From mboxrd@z Thu Jan 1 00:00:00 1970
From: aranea@aixah.de (aranea at aixah.de)
Date: Tue, 12 Feb 2013 22:51:11 +0100
Subject: [refpolicy] RFC: kernel_t exec rights on cgroup_t files
In-Reply-To: <20130212223207.38c2af27@gentp.lnet>
References: <20130212213109.5a3b0e72@gentp.lnet>
 <1360701299.2559.43.camel@d30>
 <20130212214744.5c799dc9@gentp.lnet>
 <1360703574.2559.50.camel@d30>
 <20130212222544.3b9a6498@gentp.lnet>
 <20130212223207.38c2af27@gentp.lnet>
Message-ID: <20130212225111.3ee8e60d@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 12 Feb 2013 22:32:07 +0100 wrote:

> Here's another interesting thing: The file in question
> (/sys/fs/cgroup/openrc/notify_on_release) does not even exist!
> In fact, this directory doesn't include any files (but some
> directories) when booting in enforcing mode.
>
> In permissive mode however, there are some files
> (cgroup.clone_children, cgroup.event_control, cgroup.procs,
> notify_on_release, release_agent, tasks) there.
>
> This could mean that the error messages at 7 secs are only reactions
> to something which happens even earlier, when there's really no
> logging taking place.

Sorry, looks like I had one of these attacks of extreme dumbness you
sometimes have when the uptime is > 10h. Clearly these files don't
exist, as that's exactly what the error messages are complaining about:
It was for some reason not possible to create them.

I'll continue to debug this tomorrow.