From 860c05d9de863257279699eaf605e1e109b01151 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jun 08 2010 13:10:45 +0000
Subject: Rearrange cgroup interfaces in filesystem.
---
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 4052ab9..85b3bb4 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -559,7 +559,7 @@ interface(`fs_register_binary_executable_type',`
########################################
##
-## Get attributes of cgroup filesystems.
+## Mount cgroup filesystems.
##
##
##
@@ -567,17 +567,17 @@ interface(`fs_register_binary_executable_type',`
##
##
#
-interface(`fs_getattr_cgroup',`
+interface(`fs_mount_cgroup', `
gen_require(`
type cgroup_t;
')
- allow $1 cgroup_t:filesystem getattr;
+ allow $1 cgroup_t:filesystem mount;
')
########################################
##
-## Mount cgroup filesystems.
+## Remount cgroup filesystems.
##
##
##
@@ -585,17 +585,17 @@ interface(`fs_getattr_cgroup',`
##
##
#
-interface(`fs_mount_cgroup', `
+interface(`fs_remount_cgroup', `
gen_require(`
type cgroup_t;
')
- allow $1 cgroup_t:filesystem mount;
+ allow $1 cgroup_t:filesystem remount;
')
########################################
##
-## Mount on cgroup directories.
+## Unmount cgroup filesystems.
##
##
##
@@ -603,17 +603,17 @@ interface(`fs_mount_cgroup', `
##
##
#
-interface(`fs_mounton_cgroup', `
+interface(`fs_unmount_cgroup', `
gen_require(`
type cgroup_t;
')
- allow $1 cgroup_t:dir mounton;
+ allow $1 cgroup_t:filesystem unmount;
')
########################################
##
-## Remount cgroup filesystems.
+## Get attributes of cgroup filesystems.
##
##
##
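Review bot: The new interface headers in this series are inconsistent about the space before the body quote: `+interface(`fs_mount_cgroup', `` in the @@ -567 hunk, and likewise `fs_remount_cgroup`, `fs_unmount_cgroup`, and later `fs_list_cgroup_dirs`, `fs_delete_cgroup_dirs`, `fs_write_cgroup_files` and `fs_mounton_cgroup`, use `', `` while `fs_getattr_cgroup`, `fs_search_cgroup_dirs`, `fs_read_cgroup_files`, `fs_rw_cgroup_files`, `fs_dontaudit_rw_cgroup_files` and `fs_manage_cgroup_files` use `',``. m4 ignores leading whitespace in an unquoted argument, so this is style only, but the commit is already retouching every one of these header lines and the surrounding file (see the hunk context `interface(`fs_manage_cgroup_dirs',``) uses the no-space form. Suggest `interface(`fs_mount_cgroup',`` here and the same normalisation on the others named.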
@@ -621,17 +621,17 @@ interface(`fs_mounton_cgroup', `
##
##
#
-interface(`fs_remount_cgroup', `
+interface(`fs_getattr_cgroup',`
gen_require(`
type cgroup_t;
')
- allow $1 cgroup_t:filesystem remount;
+ allow $1 cgroup_t:filesystem getattr;
')
########################################
##
-## Unmount cgroup filesystems.
+## Search cgroup directories.
##
##
##
@@ -639,17 +639,18 @@ interface(`fs_remount_cgroup', `
##
##
#
-interface(`fs_unmount_cgroup', `
+interface(`fs_search_cgroup_dirs',`
gen_require(`
type cgroup_t;
+ ')
- allow $1 cgroup_t:filesystem unmount;
+ search_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
##
-## Delete cgroup directories.
+## list cgroup directories.
##
##
##
@@ -657,17 +658,17 @@ interface(`fs_unmount_cgroup', `
##
##
#
-interface(`fs_delete_cgroup_dirs', `
+interface(`fs_list_cgroup_dirs', `
gen_require(`
type cgroup_t;
')
- delete_dirs_pattern($1, cgroup_t, cgroup_t)
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
##
-## list cgroup directories.
+## Delete cgroup directories.
##
##
##
@@ -675,12 +676,12 @@ interface(`fs_delete_cgroup_dirs', `
##
##
#
-interface(`fs_list_cgroup_dirs', `
+interface(`fs_delete_cgroup_dirs', `
gen_require(`
type cgroup_t;
')
- list_dirs_pattern($1, cgroup_t, cgroup_t)
+ delete_dirs_pattern($1, cgroup_t, cgroup_t)
')
########################################
@@ -704,7 +705,7 @@ interface(`fs_manage_cgroup_dirs',`
########################################
##
-## Search cgroup directories.
+## Read cgroup files.
##
##
##
@@ -712,18 +713,18 @@ interface(`fs_manage_cgroup_dirs',`
##
##
#
-interface(`fs_search_cgroup_dirs',`
+interface(`fs_read_cgroup_files',`
gen_require(`
type cgroup_t;
')
- search_dirs_pattern($1, cgroup_t, cgroup_t)
+ read_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
##
-## Manage cgroup files.
+## Write cgroup files.
##
##
##
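Review bot: The summary written for `fs_list_cgroup_dirs` at the end of the @@ -639 hunk, `+## list cgroup directories.`, starts with a lowercase letter while every other summary in this series is capitalised (`Delete cgroup directories.`, `Search cgroup directories.`, `Read cgroup files.`). This text is what the interface documentation generator emits, so it should read `## List cgroup directories.`. The lowercase form is carried over from the old file (the line removed in the @@ -657 hunk) rather than introduced here, but the new side is what ships.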
@@ -731,18 +732,17 @@ interface(`fs_search_cgroup_dirs',`
##
##
#
-interface(`fs_manage_cgroup_files',`
+interface(`fs_write_cgroup_files', `
gen_require(`
type cgroup_t;
- ')
- manage_files_pattern($1, cgroup_t, cgroup_t)
+ write_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
##
-## Read cgroup files.
+## Read and write cgroup files.
##
##
##
@@ -750,37 +750,38 @@ interface(`fs_manage_cgroup_files',`
##
##
#
-interface(`fs_read_cgroup_files',`
+interface(`fs_rw_cgroup_files',`
gen_require(`
type cgroup_t;
')
- read_files_pattern($1, cgroup_t, cgroup_t)
+ rw_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
##
-## Read and write cgroup files.
+## Do not audit attempts to open,
+## get attributes, read and write
+## cgroup files.
##
##
##
-## Domain allowed access.
+## Domain to not audit.
##
##
#
-interface(`fs_rw_cgroup_files',`
+interface(`fs_dontaudit_rw_cgroup_files',`
gen_require(`
type cgroup_t;
- ')
- rw_files_pattern($1, cgroup_t, cgroup_t)
+ dontaudit $1 cgroup_t:file rw_file_perms;
')
########################################
##
-## Write cgroup files.
+## Manage cgroup files.
##
##
##
@@ -788,32 +789,31 @@ interface(`fs_rw_cgroup_files',`
##
##
#
-interface(`fs_write_cgroup_files', `
+interface(`fs_manage_cgroup_files',`
gen_require(`
type cgroup_t;
+ ')
- write_files_pattern($1, cgroup_t, cgroup_t)
+ manage_files_pattern($1, cgroup_t, cgroup_t)
')
########################################
##
-## Do not audit attempts to open,
-## get attributes, read and write
-## cgroup files.
+## Mount on cgroup directories.
##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
#
-interface(`fs_dontaudit_rw_cgroup_files',`
+interface(`fs_mounton_cgroup', `
gen_require(`
type cgroup_t;
')
- dontaudit $1 cgroup_t:file rw_file_perms;
+ allow $1 cgroup_t:dir mounton;
')
########################################
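Review bot: The new `fs_write_cgroup_files` in the @@ -731 hunk appears to be left without the `')` that closes `gen_require(``: the hunk removes a `	')` line between `type cgroup_t;` and the rule with no `+` counterpart, and the hunk shrinks from 18 to 17 lines; the @@ -750 hunk shows the same pattern for the new `fs_dontaudit_rw_cgroup_files`. With that quote unterminated, m4 would fold `write_files_pattern(...)` (resp. `dontaudit ... rw_file_perms;`) into the gen_require argument and the interface would not expand into a valid rule as soon as any module called it, so both blocks need `	')` restored after `type cgroup_t;` to match the other interfaces in this series. The mirror-image `+ ')` in the @@ -788 hunk (and in @@ -639) suggests the omission was already present in the old `fs_write_cgroup_files` and has simply travelled with the moved block, but the new side is what ships. This reading is inferred from the diff alignment and line counts rather than from a visible blank line, so it is worth confirming against the resulting file.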