policy_module(cgmanager, 1.2.0)

########################################
#
# Declarations
#

type cgmanager_t;
type cgmanager_exec_t;
init_daemon_domain(cgmanager_t, cgmanager_exec_t)

type cgmanager_cgroup_t;
files_type(cgmanager_cgroup_t)

type cgmanager_run_t;
files_pid_file(cgmanager_run_t)

########################################
#
# CGManager local policy
#

allow cgmanager_t self:capability { sys_admin dac_override };
allow cgmanager_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
manage_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
manage_sock_files_pattern(cgmanager_t, cgmanager_cgroup_t, cgmanager_cgroup_t)
fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, dir, "cgmanager")

can_exec(cgmanager_t, cgmanager_exec_t)

manage_dirs_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
manage_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
manage_lnk_files_pattern(cgmanager_t, cgmanager_run_t, cgmanager_run_t)
files_pid_filetrans(cgmanager_t, cgmanager_run_t, { file dir })
allow cgmanager_t cgmanager_run_t:dir mounton;

# for the release agent
kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
kernel_read_system_state(cgmanager_t)

auth_use_nsswitch(cgmanager_t)

corecmd_exec_bin(cgmanager_t)

domain_read_all_domains_state(cgmanager_t)

files_read_etc_files(cgmanager_t)
# cgmanager unmounts everything in its own mount namespace and mounts tmpfs on some things
files_mounton_all_mountpoints(cgmanager_t)
files_unmount_all_file_type_fs(cgmanager_t)

fs_unmount_xattr_fs(cgmanager_t)
fs_manage_cgroup_dirs(cgmanager_t)
fs_manage_cgroup_files(cgmanager_t)
fs_getattr_tmpfs(cgmanager_t)
fs_manage_tmpfs_dirs(cgmanager_t)
fs_manage_tmpfs_files(cgmanager_t)
fs_mount_cgroup(cgmanager_t)
fs_mount_tmpfs(cgmanager_t)
fs_mounton_tmpfs(cgmanager_t)
fs_remount_cgroup(cgmanager_t)
fs_remount_tmpfs(cgmanager_t)
fs_unmount_cgroup(cgmanager_t)
fs_unmount_tmpfs(cgmanager_t)