[refpolicy] [patch v2 0/1] Revisiting cgroups.

Dominick Grift domg472 at gmail.com
Mon Jun 7 13:10:02 CDT 2010


Here's another shot at cgroups.

Revisiting existing cgroup policy:
- Move cgroup_t declarations from kernel.te to filesystem.te
- Redo cgroup interfaces in filesystem.if
- Add file context specification for /cgroup mountpoint to filesystem.fc

Implementing libcgroup policy:
- Libcg automates cgroup management.

How libcg init scripts interact with cgroup:
- The libcgroup init scripts use tools in /usr/bin like cgexec and cgclear.

How users interact with cgroup:
- All login users can list cgroup.
- Common users can read and write cgroup files (access governed by DAC).

policy/modules/kernel/filesystem.fc |    2 +
policy/modules/kernel/filesystem.if |  150 +++++++++++++++++++++++++----------
policy/modules/kernel/filesystem.te |    6 ++
policy/modules/kernel/kernel.te     |    9 --
policy/modules/services/cgroup.fc   |   10 +++
policy/modules/services/cgroup.if   |  149 ++++++++++++++++++++++++++++++++++
policy/modules/services/cgroup.te   |   86 ++++++++++++++++++++
policy/modules/system/init.te       |    7 ++
policy/modules/system/userdomain.if |    4 +
9 files changed, 372 insertions(+), 51 deletions(-)
