Message-ID: <1489177036.6824.57.camel@tycho.nsa.gov>
Subject: Re: [PATCH] security: selinux: allow per-file labeling for cgroupfs
From: Stephen Smalley
To: Paul Moore, Antonio Murdaca
Cc: cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, vgoyal@redhat.com
Date: Fri, 10 Mar 2017 15:17:16 -0500
In-Reply-To:
References: <20170209155823.22148-1-runcom@redhat.com>
Organization: National Security Agency
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote:
> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca wrote:
> >
> > This patch allows genfscon per-file labeling for cgroupfs. For
> > instance, this allows one to label the "release_agent" file within each
> > cgroup mount and limit writes to it.
> >
> > Signed-off-by: Antonio Murdaca
> > ---
> >  security/selinux/hooks.c | 2 ++
> >  1 file changed, 2 insertions(+)
>
> Now that the merge window is behind us, let's get this merged, but
> could you update it to use the selinux_policycap_cgroupseclabel policy
> capability?  See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
> support with its own policy capability") for more information.

I don't think that is necessary.  This change, unlike the other one, should
not yield any difference in behavior with existing policy; it just allows
one to specify fine-grained labeling for cgroup nodes in future policy.  It
doesn't affect any userspace interface.

> Also, how goes the testing?
>
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 9a8f12f..5a3138e 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct
> > super_block *sb,
> >
> >         if (!strcmp(sb->s_type->name, "debugfs") ||
> >             !strcmp(sb->s_type->name, "sysfs") ||
> > +           !strcmp(sb->s_type->name, "cgroup") ||
> > +           !strcmp(sb->s_type->name, "cgroup2") ||
> >             !strcmp(sb->s_type->name, "pstore"))
> >                 sbsec->flags |= SE_SBGENFS;
> >
> > --
> > 2.9.3
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
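Review bot: the changelog describes cgroupfs and the "release_agent" file, but the hunk also adds `!strcmp(sb->s_type->name, "cgroup2")` to the SE_SBGENFS list, so cgroup2 mounts get genfscon path-based labeling as well; the commit message should say so explicitly, and say whether that is intended, so policy writers know both filesystem names are affected. It would also help to state in the changelog the point made in the reply above: absent a matching per-path genfscon rule, labeling of cgroup nodes is unchanged with existing policy.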
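To show what the per-file labeling this patch enables looks like from the policy side, here is an added example in the kernel policy language; it is not from the patch or from either author, and the type names cgroup_release_agent_t and container_t are assumed placeholders, as is the set of permissions granted.

```selinux
# Constructed example policy fragment, not part of the thread.
# Without SE_SBGENFS on the cgroup superblock, every inode in a cgroup
# mount inherits the superblock label from the "/" rule. With the patch,
# the genfscon rule with the longest matching path is used per inode.

# Default label for everything under a cgroup v1 or v2 mount.
genfscon cgroup  / system_u:object_r:cgroup_t:s0
genfscon cgroup2 / system_u:object_r:cgroup_t:s0

# Per-file override: release_agent in a cgroup v1 mount gets its own type
# (cgroup_release_agent_t is an assumed name), so writes to it can be
# controlled separately from the rest of the hierarchy.
genfscon cgroup /release_agent system_u:object_r:cgroup_release_agent_t:s0

# A confined domain (container_t, assumed) may read and write ordinary
# cgroup nodes but only read release_agent; a write attempt is denied
# and shows up as an AVC denial in the audit log.
allow container_t cgroup_t:file { read write open getattr };
allow container_t cgroup_release_agent_t:file { read open getattr };
```

Until policy carries a rule like the third one, the two "/" rules alone reproduce the pre-patch labeling, which is why the change is behavior-neutral for existing policy.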