diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index b029773..9306de6 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1 +1,3 @@ /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) + +/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index a2c146b..4052ab9 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -559,7 +559,25 @@ interface(`fs_register_binary_executable_type',` ######################################## ## <summary> -## Mount a cgroup filesystem. +## Get attributes of cgroup filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_cgroup',` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:filesystem getattr; +') + +######################################## +## <summary> +## Mount cgroup filesystems. ## </summary> ## <param name="domain"> ## <summary> @@ -577,8 +595,25 @@ interface(`fs_mount_cgroup', ` ######################################## ## <summary> -## Remount a cgroup filesystem This allows -## some mount options to be changed. +## Mount on cgroup directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mounton_cgroup', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:dir mounton; +') + +######################################## +## <summary> +## Remount cgroup filesystems. ## </summary> ## <param name="domain"> ## <summary> @@ -596,7 +631,7 @@ interface(`fs_remount_cgroup', ` ######################################## ## <summary> -## Unmount a cgroup file system. +## Unmount cgroup filesystems. ## </summary> ## <param name="domain"> ## <summary> @@ -614,65 +649,62 @@ interface(`fs_unmount_cgroup', ` ######################################## ## <summary> -## Get the attributes of a cgroup filesystem. +## Delete cgroup directories. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> -## <rolecap/> # -interface(`fs_getattr_cgroup',` +interface(`fs_delete_cgroup_dirs', ` gen_require(` - type cifs_t; + type cgroup_t; ') - allow $1 cifs_t:filesystem getattr; + delete_dirs_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## <summary> -## list dirs on cgroup -## file systems. +## list cgroup directories. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> +## <summary> +## Domain allowed access. +## </summary> ## </param> # interface(`fs_list_cgroup_dirs', ` - gen_require(` - type cgroup_t; - - ') + gen_require(` + type cgroup_t; + ') - list_dirs_pattern($1, cgroup_t, cgroup_t) + list_dirs_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## <summary> -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. +## Manage cgroup directories. ## </summary> ## <param name="domain"> ## <summary> -## Domain to not audit. +## Domain allowed access. ## </summary> ## </param> # -interface(`fs_dontaudit_list_cifs_dirs',` +interface(`fs_manage_cgroup_dirs',` gen_require(` - type cifs_t; + type cgroup_t; + ') - dontaudit $1 cifs_t:dir list_dir_perms; + manage_dirs_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## <summary> -## Manage dirs on cgroup file systems. +## Search cgroup directories. ## </summary> ## <param name="domain"> ## <summary> @@ -680,19 +712,18 @@ interface(`fs_dontaudit_list_cifs_dirs',` ## </summary> ## </param> # -interface(`fs_manage_cgroup_dirs',` +interface(`fs_search_cgroup_dirs',` gen_require(` type cgroup_t; ') - manage_dirs_pattern($1, cgroup_t, cgroup_t) + search_dirs_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## <summary> -## Set attributes of files on cgroup -## file systems. +## Manage cgroup files. ## </summary> ## <param name="domain"> ## <summary> @@ -700,19 +731,18 @@ interface(`fs_manage_cgroup_dirs',` ## </summary> ## </param> # -interface(`fs_setattr_cgroup_files',` +interface(`fs_manage_cgroup_files',` gen_require(` type cgroup_t; ') - setattr_files_pattern($1, cgroup_t, cgroup_t) + manage_files_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## <summary> -## Read files on cgroup -## file systems. +## Read cgroup files. ## </summary> ## <param name="domain"> ## <summary> @@ -731,8 +761,7 @@ interface(`fs_read_cgroup_files',` ######################################## ## <summary> -## Write files on cgroup -## file systems. +## Read and write cgroup files. ## </summary> ## <param name="domain"> ## <summary> @@ -740,19 +769,18 @@ interface(`fs_read_cgroup_files',` ## </summary> ## </param> # -interface(`fs_write_cgroup_files', ` +interface(`fs_rw_cgroup_files',` gen_require(` type cgroup_t; ') - write_files_pattern($1, cgroup_t, cgroup_t) + rw_files_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## <summary> -## Read and write files on cgroup -## file systems. +## Write cgroup files. ## </summary> ## <param name="domain"> ## <summary> @@ -760,13 +788,51 @@ interface(`fs_write_cgroup_files', ` ## </summary> ## </param> # -interface(`fs_rw_cgroup_files',` +interface(`fs_write_cgroup_files', ` gen_require(` type cgroup_t; + ') + + write_files_pattern($1, cgroup_t, cgroup_t) +') +######################################## +## <summary> +## Do not audit attempts to open, +## get attributes, read and write +## cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_rw_cgroup_files',` + gen_require(` + type cgroup_t; ') - rw_files_pattern($1, cgroup_t, cgroup_t) + dontaudit $1 cgroup_t:file rw_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read +## dirs on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_list_cifs_dirs',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:dir list_dir_perms; ') ######################################## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 774e0a1..cb889c3 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -68,6 +68,12 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) +type cgroup_t; +fs_type(cgroup_t) +files_type(cgroup_t) +files_mountpoint(cgroup_t) +genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) + type configfs_t; fs_type(configfs_t) genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index b0b4617..5b7ffc0 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -46,15 +46,6 @@ role system_r types kernel_t; sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) # -# cgroup fs -# - -type cgroup_t; -fs_type(cgroup_t) -allow cgroup_t self:filesystem associate; -genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) - -# # DebugFS #