* [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo
@ 2017-06-04 15:23 Jason Zaman
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 2/6] consolekit: Add support for consolekit2 Jason Zaman
                   ` (5 more replies)
  0 siblings, 6 replies; 12+ messages in thread
From: Jason Zaman @ 2017-06-04 15:23 UTC (permalink / raw)
  To: refpolicy

---
 cgmanager.fc |  9 ++++++++
 cgmanager.if | 22 ++++++++++++++++++++
 cgmanager.te | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 cgmanager.fc
 create mode 100644 cgmanager.if
 create mode 100644 cgmanager.te

diff --git a/cgmanager.fc b/cgmanager.fc
new file mode 100644
index 0000000..b02ca99
--- /dev/null
+++ b/cgmanager.fc
@@ -0,0 +1,9 @@
+/usr/sbin/cgmanager				--	gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/sbin/cgproxy				--	gen_context(system_u:object_r:cgmanager_exec_t,s0)
+/usr/libexec/cgmanager/cgm-release-agent	--	gen_context(system_u:object_r:cgmanager_exec_t,s0)
+
+/sys/fs/cgroup/cgmanager(/.*)?				gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
+
+/run/cgmanager(/.*)?					gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager.pid					gen_context(system_u:object_r:cgmanager_run_t,s0)
+/run/cgmanager/fs(/.*)?					<<none>>
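Review bot: The `<<none>>` entry on the last line, `/run/cgmanager/fs(/.*)?`, carries no comment saying why that subtree is deliberately left unlabelled, so a later reader may treat it as an omission. The .te in the same patch grants `allow cgmanager_t cgmanager_run_t:dir mounton`, which suggests the directory is a mount point whose contents take the mounted filesystem's labels — confirm that and record it above the line, e.g. `# mount point; contents are labelled by the mounted filesystem`.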
diff --git a/cgmanager.if b/cgmanager.if
new file mode 100644
index 0000000..ad459a6
--- /dev/null
+++ b/cgmanager.if
@@ -0,0 +1,22 @@
+## <summary>Control Group manager daemon.</summary>
+
+########################################
+## <summary>
+##	Connect to cgmanager with a unix
+##	domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`cgmanager_stream_connect',`
+	gen_require(`
+		type cgmanager_t, cgmanager_cgroup_t;
+	')
+
+	fs_search_cgroup_dirs($1)
+	list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
+	stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
+')
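Review bot: `list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)` grants every caller read/list access to the cgmanager cgroup directories, which is more than the summary ("Connect to cgmanager with a unix domain stream socket") describes, and `stream_connect_pattern` on the next line already includes search on the socket's directory. If the client only opens the socket by path the list rule can be dropped; if it really enumerates the directory, say so in the summary so callers know what they are granting. Nothing here explains why `fs_search_cgroup_dirs($1)` is needed either; since the .fc labels `/sys/fs/cgroup/cgmanager(/.*)?` as cgmanager_cgroup_t and that type is the socket type here, a comment such as `# the socket lives under /sys/fs/cgroup/cgmanager` would make the interface self-explanatory.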
diff --git a/cgmanager.te b/cgmanager.te
new file mode 100644
index 0000000..d70e8ca
--- /dev/null
+++ b/cgmanager.te
@@ -0,0 +1,67 @@
+policy_module(cgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type cgmanager_t;
+type cgmanager_exec_t;
+init_daemon_domain(cgmanager_t, cgmanager_exec_t)
+
+type cgmanager_run_t;
+files_pid_file(cgmanager_run_t)
+
+type cgmanager_cgroup_t;
+files_type(cgmanager_cgroup_t)
+
+########################################
+#
+# CGManager local policy
+#
+
+allow cgmanager_t self:capability { sys_admin dac_override };
+allow cgmanager_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
+files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
+allow cgmanager_t cgmanager_run_t:dir mounton;
+
+manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
+fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
+
+# for the release agent
+kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
+kernel_read_system_state(cgmanager_t)
+
+corecmd_exec_bin(cgmanager_t)
+can_exec(cgmanager_t, cgmanager_exec_t)
+
+domain_read_all_domains_state(cgmanager_t)
+
+files_read_etc_files(cgmanager_t)
+
+# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
+files_mounton_all_mountpoints(cgmanager_t)
+files_unmount_all_file_type_fs(cgmanager_t)
+fs_unmount_xattr_fs(cgmanager_t)
+
+fs_manage_cgroup_dirs(cgmanager_t)
+fs_manage_cgroup_files(cgmanager_t)
+
+fs_getattr_tmpfs(cgmanager_t)
+
+fs_manage_tmpfs_dirs(cgmanager_t)
+fs_manage_tmpfs_files(cgmanager_t)
+
+fs_mount_cgroup(cgmanager_t)
+fs_mount_tmpfs(cgmanager_t)
+fs_mounton_tmpfs(cgmanager_t)
+fs_remount_cgroup(cgmanager_t)
+fs_remount_tmpfs(cgmanager_t)
+fs_unmount_cgroup(cgmanager_t)
+fs_unmount_tmpfs(cgmanager_t)
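Review bot: `allow cgmanager_t self:capability { sys_admin dac_override };` grants dac_override, which bypasses all DAC checks including write; if cgmanager only needs to read or traverse files it does not own, `dac_read_search` is the narrower capability and the one refpolicy prefers. Either switch to `allow cgmanager_t self:capability { dac_read_search sys_admin };` after confirming, or add a comment naming the operation that needs full override. The broad mount/unmount rules below `# cgmanager unmounts everything in its own mount namespace` are at least explained in place; the capability line deserves the same. Note also that cgm-release-agent is labelled cgmanager_exec_t in the .fc and enters cgmanager_t through `kernel_domtrans_to`, so the release agent inherits everything granted here.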
-- 
2.13.0


* [refpolicy] [PATCH v2 2/6] consolekit: Add support for consolekit2
  2017-06-04 15:23 [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo Jason Zaman
@ 2017-06-04 15:23 ` Jason Zaman
  2017-06-05  0:32   ` Chris PeBenito
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 3/6] consolekit: allow purging tmp Jason Zaman
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Jason Zaman @ 2017-06-04 15:23 UTC (permalink / raw)
  To: refpolicy

setattr on chr_files is for setting dev nodes on login
rw sysfs and devicekit for suspend
connect to cgmanager to track sessions with cgroups
---
 consolekit.te | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/consolekit.te b/consolekit.te
index c99a6cb..c3c58f7 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -53,7 +53,8 @@ corecmd_exec_bin(consolekit_t)
 corecmd_exec_shell(consolekit_t)
 
 dev_read_urand(consolekit_t)
-dev_read_sysfs(consolekit_t)
+dev_rw_sysfs(consolekit_t)
+dev_setattr_all_chr_files(consolekit_t)
 
 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
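Review bot: `dev_setattr_all_chr_files(consolekit_t)` grants setattr on every character-device type in the policy, and `dev_rw_sysfs` widens the previous read-only sysfs access to write, yet neither line carries the justification given in the commit message. Put it where it will be read, e.g. `# set ownership on device nodes at login` above the setattr line and `# writes sysfs for suspend` above `dev_rw_sysfs`. If the device classes consolekit actually touches are known, the per-class setattr interfaces in devices.if would be tighter than the _all_ variant — worth checking before this is merged as-is.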
@@ -104,6 +105,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+	cgmanager_stream_connect(consolekit_t)
+')
+
+optional_policy(`
 	dbus_read_lib_files(consolekit_t)
 	dbus_system_domain(consolekit_t, consolekit_exec_t)
 
@@ -125,6 +130,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	devicekit_manage_log_files(consolekit_t)
+')
+
+optional_policy(`
 	hal_ptrace(consolekit_t)
 ')
 
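Review bot: `devicekit_manage_log_files(consolekit_t)` lets consolekit create, delete and rename another daemon's log files, which is wider than the "devicekit for suspend" reason in the commit message suggests. If consolekit only writes to an existing devicekit log, a narrower devicekit log interface (if devicekit.if provides one) is preferable; otherwise add `# needed for suspend via devicekit` above the call so the scope is at least recorded in the policy.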
@@ -156,6 +165,7 @@ optional_policy(`
 optional_policy(`
 	udev_domtrans(consolekit_t)
 	udev_read_db(consolekit_t)
+	udev_read_pid_files(consolekit_t)
 	udev_signal(consolekit_t)
 ')
 
-- 
2.13.0


* [refpolicy] [PATCH v2 3/6] consolekit: allow purging tmp
  2017-06-04 15:23 [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo Jason Zaman
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 2/6] consolekit: Add support for consolekit2 Jason Zaman
@ 2017-06-04 15:23 ` Jason Zaman
  2017-06-05  0:32   ` Chris PeBenito
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 4/6] consolekit: introduce consolekit_use_inhibit_lock interface Jason Zaman
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Jason Zaman @ 2017-06-04 15:23 UTC (permalink / raw)
  To: refpolicy

Needs to be able to clear out /run/user/UID on logout
---
 consolekit.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/consolekit.te b/consolekit.te
index c3c58f7..ad7ea36 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -63,6 +63,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t)
 files_read_usr_files(consolekit_t)
 files_read_var_lib_files(consolekit_t)
 files_search_all_mountpoints(consolekit_t)
+files_purge_tmp(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 fs_mount_tmpfs(consolekit_t)
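Review bot: `files_purge_tmp(consolekit_t)` grants manage on every tmpfile type in the policy, not only the /run/user/UID tree the commit message names, and the hunk leaves no trace of that reason in the policy itself. Add `# clear out /run/user/UID on logout` above the line so the breadth is explained in place. If /run/user/UID is labelled with a single user-runtime type, a manage rule on that type alone would be tighter than the purge interface — worth confirming against the file contexts.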
-- 
2.13.0


* [refpolicy] [PATCH v2 4/6] consolekit: introduce consolekit_use_inhibit_lock interface
  2017-06-04 15:23 [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo Jason Zaman
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 2/6] consolekit: Add support for consolekit2 Jason Zaman
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 3/6] consolekit: allow purging tmp Jason Zaman
@ 2017-06-04 15:23 ` Jason Zaman
  2017-06-05  0:32   ` Chris PeBenito
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 5/6] dbus: use consolekit inhibit locks Jason Zaman
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Jason Zaman @ 2017-06-04 15:23 UTC (permalink / raw)
  To: refpolicy

Applications hold FDs while they hold the lock.
Implements this API:
https://www.freedesktop.org/wiki/Software/systemd/inhibit/
---
changes from v1:
- rw_fifo_file_perms -> rw_inherited_fifo_file_perms
- updated the description in the interface with more detail from the previous summary
- Added the manage_fifo_file_perms to the .te file in this patch instead of in the previous one
---
 consolekit.if | 23 +++++++++++++++++++++++
 consolekit.te |  1 +
 2 files changed, 24 insertions(+)

diff --git a/consolekit.if b/consolekit.if
index 5b830ec..e5cc843 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -42,6 +42,29 @@ interface(`consolekit_dbus_chat',`
 
 ########################################
 ## <summary>
+##	Use consolekit inhibit locks.
+##
+##	The program gets passed an FD to a fifo_file to hold.
+##	When the application is done with the lock, it closes the FD.
+##	Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_use_inhibit_lock',`
+	gen_require(`
+		type consolekit_t, consolekit_var_run_t;
+	')
+
+	allow $1 consolekit_t:fd use;
+	allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read consolekit log files.
 ## </summary>
 ## <param name="domain">
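Review bot: The body of `consolekit_use_inhibit_lock` does not say why `rw_inherited_fifo_file_perms` rather than `rw_fifo_file_perms` is used, which was the v1-to-v2 change and is the security-relevant detail: the inherited set omits open, so a caller can only use a fifo descriptor handed to it and cannot open consolekit's fifos by path. A comment above the allow line, `# no open: the fifo fd is received from consolekit, never opened by path`, records that intent, and the XML summary could carry the same sentence. The hunk ends inside the following interface's header, which continues outside it.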
diff --git a/consolekit.te b/consolekit.te
index ad7ea36..ea4db82 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
 
 manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })
 
 kernel_read_system_state(consolekit_t)
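Review bot: `manage_fifo_files_pattern` is added, but `files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })` on the next line still transitions only dirs and files; a fifo created directly in /run would get the generic pid-file type rather than consolekit_var_run_t, and neither the new rule nor `consolekit_use_inhibit_lock` would then apply to it. If the inhibit fifo is created under an existing consolekit_var_run_t directory it inherits that label and this is fine; if not, extend the transition to `files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file fifo_file })`.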
-- 
2.13.0


* [refpolicy] [PATCH v2 5/6] dbus: use consolekit inhibit locks
  2017-06-04 15:23 [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo Jason Zaman
                   ` (2 preceding siblings ...)
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 4/6] consolekit: introduce consolekit_use_inhibit_lock interface Jason Zaman
@ 2017-06-04 15:23 ` Jason Zaman
  2017-06-05  0:31   ` Chris PeBenito
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 6/6] networkmanager: " Jason Zaman
  2017-06-05  0:32 ` [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo Chris PeBenito
  5 siblings, 1 reply; 12+ messages in thread
From: Jason Zaman @ 2017-06-04 15:23 UTC (permalink / raw)
  To: refpolicy

---
 dbus.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dbus.te b/dbus.te
index a3bd6bd..f6b83a6 100644
--- a/dbus.te
+++ b/dbus.te
@@ -164,6 +164,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	consolekit_use_inhibit_lock(system_dbusd_t)
+')
+
+optional_policy(`
 	policykit_read_lib(system_dbusd_t)
 ')
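Review bot: `consolekit_use_inhibit_lock(system_dbusd_t)` gives the system bus daemon fd use on consolekit and read/write on its fifos, and the commit message is empty, so nothing records why the bus itself rather than only the endpoints needs the lock. Presumably the inhibit fd is relayed through the system bus and the receive check applies to dbusd; a comment such as `# inhibit lock fds are relayed through the system bus` above the call would make that explicit.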
 
-- 
2.13.0


* [refpolicy] [PATCH v2 6/6] networkmanager: use consolekit inhibit locks
  2017-06-04 15:23 [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo Jason Zaman
                   ` (3 preceding siblings ...)
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 5/6] dbus: use consolekit inhibit locks Jason Zaman
@ 2017-06-04 15:23 ` Jason Zaman
  2017-06-05  0:32   ` Chris PeBenito
  2017-06-05  0:32 ` [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo Chris PeBenito
  5 siblings, 1 reply; 12+ messages in thread
From: Jason Zaman @ 2017-06-04 15:23 UTC (permalink / raw)
  To: refpolicy

---
 networkmanager.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/networkmanager.te b/networkmanager.te
index 9b9aaec..f5f0879 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -223,6 +223,7 @@ optional_policy(`
 
 	optional_policy(`
 		consolekit_dbus_chat(NetworkManager_t)
+		consolekit_use_inhibit_lock(NetworkManager_t)
 	')
 
 	optional_policy(`
-- 
2.13.0


* [refpolicy] [PATCH v2 5/6] dbus: use consolekit inhibit locks
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 5/6] dbus: use consolekit inhibit locks Jason Zaman
@ 2017-06-05  0:31   ` Chris PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Chris PeBenito @ 2017-06-05  0:31 UTC (permalink / raw)
  To: refpolicy

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> ---
>  dbus.te | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/dbus.te b/dbus.te
> index a3bd6bd..f6b83a6 100644
> --- a/dbus.te
> +++ b/dbus.te
> @@ -164,6 +164,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	consolekit_use_inhibit_lock(system_dbusd_t)
> +')
> +
> +optional_policy(`
>  	policykit_read_lib(system_dbusd_t)
>  ')

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH v2 3/6] consolekit: allow purging tmp
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 3/6] consolekit: allow purging tmp Jason Zaman
@ 2017-06-05  0:32   ` Chris PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Chris PeBenito @ 2017-06-05  0:32 UTC (permalink / raw)
  To: refpolicy

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> Needs to be able to clear out /run/user/UID on logout
> ---
>  consolekit.te | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/consolekit.te b/consolekit.te
> index c3c58f7..ad7ea36 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -63,6 +63,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t)
>  files_read_usr_files(consolekit_t)
>  files_read_var_lib_files(consolekit_t)
>  files_search_all_mountpoints(consolekit_t)
> +files_purge_tmp(consolekit_t)
>
>  fs_list_inotifyfs(consolekit_t)
>  fs_mount_tmpfs(consolekit_t)

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH v2 6/6] networkmanager: use consolekit inhibit locks
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 6/6] networkmanager: " Jason Zaman
@ 2017-06-05  0:32   ` Chris PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Chris PeBenito @ 2017-06-05  0:32 UTC (permalink / raw)
  To: refpolicy

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> ---
>  networkmanager.te | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/networkmanager.te b/networkmanager.te
> index 9b9aaec..f5f0879 100644
> --- a/networkmanager.te
> +++ b/networkmanager.te
> @@ -223,6 +223,7 @@ optional_policy(`
>
>  	optional_policy(`
>  		consolekit_dbus_chat(NetworkManager_t)
> +		consolekit_use_inhibit_lock(NetworkManager_t)
>  	')
>
>  	optional_policy(`

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo
  2017-06-04 15:23 [refpolicy] [PATCH v2 1/6] cgmanager: add policy from gentoo Jason Zaman
                   ` (4 preceding siblings ...)
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 6/6] networkmanager: " Jason Zaman
@ 2017-06-05  0:32 ` Chris PeBenito
  5 siblings, 0 replies; 12+ messages in thread
From: Chris PeBenito @ 2017-06-05  0:32 UTC (permalink / raw)
  To: refpolicy

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> ---
>  cgmanager.fc |  9 ++++++++
>  cgmanager.if | 22 ++++++++++++++++++++
>  cgmanager.te | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 98 insertions(+)
>  create mode 100644 cgmanager.fc
>  create mode 100644 cgmanager.if
>  create mode 100644 cgmanager.te
>
> diff --git a/cgmanager.fc b/cgmanager.fc
> new file mode 100644
> index 0000000..b02ca99
> --- /dev/null
> +++ b/cgmanager.fc
> @@ -0,0 +1,9 @@
> +/usr/sbin/cgmanager				--	gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/sbin/cgproxy				--	gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +/usr/libexec/cgmanager/cgm-release-agent	--	gen_context(system_u:object_r:cgmanager_exec_t,s0)
> +
> +/sys/fs/cgroup/cgmanager(/.*)?				gen_context(system_u:object_r:cgmanager_cgroup_t,s0)
> +
> +/run/cgmanager(/.*)?					gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager.pid					gen_context(system_u:object_r:cgmanager_run_t,s0)
> +/run/cgmanager/fs(/.*)?					<<none>>
> diff --git a/cgmanager.if b/cgmanager.if
> new file mode 100644
> index 0000000..ad459a6
> --- /dev/null
> +++ b/cgmanager.if
> @@ -0,0 +1,22 @@
> +## <summary>Control Group manager daemon.</summary>
> +
> +########################################
> +## <summary>
> +##	Connect to cgmanager with a unix
> +##	domain stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`cgmanager_stream_connect',`
> +	gen_require(`
> +		type cgmanager_t, cgmanager_cgroup_t;
> +	')
> +
> +	fs_search_cgroup_dirs($1)
> +	list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +	stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t)
> +')
> diff --git a/cgmanager.te b/cgmanager.te
> new file mode 100644
> index 0000000..d70e8ca
> --- /dev/null
> +++ b/cgmanager.te
> @@ -0,0 +1,67 @@
> +policy_module(cgmanager, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type cgmanager_t;
> +type cgmanager_exec_t;
> +init_daemon_domain(cgmanager_t, cgmanager_exec_t)
> +
> +type cgmanager_run_t;
> +files_pid_file(cgmanager_run_t)
> +
> +type cgmanager_cgroup_t;
> +files_type(cgmanager_cgroup_t)
> +
> +########################################
> +#
> +# CGManager local policy
> +#
> +
> +allow cgmanager_t self:capability { sys_admin dac_override };
> +allow cgmanager_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
> +files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
> +allow cgmanager_t cgmanager_run_t:dir mounton;
> +
> +manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
> +fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")
> +
> +# for the release agent
> +kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
> +kernel_read_system_state(cgmanager_t)
> +
> +corecmd_exec_bin(cgmanager_t)
> +can_exec(cgmanager_t, cgmanager_exec_t)
> +
> +domain_read_all_domains_state(cgmanager_t)
> +
> +files_read_etc_files(cgmanager_t)
> +
> +# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
> +files_mounton_all_mountpoints(cgmanager_t)
> +files_unmount_all_file_type_fs(cgmanager_t)
> +fs_unmount_xattr_fs(cgmanager_t)
> +
> +fs_manage_cgroup_dirs(cgmanager_t)
> +fs_manage_cgroup_files(cgmanager_t)
> +
> +fs_getattr_tmpfs(cgmanager_t)
> +
> +fs_manage_tmpfs_dirs(cgmanager_t)
> +fs_manage_tmpfs_files(cgmanager_t)
> +
> +fs_mount_cgroup(cgmanager_t)
> +fs_mount_tmpfs(cgmanager_t)
> +fs_mounton_tmpfs(cgmanager_t)
> +fs_remount_cgroup(cgmanager_t)
> +fs_remount_tmpfs(cgmanager_t)
> +fs_unmount_cgroup(cgmanager_t)
> +fs_unmount_tmpfs(cgmanager_t)

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH v2 4/6] consolekit: introduce consolekit_use_inhibit_lock interface
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 4/6] consolekit: introduce consolekit_use_inhibit_lock interface Jason Zaman
@ 2017-06-05  0:32   ` Chris PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Chris PeBenito @ 2017-06-05  0:32 UTC (permalink / raw)
  To: refpolicy

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> Applications hold FDs while they hold the lock.
> Implements this API:
> https://www.freedesktop.org/wiki/Software/systemd/inhibit/
> ---
> changes from v1:
> - rw_fifo_file_perms -> rw_inherited_fifo_file_perms
> - updated the description in the interface with more detail from the previous summary
> - Added the manage_fifo_fle_perms to the .te file in this patch instead of in the previous one
> ---
>  consolekit.if | 23 +++++++++++++++++++++++
>  consolekit.te |  1 +
>  2 files changed, 24 insertions(+)
>
> diff --git a/consolekit.if b/consolekit.if
> index 5b830ec..e5cc843 100644
> --- a/consolekit.if
> +++ b/consolekit.if
> @@ -42,6 +42,29 @@ interface(`consolekit_dbus_chat',`
>
>  ########################################
>  ## <summary>
> +##	Use consolekit inhibit locks.
> +##
> +##	The program gets passed an FD to a fifo_file to hold.
> +##	When the application is done with the lock, it closes the FD.
> +##	Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`consolekit_use_inhibit_lock',`
> +	gen_require(`
> +		type consolekit_t, consolekit_var_run_t;
> +	')
> +
> +	allow $1 consolekit_t:fd use;
> +	allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read consolekit log files.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/consolekit.te b/consolekit.te
> index ad7ea36..ea4db82 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
>
>  manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
>  manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
> +manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
>  files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH v2 2/6] consolekit: Add support for consolekit2
  2017-06-04 15:23 ` [refpolicy] [PATCH v2 2/6] consolekit: Add support for consolekit2 Jason Zaman
@ 2017-06-05  0:32   ` Chris PeBenito
  0 siblings, 0 replies; 12+ messages in thread
From: Chris PeBenito @ 2017-06-05  0:32 UTC (permalink / raw)
  To: refpolicy

On 06/04/2017 11:23 AM, Jason Zaman wrote:
> setattr chr_files is to setting dev nodes on login
> rw sysfs and devicekit for suspend
> connect to cgmanager to track sessions with cgroups
> ---
>  consolekit.te | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/consolekit.te b/consolekit.te
> index c99a6cb..c3c58f7 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -53,7 +53,8 @@ corecmd_exec_bin(consolekit_t)
>  corecmd_exec_shell(consolekit_t)
>
>  dev_read_urand(consolekit_t)
> -dev_read_sysfs(consolekit_t)
> +dev_rw_sysfs(consolekit_t)
> +dev_setattr_all_chr_files(consolekit_t)
>
>  domain_read_all_domains_state(consolekit_t)
>  domain_use_interactive_fds(consolekit_t)
> @@ -104,6 +105,10 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>
>  optional_policy(`
> +	cgmanager_stream_connect(consolekit_t)
> +')
> +
> +optional_policy(`
>  	dbus_read_lib_files(consolekit_t)
>  	dbus_system_domain(consolekit_t, consolekit_exec_t)
>
> @@ -125,6 +130,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	devicekit_manage_log_files(consolekit_t)
> +')
> +
> +optional_policy(`
>  	hal_ptrace(consolekit_t)
>  ')
>
> @@ -156,6 +165,7 @@ optional_policy(`
>  optional_policy(`
>  	udev_domtrans(consolekit_t)
>  	udev_read_db(consolekit_t)
> +	udev_read_pid_files(consolekit_t)
>  	udev_signal(consolekit_t)
>  ')

Merged.

-- 
Chris PeBenito

