## libcg is a library that abstracts the control group file system in Linux.
########################################
##
## Execute a domain transition to run
## CG Clear.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`cgroup_domtrans_cgclear',`
gen_require(`
type cgclear_t, cgclear_exec_t;
')
domtrans_pattern($1, cgclear_exec_t, cgclear_t)
corecmd_search_bin($1)
')
########################################
##
## Execute a domain transition to run
## CG config parser.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`cgroup_domtrans_cgconfig',`
gen_require(`
type cgconfig_t, cgconfig_exec_t;
')
domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
corecmd_search_bin($1)
')
########################################
##
## Execute a domain transition to run
## CG config parser.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`cgroup_initrc_domtrans_cgconfig',`
gen_require(`
type cgconfig_initrc_exec_t;
')
init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
')
########################################
##
## Execute a domain transition to run
## CG rules engine daemon.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`cgroup_domtrans_cgred',`
gen_require(`
type cgred_t, cgred_exec_t;
')
domtrans_pattern($1, cgred_exec_t, cgred_t)
corecmd_search_bin($1)
')
########################################
##
## Execute a domain transition to run
## CG rules engine daemon.
## domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`cgroup_initrc_domtrans_cgred',`
gen_require(`
type cgred_initrc_exec_t;
')
init_labeled_script_domtrans($1, cgred_initrc_exec_t)
')
########################################
##
## Execute a domain transition to
## run CG Clear and allow the
## specified role the CG Clear
## domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`cgroup_run_cgclear',`
gen_require(`
type cgclear_t;
')
cgroup_domtrans_cgclear($1)
role $2 types cgclear_t;
')
########################################
##
## Connect to CG rules engine daemon
## over unix stream sockets.
##
##
##
## Domain allowed access.
##
##
#
interface(`cgroup_stream_connect_cgred', `
gen_require(`
type cgred_var_run_t, cgred_t;
')
stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
files_search_pids($1)
')
########################################
##
## All of the rules required to administrate
## an cgroup environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`cgroup_admin',`
gen_require(`
type cgred_t, cgconfig_t, cgred_var_run_t;
type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
type cgrules_etc_t, cgclear_t;
')
allow $1 cgclear_t:process signal_perms;
ps_process_pattern($1, cgclear_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cgclear_t:process ptrace;
')
allow $1 cgconfig_t:process signal_perms;
ps_process_pattern($1, cgconfig_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cgconfig_t:process ptrace;
')
allow $1 cgred_t:process signal_perms;
ps_process_pattern($1, cgred_t)
tunable_policy(`deny_ptrace',`',`
allow $1 cgred_t:process ptrace;
')
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
admin_pattern($1, cgred_var_run_t)
files_list_pids($1)
cgroup_initrc_domtrans_cgconfig($1)
cgroup_initrc_domtrans_cgred($1)
domain_system_change_exemption($1)
role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
allow $2 system_r;
cgroup_run_cgclear($1, $2)
')