cgroup in filesystem.

Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc

Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>

policy/modules/kernel/filesystem.fc

@@ -1 +1,3 @@
 /dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
+
+/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)

policy/modules/kernel/filesystem.if

@@ -559,7 +559,25 @@ interface(`fs_register_binary_executable_type',`
 
 ########################################
 ## <summary>
-##	Mount a cgroup filesystem.
+##	Get attributes of cgroup filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_cgroup',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Mount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -577,8 +595,25 @@ interface(`fs_mount_cgroup', `
 
 ########################################
 ## <summary>
-##	Remount a cgroup filesystem  This allows
-##	some mount options to be changed.
+##	Mount on cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_cgroup', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Remount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -596,7 +631,7 @@ interface(`fs_remount_cgroup', `
 
 ########################################
 ## <summary>
-##	Unmount a cgroup file system.
+##	Unmount cgroup filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -614,41 +649,171 @@ interface(`fs_unmount_cgroup', `
 
 ########################################
 ## <summary>
-##	Get the attributes of a cgroup filesystem.
+##	Delete cgroup directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`fs_getattr_cgroup',`
+interface(`fs_delete_cgroup_dirs', `
 	gen_require(`
-		type cifs_t;
+		type cgroup_t;
 	')
 
-	allow $1 cifs_t:filesystem getattr;
+	delete_dirs_pattern($1, cgroup_t, cgroup_t)
 ')
 
 ########################################
 ## <summary>
-##      list dirs on cgroup
-##      file systems.
+##	list cgroup directories.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`fs_list_cgroup_dirs', `
-        gen_require(`
-                type cgroup_t;
+	gen_require(`
+		type cgroup_t;
+	')
 
-        ')
+	list_dirs_pattern($1, cgroup_t, cgroup_t)
+')
 
-        list_dirs_pattern($1, cgroup_t, cgroup_t)
+########################################
+## <summary>
+##	Manage cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	manage_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Search cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	search_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Manage cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	manage_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Read cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	read_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Read and write cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	rw_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Write cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_write_cgroup_files', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	write_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to open,
+##	get attributes, read and write
+##	cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	dontaudit $1 cgroup_t:file rw_file_perms;
 ')
 
 ########################################
@@ -670,105 +835,6 @@ interface(`fs_dontaudit_list_cifs_dirs',`
 	dontaudit $1 cifs_t:dir list_dir_perms;
 ')
 
-########################################
-## <summary>
-##	Manage dirs on cgroup file systems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_manage_cgroup_dirs',`
-	gen_require(`
-		type cgroup_t;
-
-	')
-
-	manage_dirs_pattern($1, cgroup_t, cgroup_t)
-')
-
-########################################
-## <summary>
-##	Set attributes of files on cgroup
-##	file systems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_setattr_cgroup_files',`
-	gen_require(`
-		type cgroup_t;
-
-	')
-
-	setattr_files_pattern($1, cgroup_t, cgroup_t)
-')
-
-########################################
-## <summary>
-##	Read files on cgroup
-##	file systems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_read_cgroup_files',`
-	gen_require(`
-		type cgroup_t;
-
-	')
-
-	read_files_pattern($1, cgroup_t, cgroup_t)
-')
-
-########################################
-## <summary>
-##	Write files on cgroup
-##	file systems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_write_cgroup_files', `
-	gen_require(`
-		type cgroup_t;
-
-	')
-
-	write_files_pattern($1, cgroup_t, cgroup_t)
-')
-
-########################################
-## <summary>
-##	Read and write files on cgroup
-##	file systems.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`fs_rw_cgroup_files',`
-	gen_require(`
-		type cgroup_t;
-
-	')
-
-	rw_files_pattern($1, cgroup_t, cgroup_t)
-')
-
 ########################################
 ## <summary>
 ##	Mount a CIFS or SMB network filesystem.

policy/modules/kernel/filesystem.te

@@ -68,6 +68,12 @@ fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
+type cgroup_t;
+fs_type(cgroup_t)
+files_type(cgroup_t)
+files_mountpoint(cgroup_t)
+genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+
 type configfs_t;
 fs_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)

policy/modules/kernel/kernel.te

@@ -45,15 +45,6 @@ mls_rangetrans_source(kernel_t)
 role system_r types kernel_t;
 sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 
-#
-# cgroup fs
-#
-
-type cgroup_t;
-fs_type(cgroup_t)
-allow cgroup_t self:filesystem associate;
-genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
-
 #
 # DebugFS
 #