diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 78a613072..cda5588eb 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -11,5 +11,6 @@
 /lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
 /lib/udev/devices/shm/.* <>
+# for systemd systems:
 /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-/sys/fs/cgroup(/.*)? <>
+/sys/fs/cgroup/.* <>
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 5a078514e..f125dc2b1 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.14.2)
+policy_module(filesystem, 1.14.3)
 ########################################
 #
@@ -71,6 +71,7 @@ type cgroup_t;
 fs_type(cgroup_t)
 files_type(cgroup_t)
 files_mountpoint(cgroup_t)
+dev_associate_sysfs(cgroup_t) # only for systemd systems
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 type configfs_t;
diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
index 420c9d379..b6bb46cf6 100644
--- a/policy/modules/services/cgroup.fc
+++ b/policy/modules/services/cgroup.fc
@@ -11,4 +11,5 @@
 /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
 /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
 /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index d020c9390..33facaf26 100644
--- a/policy/modules/services/cgroup.if
+++ b/policy/modules/services/cgroup.if
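Review bot: The new `# for systemd systems:` comment in the filesystem.fc hunk does not say why a file context for `/sys/fs/cgroup` is needed at all, and it hides a dependency on the `dev_associate_sysfs(cgroup_t)` rule added in the filesystem.te hunk further down: labeling that directory cgroup_t with `-d` presumably places a cgroup_t directory on sysfs, which the associate rule is what permits. A comment that states the dependency would keep the two from being changed independently, e.g. `# /sys/fs/cgroup is a directory on sysfs on systemd systems; its cgroup_t label relies on dev_associate_sysfs(cgroup_t) in filesystem.te`. The narrowing of `(/.*)?` to `/.*` is what stops the `<>` entry from also matching the directory itself, which is worth one more clause in that comment so the next edit does not reintroduce the overlap.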
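Review bot: The new cgroup.fc entry matches only the literal `/var/log/cgrulesengd.log`, so any rotated copy of that file would not be covered by this specification and would presumably fall back to the generic log label on a relabel. The sibling pid entry in the same hunk already uses a wildcard (`/var/run/cgred.*`), and the usual refpolicy shape for daemon logs does the same: `/var/log/cgrulesengd\.log.* -- gen_context(system_u:object_r:cgred_log_t,s0)`. Whether this daemon's log is ever rotated is not visible here, so this is a coverage question rather than a certain defect.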
@@ -182,10 +182,10 @@ interface(`cgroup_admin',`
 admin_pattern($1, cgconfig_etc_t)
 admin_pattern($1, cgrules_etc_t)
-files_search_etc($1)
+files_list_etc($1)
 admin_pattern($1, cgred_var_run_t)
-files_search_pids($1)
+files_list_pids($1)
 cgroup_initrc_domtrans_cgconfig($1)
 domain_system_change_exemption($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
index 8ca233387..dad226c15 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -1,4 +1,4 @@
-policy_module(cgroup, 1.0.0)
+policy_module(cgroup, 1.0.1)
 ########################################
 #
@@ -16,6 +16,9 @@ init_daemon_domain(cgred_t, cgred_exec_t)
 type cgred_initrc_exec_t;
 init_script_file(cgred_initrc_exec_t)
+type cgred_log_t;
+logging_log_file(cgred_log_t)
+
 type cgred_var_run_t;
 files_pid_file(cgred_var_run_t)
@@ -37,7 +40,7 @@ files_config_file(cgconfig_etc_t)
 # cgclear personal policy.
 #
-allow cgclear_t self:capability sys_admin;
+allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
 kernel_read_system_state(cgclear_t)
@@ -52,7 +55,7 @@ fs_unmount_cgroup(cgclear_t)
 # cgconfig personal policy.
 #
-allow cgconfig_t self:capability { chown sys_admin };
+allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
 allow cgconfig_t cgconfig_etc_t:file read_file_perms;
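Review bot: The cgclear_t rule in the `@@ -37,7 +40,7 @@` hunk now grants both `dac_read_search` and `dac_override`, but dac_override already covers every DAC bypass that dac_read_search provides, so if cgclear only needs to read or search paths it does not own, `dac_read_search` alone is the least-privilege grant. The refpolicy idiom for that case is `allow cgclear_t self:capability { dac_read_search sys_admin };` paired with `dontaudit cgclear_t self:capability dac_override;`, which is how the tree normally silences the dac_override probe the kernel makes before falling back to dac_read_search. The same question applies to the `dac_override` added for cgconfig_t in the following hunk. If a write to a file the process does not own genuinely needs dac_override, a comment naming that operation above the rule would justify the broader capability.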
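Review bot: `sys_tty_config` in the cgconfig_t rule of the `@@ -52,7 +55,7 @@` hunk is an unusual capability for a cgroup configuration tool; in refpolicy it is far more often a `dontaudit` (it typically shows up from a tty ioctl the program does not actually need) than an `allow`. Unless cgconfig is known to require it, `dontaudit cgconfig_t self:capability sys_tty_config;` is the safer rule, with the allow reduced to `{ dac_override fowner fsetid chown sys_admin }`. The `fowner fsetid chown` additions are consistent with the tool setting ownership and mode on the cgroup tree, but nothing in the hunk records that; a one-line comment above the rule stating which operation needs them would help the next reviewer.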
@@ -67,16 +70,20 @@ fs_manage_cgroup_dirs(cgconfig_t)
 fs_manage_cgroup_files(cgconfig_t)
 fs_mount_cgroup(cgconfig_t)
 fs_mounton_cgroup(cgconfig_t)
+fs_unmount_cgroup(cgconfig_t)
 ########################################
 #
 # cgred personal policy.
 #
-allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
 allow cgred_t self:netlink_socket { write bind create read };
 allow cgred_t self:unix_dgram_socket { write create connect };
+manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)
+logging_log_filetrans(cgred_t, cgred_log_t, file)
+
 allow cgred_t cgrules_etc_t:file read_file_perms;
 # rc script creates pid file
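Review bot: `manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` gives the daemon rename and unlink on its own log as well as write; if cgrulesengd only opens `/var/log/cgrulesengd.log` for append, the tighter idiom is `append_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` plus `create_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` and `allow cgred_t cgred_log_t:file setattr_file_perms;`, keeping the `logging_log_filetrans` line as is. The `chown fsetid` capabilities added to cgred_t near the top of the hunk carry no explanation, and since this domain already holds `dac_override`, chown on top of it lets the daemon re-own any file it can reach; a comment naming the operation that needs them would justify the grant. Whether the log is append-only and which files cgred chowns is not visible from this hunk.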