## libcg is a library that abstracts the control group file system in Linux. ######################################## ## ## Execute a domain transition to run ## CG Clear. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_domtrans_cgclear',` gen_require(` type cgclear_t, cgclear_exec_t; ') domtrans_pattern($1, cgclear_exec_t, cgclear_t) corecmd_search_bin($1) ') ######################################## ## ## Execute a domain transition to run ## CG config parser. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_domtrans_cgconfig',` gen_require(` type cgconfig_t, cgconfig_exec_t; ') domtrans_pattern($1, cgconfig_exec_t, cgconfig_t) corecmd_search_bin($1) ') ######################################## ## ## Execute CG config init scripts in ## the init script domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_initrc_domtrans_cgconfig',` gen_require(` type cgconfig_initrc_exec_t; ') init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) ') ######################################## ## ## Execute a domain transition to run ## CG rules engine daemon. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_domtrans_cgred',` gen_require(` type cgred_t, cgred_exec_t; ') domtrans_pattern($1, cgred_exec_t, cgred_t) corecmd_search_bin($1) ') ######################################## ## ## Execute a domain transition to run ## CG rules engine daemon. ## domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`cgroup_initrc_domtrans_cgred',` gen_require(` type cgred_initrc_exec_t; ') init_labeled_script_domtrans($1, cgred_initrc_exec_t) ') ######################################## ## ## Execute a domain transition to ## run CG Clear and allow the ## specified role the CG Clear ## domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`cgroup_run_cgclear',` gen_require(` type cgclear_t; ') cgroup_domtrans_cgclear($1) role $2 types cgclear_t; ') ######################################## ## ## Connect to CG rules engine daemon ## over unix stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`cgroup_stream_connect_cgred', ` gen_require(` type cgred_runtime_t, cgred_t; ') stream_connect_pattern($1, cgred_runtime_t, cgred_runtime_t, cgred_t) files_search_pids($1) ') ######################################## ## ## All of the rules required to administrate ## an cgroup environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`cgroup_admin',` gen_require(` type cgred_t, cgconfig_t, cgred_runtime_t; type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; type cgrules_etc_t, cgclear_t; ') allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms }; ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t }) admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) admin_pattern($1, cgred_runtime_t) files_list_pids($1) init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t) init_startstop_service($1, $2, cgconfig_t, cgconfig_initrc_exec_t) cgroup_run_cgclear($1, $2) ')