Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/cgroup.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/cgroup.if')
-rw-r--r--policy/modules/services/cgroup.if187
1 files changed, 187 insertions, 0 deletions
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
new file mode 100644
index 000000000..a8870b96c
--- /dev/null
+++ b/policy/modules/services/cgroup.if
@@ -0,0 +1,187 @@
+## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG Clear.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgclear',`
+ gen_require(`
+ type cgclear_t, cgclear_exec_t;
+ ')
+
+ domtrans_pattern($1, cgclear_exec_t, cgclear_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG config parser.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_t, cgconfig_exec_t;
+ ')
+
+ domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute CG config init scripts in
+## the init script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgconfig',`
+ gen_require(`
+ type cgconfig_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG rules engine daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_domtrans_cgred',`
+ gen_require(`
+ type cgred_t, cgred_exec_t;
+ ')
+
+ domtrans_pattern($1, cgred_exec_t, cgred_t)
+ corecmd_search_bin($1)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run
+## CG rules engine daemon.
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cgroup_initrc_domtrans_cgred',`
+ gen_require(`
+ type cgred_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, cgred_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to
+## run CG Clear and allow the
+## specified role the CG Clear
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_run_cgclear',`
+ gen_require(`
+ type cgclear_t;
+ ')
+
+ cgroup_domtrans_cgclear($1)
+ role $2 types cgclear_t;
+')
+
+########################################
+## <summary>
+## Connect to CG rules engine daemon
+## over unix stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cgroup_stream_connect_cgred', `
+ gen_require(`
+ type cgred_var_run_t, cgred_t;
+ ')
+
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an cgroup environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`cgroup_admin',`
+ gen_require(`
+ type cgred_t, cgconfig_t, cgred_var_run_t;
+ type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
+ type cgrules_etc_t, cgclear_t;
+ ')
+
+ allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
+
+ admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
+ files_list_etc($1)
+
+ admin_pattern($1, cgred_var_run_t)
+ files_list_pids($1)
+
+ init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t)
+ init_startstop_service($1, $2, cgconfig_t, cgconfig_initrc_exec_t)
+
+ cgroup_run_cgclear($1, $2)
+')