From: aranea@aixah.de (aranea at aixah.de)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] RFC: kernel_t exec rights on cgroup_t files
Date: Tue, 12 Feb 2013 21:47:44 +0100
Message-ID: <20130212214744.5c799dc9@gentp.lnet>
In-Reply-To: <1360701299.2559.43.camel@d30>

On Tue, 12 Feb 2013 21:34:59 +0100
Dominick Grift <dominick.grift@gmail.com> wrote:

> On Tue, 2013-02-12 at 21:31 +0100, aranea at aixah.de wrote:
> > Hi, I made a mistake while debugging.
> > 
> > 
> > allow kernel_t cgroup_t:file exec_file_perms;
> > allow kernel_t cgroup_t:dir list_dir_perms;
> > 
> > (which I originally tried) doesn't solve the problem, and neither
> > does the proposed
> > 
> 
> So what does solve the problem and what AVC denials are you seeing?
> (can you enclose the AVC denials?)
> 
I haven't solved the problem so far. The errors which the OP
mentioned appear in an early boot phase, most probably while executing
this script:

        local agent="/lib64/rc/sh/cgroup-release-agent.sh"
        mkdir /sys/fs/cgroup/openrc
        mount -n -t cgroup \
                -o none,nodev,noexec,nosuid,name=openrc,release_agent="$agent" \
                openrc /sys/fs/cgroup/openrc
        echo 1 > /sys/fs/cgroup/openrc/notify_on_release


The problem is that there are no denial messages, even if I disable the dontaudit rules.
But I'm absolutely sure SELinux is causing the problem, as everything works in permissive mode.


Regards, Luis Ressel
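Since the thread turns on which AVC denials are (or are not) being logged, here is an added example, not code from the thread or from refpolicy, that does the first thing one would do with a captured audit log: parse the AVC records, fold them into (source type, target type, class) groups and print the candidate allow rules in refpolicy syntax, the way audit2allow would. The log lines are constructed for the example (the kernel_t/cgroup_t contexts mirror the rules discussed above; pids, inodes and timestamps are made up); the regular expression assumes the standard "avc: denied { perms } for ... scontext= tcontext= tclass=" record layout and the trailing permissive= field that newer kernels emit.

```python
"""Fold SELinux AVC denial records into candidate allow rules (added example)."""
import re
from collections import defaultdict

# Standard AVC record layout: result, permission set, then the three context fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
PERMISSIVE_RE = re.compile(r"permissive=(?P<flag>[01])")

# Constructed sample audit log: two file denials and one dir denial for kernel_t on
# cgroup_t, one granted record and one non-AVC record that must both be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1360700000.123:42): avc:  denied  { execute } for  pid=1 comm="kernel" name="cgroup-release-agent.sh" dev="sda1" ino=1234 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1360700000.123:43): avc:  denied  { read open } for  pid=1 comm="kernel" name="cgroup-release-agent.sh" dev="sda1" ino=1234 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1360700000.124:44): avc:  denied  { search } for  pid=1 comm="kernel" name="openrc" dev="cgroup" ino=2 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1360700000.125:45): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1360700000.125:45): arch=c000003e syscall=1 success=yes exit=1 pid=900 comm="setenforce"
"""


def _type_of(context):
    """Return the type component of user:role:type[:range]; index 2 survives MLS ranges."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a record dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    p = PERMISSIVE_RE.search(line)
    return {
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "source": _type_of(m.group("scontext")),
        "target": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # None when the kernel did not emit the field (older kernels).
        "permissive": None if p is None else p.group("flag") == "1",
    }


def summarize_denials(lines):
    """Union the denied permissions per (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        summary[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def to_allow_rules(summary):
    """Render each group as a refpolicy-style allow rule, sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(summarize_denials(SAMPLE_LOG.splitlines())):
        print(rule)
```

Two points worth keeping in mind when reading the output: the rules are what the log justifies, not necessarily what policy should grant (refpolicy would express them through interfaces and permission sets such as exec_file_perms rather than raw permissions), and the permissive= flag records whether each denial was actually enforced, which is why collecting the log from a permissive-mode boot, with semodule -DB to expose dontaudited accesses, is the usual way to see accesses that leave no trace in enforcing mode.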