2016-03-31 10:26:30

by Lukas Vrabec

Subject: [refpolicy] [PATCH 1/1] SELinux support for cgroup2 filesystem.

With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.

Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903

AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc: denied { write } for pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

In this case the new filesystem "cgroup2" needs to be labeled as cgroup_t.

Signed-off-by: Lukas Vrabec <[email protected]>
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 14afaa8..1b28e23 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -77,6 +77,7 @@ fs_type(cgroup_t)
files_mountpoint(cgroup_t)
dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)

type configfs_t;
fs_type(configfs_t)
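Review bot: reusing cgroup_t for the cgroup2 filesystem (the added `+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)` line) means every file in that filesystem gets cgroup_t, because a genfscon on the root path labels the whole filesystem; every existing rule granting access to cgroup_t for the v1 hierarchy therefore now grants the same access to the v2 hierarchy, and the two can no longer be distinguished by policy. That is what the commit message asks for, but it is worth stating explicitly in the description. The filesystem name is keyed correctly: it matches the dev="cgroup2" in the quoted AVC, which is the name the kernel registers the filesystem type under, and it follows the form of the cgroup line directly above it.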
--
2.5.5
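The AVC quoted above shows the symptom of a filesystem with no genfscon entry: its files fall back to unlabeled_t. The following added example (not part of the patch or refpolicy) parses AVC records from kernel audit lines and groups denials against unlabeled_t targets by device, which is how a policy maintainer would spot a newly added filesystem type that still needs a genfscon line. The first sample line is the denial from the patch description; the second is a constructed unrelated denial for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample audit log. Line 1 is the denial quoted in the patch
# description; line 2 is a made-up denial with a properly labeled target.
SAMPLE_AUDIT = """\
Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc: denied { write } for pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Mar 29 19:58:31 rawhide kernel: audit: type=1400 audit(1459295911.001:69): avc: denied { read } for pid=1234 comm="httpd" name="index.html" dev="sda1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Avc:
    result: str      # "denied" or "granted"
    perms: list      # permissions inside the braces, e.g. ["write"]
    fields: dict     # pid, comm, name, dev, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Parse one audit line; return an Avc or None if it carries no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group('rest')):
        key, quoted, bare = kv.groups()
        fields[key] = quoted if quoted is not None else bare
    return Avc(m.group('result'), m.group('perms').split(), fields)


def context_type(ctx):
    """user:role:type:range -> type, e.g. system_u:object_r:unlabeled_t:s0 -> unlabeled_t."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def unlabeled_filesystems(lines):
    """Map dev -> {(source type, perms)} for denials whose target is unlabeled_t.

    A device that shows up here with a filesystem-type name (like "cgroup2")
    is a strong hint that the policy lacks a genfscon/fs_use entry for it."""
    hits = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.result != 'denied':
            continue
        if context_type(avc.fields.get('tcontext', '')) != 'unlabeled_t':
            continue
        dev = avc.fields.get('dev', '?')
        hits.setdefault(dev, set()).add((context_type(avc.fields['scontext']), tuple(avc.perms)))
    return hits
```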


2016-03-31 12:32:59

by cpebenito

Subject: [refpolicy] [PATCH 1/1] SELinux support for cgroup2 filesystem.

On 3/31/2016 6:26 AM, Lukas Vrabec wrote:
> With the new "cgroup2" system added in kernel 4.5, systemd is getting
> selinux denials when manipulating the cgroup hierarchy.
>
> Pull request in systemd with cgroup2 support:
> https://github.com/systemd/systemd/pull/2903
>
> AVC when writing process numbers to move them to the right cgroup:
> Mar 29 19:58:30 rawhide kernel: audit: type=1400
> audit(1459295910.257:68): avc: denied { write } for pid=1
> comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
>
> In this case the new filesystem "cgroup2" needs to be labeled as cgroup_t.

Merged.



> Signed-off-by: Lukas Vrabec <[email protected]>
> ---
> policy/modules/kernel/filesystem.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 14afaa8..1b28e23 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -77,6 +77,7 @@ fs_type(cgroup_t)
> files_mountpoint(cgroup_t)
> dev_associate_sysfs(cgroup_t)
> genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
> +genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
>
> type configfs_t;
> fs_type(configfs_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com