From b04669aaeab37a0c85f534c74137a7a7f5d87b6d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 26 Oct 2009 09:42:11 -0400
Subject: [PATCH] add tuned from miroslav grepl.
---
 Changelog | 1 +
 policy/modules/services/tuned.fc | 5 ++
 policy/modules/services/tuned.if | 129 +++++++++++++++++++++++++++++++
 policy/modules/services/tuned.te | 54 +++++++++++++
 4 files changed, 189 insertions(+)
 create mode 100644 policy/modules/services/tuned.fc
 create mode 100644 policy/modules/services/tuned.if
 create mode 100644 policy/modules/services/tuned.te
diff --git a/Changelog b/Changelog
index f52025401..b03fb48d8 100644
--- a/Changelog
+++ b/Changelog
@@ -22,6 +22,7 @@
 rtkit (Dan Walsh)
 seunshare (Dan Walsh)
 shorewall (Dan Walsh)
+ tuned (Miroslav Grepl)
 xscreensaver (Corentin Labbe)
 * Thu Jul 30 2009 Chris PeBenito - 2.20090730
diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc
new file mode 100644
index 000000000..2188cc8d9
--- /dev/null
+++ b/policy/modules/services/tuned.fc
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
+
+/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
+/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if
new file mode 100644
index 000000000..25b243532
--- /dev/null
+++ b/policy/modules/services/tuned.if
@@ -0,0 +1,129 @@
+## Dynamic adaptive system tuning daemon
+
+########################################
+##
+## Execute a domain transition to run tuned.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`tuned_domtrans',`
+ gen_require(`
+ type tuned_t, tuned_exec_t;
+ ')
+
+ domtrans_pattern($1, tuned_exec_t, tuned_t)
+')
+
+#######################################
+##
+## Execute tuned in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tuned_exec',`
+ gen_require(`
+ type tuned_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, tuned_exec_t)
+')
+
+######################################
+##
+## Read tuned PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tuned_read_pid_files',`
+ gen_require(`
+ type tuned_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+')
+
+#######################################
+##
+## Manage tuned PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`tuned_manage_pid_files',`
+ gen_require(`
+ type tuned_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
+')
+
+########################################
+##
+## Execute tuned server in the tuned domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`tuned_initrc_domtrans',`
+ gen_require(`
+ type tuned_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, tuned_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an tuned environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`tuned_admin',`
+ gen_require(`
+ type tuned_t, tuned_var_run_t;
+ type tuned_initrc_exec_t;
+ ')
+
+ allow $1 tuned_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tuned_t)
+
+ tuned_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 tuned_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, tuned_var_run_t)
+')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
new file mode 100644
index 000000000..b54ead0ac
--- /dev/null
+++ b/policy/modules/services/tuned.te
@@ -0,0 +1,54 @@
+
+policy_module(tuned, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tuned_t;
+type tuned_exec_t;
+init_daemon_domain(tuned_t, tuned_exec_t)
+
+type tuned_initrc_exec_t;
+init_script_file(tuned_initrc_exec_t)
+
+type tuned_var_run_t;
+files_pid_file(tuned_var_run_t)
+
+########################################
+#
+# tuned local policy
+#
+
+dontaudit tuned_t self:capability dac_override;
+
+manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+files_pid_filetrans(tuned_t, tuned_var_run_t, file)
+
+corecmd_exec_shell(tuned_t)
+
+kernel_read_system_state(tuned_t)
+kernel_read_network_state(tuned_t)
+
+dev_read_sysfs(tuned_t)
+# to allow cpu tuning
+dev_rw_netcontrol(tuned_t)
+
+files_read_etc_files(tuned_t)
+files_read_usr_files(tuned_t)
+files_dontaudit_search_home(tuned_t)
+
+miscfiles_read_localization(tuned_t)
+
+userdom_dontaudit_search_user_home_dirs(tuned_t)
+
+# to allow disk tuning
+optional_policy(`
+ fstools_domtrans(tuned_t)
+')
+
+# to allow network interface tuning
+optional_policy(`
+ sysnet_domtrans_ifconfig(tuned_t)
+')
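Review bot: The summary on `tuned_initrc_domtrans` ("Execute tuned server in the tuned domain") does not describe what the interface does: `init_labeled_script_domtrans($1, tuned_initrc_exec_t)` transitions the caller through the init script label, not into `tuned_t`, so it should read `## Execute the tuned init script in the init script domain.`. `tuned_exec` deserves a matching caveat, because `can_exec($1, tuned_exec_t)` runs the daemon with the caller's own permissions and none of the tuned_t confinement applies: `## No domain transition occurs; tuned runs with the caller's privileges.`. The admin summary also has a typo, `## an tuned environment` should be `## a tuned environment`. Finally, `tuned_admin` grants `ptrace` on `tuned_t` unconditionally, which lets the admin domain read the daemon's memory; that is the usual refpolicy admin template of this vintage, but it is worth keeping in mind before handing the role to a semi-trusted user.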
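Review bot: The daemon gets only `dev_read_sysfs(tuned_t)`, yet its stated purpose (the .if summary: "Dynamic adaptive system tuning") is to adjust kernel tunables, most of which are exposed under /sys; if the shipped tuning scripts write sysfs attributes directly rather than only through the `fstools_domtrans`/`sysnet_domtrans_ifconfig` helpers, expect `sysfs_t` write denials and a need for `dev_rw_sysfs(tuned_t)` — confirm against the scripts before widening. The comment `# to allow cpu tuning` above `dev_rw_netcontrol(tuned_t)` should name the device nodes it is about, since the interface name suggests networking; presumably these are the PM QoS nodes such as `/dev/cpu_dma_latency` that refpolicy labels `netcontrol_device_t`, so verify against devices.fc and write e.g. `# PM QoS nodes (/dev/cpu_dma_latency etc.) are netcontrol_device_t`. Also worth a comment on the disk-tuning block: `corecmd_exec_shell(tuned_t)` together with `fstools_domtrans(tuned_t)` lets tuned's shell scripts launch anything labeled `fsadm_exec_t` in `fsadm_t`, which carries raw block-device access, making that hook the most sensitive grant in this module even though it is reasonable for a root daemon.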