* [refpolicy] [PATCH 1/1] SELinux support for cgroup2 filesystem.
@ 2016-03-31 10:26 Lukas Vrabec
  2016-03-31 12:32 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Lukas Vrabec @ 2016-03-31 10:26 UTC (permalink / raw)
  To: refpolicy

With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.

Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903

AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc:  denied  { write } for  pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

In this case the new filesystem "cgroup2" needs to be labeled as cgroup_t.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
---
 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 14afaa8..1b28e23 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -77,6 +77,7 @@ fs_type(cgroup_t)
 files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
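Review bot: the added genfscon line labels the whole cgroup2 mount with the existing cgroup_t rather than a new type, so the fix relies on the declarations just above it (fs_type, files_mountpoint, dev_associate_sysfs) and on the rules already written against cgroup_t covering init_t's write to cgroup.procs that the quoted AVC denied; the commit message would be clearer if it stated that sharing the v1 type is intentional, since a reader of filesystem.te might otherwise expect a separate type for the new filesystem.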
-- 
2.5.5
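The denial above is the signature of a filesystem the loaded policy does not label at all: the target is unlabeled_t and the record carries the filesystem name in dev=. The script below is an added example, not code from the patch, refpolicy or systemd; it parses AVC records, reports each filesystem device seen with an unlabeled_t target together with the denied accesses, and prints the genfscon statement in filesystem.te style that would label it. The first sample line is the AVC quoted in the patch; the second line, the function names and the cgroup_t choice for the suggestion are constructed for the example.

```python
import re

# Sample audit lines: the first is the AVC from the patch description, the second
# is constructed (target already labelled cgroup_t) and must not be reported.
SAMPLE_AUDIT = [
    'Mar 29 19:58:30 rawhide kernel: audit: type=1400 '
    'audit(1459295910.257:68): avc:  denied  { write } for  pid=1 '
    'comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1',
    'Mar 29 19:58:31 rawhide kernel: audit: type=1400 '
    'audit(1459295911.000:69): avc:  denied  { read } for  pid=1 '
    'comm="systemd" name="memory.max" dev="cgroup2" ino=9 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')    # the { write } permission set

def parse_avc(line):
    """Return {field: value} for one AVC record, or None for a non-AVC line."""
    if 'avc:' not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    fields['perms'] = perms.group(1).split() if perms else []
    fields['denied'] = 'denied' in line
    return fields

def type_of(context):
    """system_u:object_r:unlabeled_t:s0 -> unlabeled_t"""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def unlabeled_filesystems(lines):
    """Map each dev= seen with an unlabeled_t target to the set of
    (source domain, object class, permission) tuples denied on it."""
    hits = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or not rec['denied'] or 'dev' not in rec:
            continue
        if type_of(rec.get('tcontext', '')) != 'unlabeled_t':
            continue
        domain = type_of(rec.get('scontext', ''))
        hits.setdefault(rec['dev'], set()).update(
            (domain, rec.get('tclass', '?'), p) for p in rec['perms'])
    return hits

def suggest_genfscon(fs_name, label_type):
    """genfscon statement, in refpolicy filesystem.te style, labelling fs_name."""
    return f'genfscon {fs_name} / gen_context(system_u:object_r:{label_type},s0)'

if __name__ == '__main__':
    for fs, accesses in unlabeled_filesystems(SAMPLE_AUDIT).items():
        print(f'{fs}: unlabeled target, denied {sorted(accesses)}')
        print('  candidate fix:', suggest_genfscon(fs, 'cgroup_t'))
```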


* [refpolicy] [PATCH 1/1] SELinux support for cgroup2 filesystem.
  2016-03-31 10:26 [refpolicy] [PATCH 1/1] SELinux support for cgroup2 filesystem Lukas Vrabec
@ 2016-03-31 12:32 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2016-03-31 12:32 UTC (permalink / raw)
  To: refpolicy

On 3/31/2016 6:26 AM, Lukas Vrabec wrote:
> With the new "cgroup2" system added in kernel 4.5, systemd is getting
> selinux denials when manipulating the cgroup hierarchy.
> 
> Pull request in systemd with cgroup2 support:
> https://github.com/systemd/systemd/pull/2903
> 
> AVC when writing process numbers to move them to the right cgroup:
> Mar 29 19:58:30 rawhide kernel: audit: type=1400
> audit(1459295910.257:68): avc:  denied  { write } for  pid=1
> comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
> 
> In this case the new filesystem "cgroup2" needs to be labeled as cgroup_t.

Merged.



> Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
> ---
>  policy/modules/kernel/filesystem.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 14afaa8..1b28e23 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -77,6 +77,7 @@ fs_type(cgroup_t)
>  files_mountpoint(cgroup_t)
>  dev_associate_sysfs(cgroup_t)
>  genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
> +genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
>  
>  type configfs_t;
>  fs_type(configfs_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

