Allow systemd to relabel cgroupfs legacy symlinks

The cgroup directory under /sys/fs/cgroup contains a number of
pseudo-filesystems for each cgroup as well as two symbolic links for the
cpu and cpuacct groups, which were legacy symbolic links to the
cpu,cpuacct group.

These rules allow systemd to relabel these symbolic links from tmpfs_t
to their proper context, or otherwise denials will be printed for nearly
all systemd operation involving cgroups.

This change only grants systemd the possibility to relabel the
files. The actual relabelling needs to be done by systemd. The
accompanying change (commit 8739f23) will be released with systemd v236.
This commit is contained in:
Krzysztof Nowicki 2017-12-01 20:41:40 +01:00 committed by Chris PeBenito
parent 0553569445
commit 9b8c2d5393
2 changed files with 19 additions and 0 deletions

View File

@ -785,6 +785,24 @@ interface(`fs_relabel_cgroup_dirs',`
relabel_dirs_pattern($1, cgroup_t, cgroup_t) relabel_dirs_pattern($1, cgroup_t, cgroup_t)
') ')
########################################
## <summary>
## Relabel cgroup symbolic links.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_relabel_cgroup_lnk_files',`
gen_require(`
type cgroup_t;
')
relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
')
######################################## ########################################
## <summary> ## <summary>
## Get attributes of cgroup files. ## Get attributes of cgroup files.

View File

@ -355,6 +355,7 @@ ifdef(`init_systemd',`
fs_manage_hugetlbfs_dirs(init_t) fs_manage_hugetlbfs_dirs(init_t)
fs_getattr_tmpfs(init_t) fs_getattr_tmpfs(init_t)
fs_read_tmpfs_files(init_t) fs_read_tmpfs_files(init_t)
fs_relabel_cgroup_lnk_files(init_t)
fs_relabel_pstore_dirs(init_t) fs_relabel_pstore_dirs(init_t)
fs_dontaudit_getattr_xattr_fs(init_t) fs_dontaudit_getattr_xattr_fs(init_t)
fs_create_cgroup_links(init_t) fs_create_cgroup_links(init_t)