From mboxrd@z Thu Jan 1 00:00:00 1970 From: Antonio Murdaca Subject: [PATCH] security: selinux: allow per-file labeling for cgroupfs Date: Thu, 9 Feb 2017 16:58:23 +0100 Message-ID: <20170209155823.22148-1-runcom@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: List-Id: List-Post: List-Help: Errors-To: selinux-bounces-+05T5uksL2qpZYMLLGbcSA@public.gmane.org Sender: "Selinux" To: selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org This patch allows genfscon per-file labeling for cgroupfs. For instance, this allows to label the "release_agent" file within each cgroup mount and limit writes to it. Signed-off-by: Antonio Murdaca --- security/selinux/hooks.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9a8f12f..5a3138e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "cgroup") || + !strcmp(sb->s_type->name, "cgroup2") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS; -- 2.9.3 _______________________________________________ Selinux mailing list Selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org To unsubscribe, send email to Selinux-leave-+05T5uksL2pAGbPMOrvdOA@public.gmane.org To get help, send an email containing "help" to Selinux-request-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
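Review bot: The changelog does not say what happens on systems whose loaded policy has no per-file genfscon entries for cgroup, while the two added tests in selinux_set_mnt_opts(), `!strcmp(sb->s_type->name, "cgroup")` and `!strcmp(sb->s_type->name, "cgroup2")`, set SE_SBGENFS unconditionally for every such mount. Please state in the commit message whether existing policies keep their current labels after this change, and name cgroup2 explicitly, since the description only says "cgroupfs" and gives a single example (release_agent). A short comment above the condition explaining why these filesystem types take genfscon per-file labeling would also help whoever extends this strcmp list next.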