nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SELinux support for cgroup2 filesystem.

Browse Source 
With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.

Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903

AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc:  denied  { write } for  pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

In this case new filesystem "cgroup2" need to be labeled as cgroup_t.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
This commit is contained in:
Lukas Vrabec 2016-03-31 12:26:30 +02:00 committed by Chris PeBenito
parent 3c9fa86f15
commit 78d42e648b
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/kernel/filesystem.te
View File

@ -77,6 +77,7 @@ fs_type(cgroup_t)
files_mountpoint(cgroup_t)
dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
type configfs_t;
fs_type(configfs_t)