From: Dominick Grift <dominick.grift@defensec.nl>
To: selinux@vger.kernel.org
Subject: cgroup2 labeling question
Date: Mon, 20 Mar 2023 08:23:58 +0100
Message-ID: <87mt47ga29.fsf@defensec.nl>


Hi,

I was reading this pull request [1] and looked into how I might be able
to implement this in policy but there seem to be some technical
difficulties.

* I already use genfscon to separate the systemd user.slice because the
  system manager delegates the user.slice to the user manager.

  (genfscon "cgroup2" "/user.slice" cgroupfile_context)

  In the past this proved to be racy, where systemd attempts to
  write before the object has the context associated with the genfscon.
  I decided to dontaudit attempts to write to the mislabeled object and
  it *seems* as if systemd retries until it can write it, i.e. when the
  object carries the expected label, and so that seems to work eventually,
  but it looks fragile.

* The challenge with memory pressure implementation [2] is that these
  "memory.pressure" files end up in random locations under
  "/system.slice" for example:

  /sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure

  Where in the above systemd-journald.service might be
  templated (systemd-journald@FOO.service). Point is that the path is
  random. genfscon does not support regex and glob. I can't do for example:

  (genfscon "cgroup2" "/system.slice/.*/memory.pressure"
  cgroupfile_context)

  Fortunately cgroup2fs supports relabeling but if systemd has to
  manually relabel the cgroup files then I would imagine that this is
  racy as well, and that does not really solve the underlying issue.

  I am looking for ideas and suggestions.

[1] https://github.com/SELinuxProject/refpolicy/pull/607
[2] https://github.com/systemd/systemd/blob/main/docs/MEMORY_PRESSURE.md
-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
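The limitation described in the mail (genfscon is a longest string-prefix match with no glob or regex support, so a "memory.pressure" file under a templated service directory inherits the context of its nearest literal ancestor) can be checked without a running SELinux kernel by modelling the lookup. The following is an added example written for this page; it is not code from the mail, from refpolicy, from systemd, or from the kernel. It models the kernel's genfscon resolution as I understand it (entries tried longest path first, plain string prefix, no component-boundary check), uses a constructed entry table with the `cgroupfile_context` name from the mail, and uses a placeholder `cgroup_t`-style context for the filesystem root.

```python
"""Model of genfscon longest-prefix matching for cgroup2 paths.

Added example, not from the original mail or any SELinux project code.
The entry table and file paths are constructed for illustration.
"""

# Constructed genfscon table for the cgroup2 filesystem. The root entry is a
# placeholder context; cgroupfile_context is the name used in the mail.
GENFSCON_CGROUP2 = [
    ("/", "system_u:object_r:cgroup_t:s0"),
    ("/user.slice", "system_u:object_r:cgroupfile_context:s0"),
]


def genfscon_lookup(entries, path):
    """Return the context of the longest entry whose path prefixes `path`.

    Assumption (modelled, not the kernel's own code): entries are tried in
    descending path-length order and matched as a raw string prefix, so
    '/user.slice' also matches '/user.slice2'. Returns None if no entry
    matches, which cannot happen while a '/' entry is present.
    """
    ordered = sorted(entries, key=lambda e: len(e[0]), reverse=True)
    for prefix, ctx in ordered:
        if path.startswith(prefix):
            return ctx
    return None


def uncovered_paths(entries, paths, wanted_ctx):
    """List the cgroup2 paths that would NOT resolve to `wanted_ctx`.

    This is the defender-side check for the problem in the mail: every
    path returned here would need a post-creation relabel (or a per-path
    literal genfscon entry) to carry the intended label.
    """
    return [p for p in paths if genfscon_lookup(entries, p) != wanted_ctx]


# Constructed sample of memory.pressure files, including a templated unit,
# to show why a literal genfscon entry cannot cover the general case.
MEMORY_PRESSURE_FILES = [
    "/system.slice/systemd-journald.service/memory.pressure",
    "/system.slice/systemd-journald@foo.service/memory.pressure",
    "/user.slice/user-1000.slice/memory.pressure",
]

WANTED = "system_u:object_r:cgroupfile_context:s0"


def with_literal_entry(entries):
    """Entry table extended with one literal memory.pressure path.

    Demonstrates that adding a literal entry fixes exactly one path and
    leaves the templated sibling uncovered.
    """
    return entries + [
        ("/system.slice/systemd-journald.service/memory.pressure", WANTED),
    ]


if __name__ == "__main__":
    for p in MEMORY_PRESSURE_FILES:
        print(p, "->", genfscon_lookup(GENFSCON_CGROUP2, p))
    print("uncovered (base table):",
          uncovered_paths(GENFSCON_CGROUP2, MEMORY_PRESSURE_FILES, WANTED))
    print("uncovered (with literal entry):",
          uncovered_paths(with_literal_entry(GENFSCON_CGROUP2),
                          MEMORY_PRESSURE_FILES, WANTED))
```

Running the script shows the two system.slice files resolving to the root context while the user.slice one gets cgroupfile_context, and that adding a literal entry for the non-templated journald path still leaves the `@foo` instance uncovered. The raw-prefix behaviour in `genfscon_lookup` is also worth keeping in mind when writing real entries: a rule for "/user.slice" would also apply to any sibling whose name merely starts with that string.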

