policy_module(cgroup, 1.0.0)

########################################
#
# Declarations
#

# cgclear: empties and unmounts the cgroup hierarchies (see its section below).
type cgclear_t;
type cgclear_exec_t;
init_daemon_domain(cgclear_t, cgclear_exec_t)

# cgconfig: mounts and populates the cgroup hierarchies from its config file.
# The cgconfigparser_* aliases keep older labels that use the previous name
# resolving to the same types.
type cgconfig_t alias cgconfigparser_t;
type cgconfig_exec_t alias cgconfigparser_exec_t;
init_daemon_domain(cgconfig_t, cgconfig_exec_t)

type cgconfig_initrc_exec_t;
init_script_file(cgconfig_initrc_exec_t)

# cgconfig's configuration file type; this module only ever reads it.
type cgconfig_etc_t;
files_config_file(cgconfig_etc_t)

# cgred: the rules daemon that writes processes into cgroups.
type cgred_t;
type cgred_exec_t;
init_daemon_domain(cgred_t, cgred_exec_t)

type cgred_initrc_exec_t;
init_script_file(cgred_initrc_exec_t)

# pid file / socket directory contents for cgred.
type cgred_var_run_t;
files_pid_file(cgred_var_run_t)

# cgred's rules file type; this module only ever reads it.
type cgrules_etc_t;
files_config_file(cgrules_etc_t)
########################################
#
# cgclear personal policy.
#

# sys_admin is the only capability granted; it is what umount(2) of the
# cgroup hierarchies needs.
allow cgclear_t self:capability { sys_admin };

# /proc state (e.g. mount tables), read-only.
kernel_read_system_state(cgclear_t)

# May change the scheduling priority of any domain.
domain_setpriority_all_domains(cgclear_t)

# Full create/delete/write access to the cgroup filesystem, plus unmounting it.
fs_manage_cgroup_dirs(cgclear_t)
fs_manage_cgroup_files(cgclear_t)
fs_unmount_cgroup(cgclear_t)
########################################
#
# cgconfig personal policy.
#

# sys_admin: mount(2) of the hierarchies; chown/fowner: setting ownership
# and modes on the cgroup tree it creates.
# NOTE(review): dac_override bypasses all DAC checks, not just for the
# cgroup tree. If it is only needed while traversing or adjusting root-owned
# cgroup paths, confirm from AVC denials whether it can be dropped or
# narrowed.
allow cgconfig_t self:capability { chown dac_override fowner sys_admin };

# Its own configuration file, read-only.
allow cgconfig_t cgconfig_etc_t:file read_file_perms;

# The original note says search alone would do here; what is granted is
# list access to unlabeled inodes. Substitute a narrower interface if the
# base policy offers one.
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)

# /etc/nsswitch.conf, /etc/passwd (presumably for user/group name lookups).
files_read_etc_files(cgconfig_t)

# Mounts the hierarchies and then creates/writes their directories and files.
fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
fs_manage_cgroup_dirs(cgconfig_t)
fs_manage_cgroup_files(cgconfig_t)
########################################
#
# cgred personal policy.
#

# net_admin: presumably for the netlink socket granted below; sys_ptrace:
# reading every domain's /proc state (domain_read_all_domains_state below);
# sys_admin and dac_override: presumably for moving tasks between cgroups.
# NOTE(review): this capability set plus the all-domain interfaces below is
# close to root-equivalent. The daemon's rules file (cgrules_etc_t) is
# read-only for it in this module; keep it that way so a compromised cgred_t
# cannot rewrite its own rules.
allow cgred_t self:capability { dac_override net_admin sys_admin sys_ptrace };
allow cgred_t self:netlink_socket { bind create read write };
allow cgred_t self:unix_dgram_socket { connect create write };

# Its rules file, read-only.
allow cgred_t cgrules_etc_t:file read_file_perms;

# Pid file and socket in the pid directory. History notes the rc script
# creates the pid file; the daemon is nonetheless allowed to manage both
# the file and the socket, and to create them with the right label.
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })

kernel_read_system_state(cgred_t)

# Inspects every process and may renice any of them.
domain_read_all_domains_state(cgred_t)
domain_setpriority_all_domains(cgred_t)

# getattr on any file or socket and readlink anywhere (presumably to
# resolve the executables of processes it classifies); /etc/group.
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
files_read_etc_files(cgred_t)

# Writes cgroup files (task placement) only; unlike cgconfig_t/cgclear_t it
# gets no create/delete rights on the cgroup tree.
fs_write_cgroup_files(cgred_t)

logging_send_syslog_msg(cgred_t)

miscfiles_read_localization(cgred_t)