Pull in cgroup changes from Fedora policy, in particular to handle systemd usage.

policy/modules/kernel/filesystem.fc

@@ -11,5 +11,6 @@
 /lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 /lib/udev/devices/shm/.*	<<none>>
 
+# for systemd systems:
 /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
-/sys/fs/cgroup(/.*)?		<<none>>
+/sys/fs/cgroup/.*		<<none>>

policy/modules/kernel/filesystem.te

@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.14.2)
+policy_module(filesystem, 1.14.3)
 
 ########################################
 #
@@ -71,6 +71,7 @@ type cgroup_t;
 fs_type(cgroup_t)
 files_type(cgroup_t)
 files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t) # only for systemd systems
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;

policy/modules/services/cgroup.fc

@@ -11,4 +11,5 @@
 /sbin/cgrulesengd		--	gen_context(system_u:object_r:cgred_exec_t,s0)
 /sbin/cgclear			--	gen_context(system_u:object_r:cgclear_exec_t,s0)
 
+/var/log/cgrulesengd\.log	--	gen_context(system_u:object_r:cgred_log_t,s0)
 /var/run/cgred.*			gen_context(system_u:object_r:cgred_var_run_t,s0)

policy/modules/services/cgroup.if

@@ -182,10 +182,10 @@ interface(`cgroup_admin',`
 
 	admin_pattern($1, cgconfig_etc_t)
 	admin_pattern($1, cgrules_etc_t)
-	files_search_etc($1)
+	files_list_etc($1)
 
 	admin_pattern($1, cgred_var_run_t)
-	files_search_pids($1)
+	files_list_pids($1)
 
 	cgroup_initrc_domtrans_cgconfig($1)
 	domain_system_change_exemption($1)

policy/modules/services/cgroup.te

@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.0.0)
+policy_module(cgroup, 1.0.1)
 
 ########################################
 #
@@ -16,6 +16,9 @@ init_daemon_domain(cgred_t, cgred_exec_t)
 type cgred_initrc_exec_t;
 init_script_file(cgred_initrc_exec_t)
 
+type cgred_log_t;
+logging_log_file(cgred_log_t)
+
 type cgred_var_run_t;
 files_pid_file(cgred_var_run_t)
 
@@ -37,7 +40,7 @@ files_config_file(cgconfig_etc_t)
 # cgclear personal policy.
 #
 
-allow cgclear_t self:capability sys_admin;
+allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
 
 kernel_read_system_state(cgclear_t)
 
@@ -52,7 +55,7 @@ fs_unmount_cgroup(cgclear_t)
 # cgconfig personal policy.
 #
 
-allow cgconfig_t self:capability { chown sys_admin };
+allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
 
 allow cgconfig_t cgconfig_etc_t:file read_file_perms;
 
@@ -67,16 +70,20 @@ fs_manage_cgroup_dirs(cgconfig_t)
 fs_manage_cgroup_files(cgconfig_t)
 fs_mount_cgroup(cgconfig_t)
 fs_mounton_cgroup(cgconfig_t)
+fs_unmount_cgroup(cgconfig_t)
 
 ########################################
 #
 # cgred personal policy.
 #
 
-allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
 
+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
+logging_log_filetrans(cgred_t, cgred_log_t, file)
+
 allow cgred_t cgrules_etc_t:file read_file_perms;
 
 # rc script creates pid file