diff options
Diffstat (limited to 'policy/modules/services/cgroup.if')
-rw-r--r-- | policy/modules/services/cgroup.if | 187 |
1 files changed, 187 insertions, 0 deletions
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if new file mode 100644 index 000000000..a8870b96c --- /dev/null +++ b/policy/modules/services/cgroup.if @@ -0,0 +1,187 @@ +## <summary>libcg is a library that abstracts the control group file system in Linux.</summary> + +######################################## +## <summary> +## Execute a domain transition to run +## CG Clear. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_domtrans_cgclear',` + gen_require(` + type cgclear_t, cgclear_exec_t; + ') + + domtrans_pattern($1, cgclear_exec_t, cgclear_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute a domain transition to run +## CG config parser. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_domtrans_cgconfig',` + gen_require(` + type cgconfig_t, cgconfig_exec_t; + ') + + domtrans_pattern($1, cgconfig_exec_t, cgconfig_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute CG config init scripts in +## the init script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_initrc_domtrans_cgconfig',` + gen_require(` + type cgconfig_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) +') + +######################################## +## <summary> +## Execute a domain transition to run +## CG rules engine daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_domtrans_cgred',` + gen_require(` + type cgred_t, cgred_exec_t; + ') + + domtrans_pattern($1, cgred_exec_t, cgred_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute a domain transition to run +## CG rules engine daemon. +## domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_initrc_domtrans_cgred',` + gen_require(` + type cgred_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cgred_initrc_exec_t) +') + +######################################## +## <summary> +## Execute a domain transition to +## run CG Clear and allow the +## specified role the CG Clear +## domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`cgroup_run_cgclear',` + gen_require(` + type cgclear_t; + ') + + cgroup_domtrans_cgclear($1) + role $2 types cgclear_t; +') + +######################################## +## <summary> +## Connect to CG rules engine daemon +## over unix stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cgroup_stream_connect_cgred', ` + gen_require(` + type cgred_var_run_t, cgred_t; + ') + + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) + files_search_pids($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an cgroup environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`cgroup_admin',` + gen_require(` + type cgred_t, cgconfig_t, cgred_var_run_t; + type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; + type cgrules_etc_t, cgclear_t; + ') + + allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t }) + + admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) + files_list_etc($1) + + admin_pattern($1, cgred_var_run_t) + files_list_pids($1) + + init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t) + init_startstop_service($1, $2, cgconfig_t, cgconfig_initrc_exec_t) + + cgroup_run_cgclear($1, $2) +') |