From: aranea@aixah.de (aranea at aixah.de)
Date: Tue, 12 Feb 2013 21:47:44 +0100
Subject: [refpolicy] RFC: kernel_t exec rights on cgroup_t files
In-Reply-To: <1360701299.2559.43.camel@d30>
References: <20130212213109.5a3b0e72@gentp.lnet> <1360701299.2559.43.camel@d30>
Message-ID: <20130212214744.5c799dc9@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 12 Feb 2013 21:34:59 +0100
Dominick Grift wrote:

> On Tue, 2013-02-12 at 21:31 +0100, aranea at aixah.de wrote:
> > Hi, I made a mistake while debugging.
> >
> >
> > allow kernel_t cgroup_t:file exec_file_perms;
> > allow kernel_t cgroup_t:dir list_dir_perms;
> >
> > (which I originally tried) doesn't solve the problem, and neither
> > does the proposed
> >
>
> So what does solve the problem and what AVC denials are you seeing?
> (can you enclose the AVC denials?)
>

I haven't solved the problem until now. The errors which the OP mentioned
appear in an early boot phase, most probably while executing this script:

    local agent="/lib64/rc/sh/cgroup-release-agent.sh"
    mkdir /sys/fs/cgroup/openrc
    mount -n -t cgroup \
        -o none,nodev,noexec,nosuid,name=openrc,release_agent="$agent" \
        openrc /sys/fs/cgroup/openrc
    echo 1 > /sys/fs/cgroup/openrc/notify_on_release

The problem is that there are no denial messages, even if I disable the
dontaudit rules. But I'm absolutely sure SELinux is causing the problem, as
everything works in permissive mode.

Regards,
Luis Ressel
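As an added example (not code from this thread, from refpolicy or from OpenRC), a small POSIX shell helper that turns AVC denial lines into draft allow rules of the kernel_t / cgroup_t form quoted above, so that any denial which does surface after disabling dontaudit can be mapped back to the rule it would need. The AVC lines are constructed samples (the original report saw none), the standard audit.log AVC format is assumed, and the helper is a simplified stand-in for audit2allow, not a replacement for it.

```shell
#!/bin/sh
# Added example: derive draft refpolicy-style allow rules from AVC denials.
# Not part of the thread or of refpolicy; assumes the usual audit AVC format.

# Reads AVC lines on stdin, prints "allow <src> <tgt>:<class> { perms };"
# for every "avc: denied" line; non-AVC lines are ignored.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # permission set is the text between the braces
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            # third colon-separated part of a context is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        gsub(/^ +| +$/, "", perms)
        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# CONSTRUCTED sample denials (kernel_t acting on cgroup_t objects), not
# messages from the original report.
SAMPLE_AVC='type=AVC msg=audit(1360701299.123:45): avc:  denied  { execute } for  pid=1 comm="init" name="cgroup-release-agent.sh" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
type=AVC msg=audit(1360701299.124:46): avc:  denied  { read search } for  pid=1 comm="init" name="openrc" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir'

# Runs the helper over the constructed sample and prints the draft rules.
demo_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

demo_rules
```

Feed real denials with `ausearch -m avc | avc_to_allow` once dontaudit rules are disabled (`semodule -DB`); review each generated rule before adding it to policy, as audit2allow output is reviewed.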