Allow systemd to relabel cgroupfs legacy symlinks
The cgroup directory under /sys/fs/cgroup contains a number of pseudo-filesystems for each cgroup as well as two symbolic links for the cpu and cpuacct groups, which were legacy symbolic links to the cpu,cpuacct group. These rules allow systemd to relabel these symbolic links from tmpfs_t to their proper context, or otherwise denials will be printed for nearly all systemd operation involving cgroups. This change only grants systemd the possibility to relabel the files. The actual relabelling needs to be done by systemd. The accompanying change (commit 8739f23) will be released with systemd v236.
This commit is contained in:
parent
0553569445
commit
9b8c2d5393
|
@ -785,6 +785,24 @@ interface(`fs_relabel_cgroup_dirs',`
|
||||||
relabel_dirs_pattern($1, cgroup_t, cgroup_t)
|
relabel_dirs_pattern($1, cgroup_t, cgroup_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel cgroup symbolic links.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`fs_relabel_cgroup_lnk_files',`
|
||||||
|
gen_require(`
|
||||||
|
type cgroup_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get attributes of cgroup files.
|
## Get attributes of cgroup files.
|
||||||
|
|
|
@ -355,6 +355,7 @@ ifdef(`init_systemd',`
|
||||||
fs_manage_hugetlbfs_dirs(init_t)
|
fs_manage_hugetlbfs_dirs(init_t)
|
||||||
fs_getattr_tmpfs(init_t)
|
fs_getattr_tmpfs(init_t)
|
||||||
fs_read_tmpfs_files(init_t)
|
fs_read_tmpfs_files(init_t)
|
||||||
|
fs_relabel_cgroup_lnk_files(init_t)
|
||||||
fs_relabel_pstore_dirs(init_t)
|
fs_relabel_pstore_dirs(init_t)
|
||||||
fs_dontaudit_getattr_xattr_fs(init_t)
|
fs_dontaudit_getattr_xattr_fs(init_t)
|
||||||
fs_create_cgroup_links(init_t)
|
fs_create_cgroup_links(init_t)
|
||||||
|
|
Loading…
Reference in New Issue