files_read_etc_files(cgconfig_t)
	65
	66	fs_manage_cgroup_dirs(cgconfig_t)
	67	fs_manage_cgroup_files(cgconfig_t)
	68	fs_mount_cgroup(cgconfig_t)
	69	fs_mounton_cgroup(cgconfig_t)
53f9abbe	70
ddf82133 DG	71	########################################
	72	#
	73	# cgred personal policy.
	74	#
	75
61d7ee58	76	allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
ddf82133 DG	77	allow cgred_t self:netlink_socket { write bind create read };
	78	allow cgred_t self:unix_dgram_socket { write create connect };
	79
	80	allow cgred_t cgrules_etc_t:file read_file_perms;
	81
d687db9b	82	# rc script creates pid file
61d7ee58	83	manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
ddf82133	84	manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
61d7ee58	85	files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
ddf82133 DG	86
	87	kernel_read_system_state(cgred_t)
	88
	89	domain_read_all_domains_state(cgred_t)
61d7ee58	90	domain_setpriority_all_domains(cgred_t)
ddf82133 DG	91
	92	files_getattr_all_files(cgred_t)
	93	files_getattr_all_sockets(cgred_t)
	94	files_read_all_symlinks(cgred_t)
61d7ee58	95	# /etc/group
ddf82133 DG	96	files_read_etc_files(cgred_t)
	97
	98	fs_write_cgroup_files(cgred_t)
	99
	100	logging_send_syslog_msg(cgred_t)
	101
	102	miscfiles_read_localization(cgred_t)