From e2b9add5f870d0253ff13dc2ab5c68fea69bee06 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Jun 08 2010 12:38:33 +0000 Subject: How users interact with cgroup. All login users can list cgroup. Common users can read and write cgroup files (access governed by dac) Signed-off-by: Dominick Grift Signed-off-by: Chris PeBenito --- diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 990063c..42d4e8d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -542,6 +542,8 @@ template(`userdom_common_user_template',` # Stat lost+found. files_getattr_lost_found_dirs($1_t) + fs_rw_cgroup_files($1_t) + # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) @@ -753,8 +755,10 @@ template(`userdom_login_user_template', ` fs_getattr_all_fs($1_t) fs_getattr_all_dirs($1_t) fs_search_auto_mountpoints($1_t) + fs_list_cgroup_dirs($1_t) fs_list_inotifyfs($1_t) fs_rw_anon_inodefs_files($1_t) + fs_dontaudit_rw_cgroup_files($1_t) auth_dontaudit_write_login_records($1_t)
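Review bot: The new `fs_rw_cgroup_files($1_t)` call in userdom_common_user_template lands between the `# Stat lost+found.` group and the `# cjp:` note with no comment of its own, so a reader of the policy file cannot tell why every domain built from this template gets read and write on cgroup files; the rationale only exists in the commit message. I would put it in the file, e.g. `# cgroup control files: rw allowed, per-file access left to DAC`, and mention there that the second hunk's `fs_dontaudit_rw_cgroup_files($1_t)` in userdom_login_user_template is the matching silence for login users that are not common users (presumably, since the two templates appear related but their bodies continue outside both hunks). The diff does not add `fs_rw_cgroup_files`, `fs_list_cgroup_dirs` or `fs_dontaudit_rw_cgroup_files` to filesystem.if, so it presumably relies on an earlier commit defining those interfaces; if not, the policy build would fail on the unknown macro.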