From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 21 Apr 2014 09:41:36 -0400
Subject: [refpolicy] [PATCH] filesystem: label cgroup symlinks
In-Reply-To: <1397510311-6159-1-git-send-email-nicolas.iooss@m4x.org>
References: <1397510311-6159-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53552010.90204@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/14/2014 05:18 PM, Nicolas Iooss wrote:
> /sys/fs/cgroup is a tmpfs which contains cgroup mounts and symlinks such as
> cpu and cpuacct. Running restorecon makes this warning happen:
>
> restorecon: Warning no default label for /sys/fs/cgroup/cpu
>
> Declare a file context for every symlink in the cgroup tmpfs mountpoint to
> no longer have such warning.
> --- > policy/modules/kernel/filesystem.fc | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc > index d7c11a0..f5cfe84 100644 > --- a/policy/modules/kernel/filesystem.fc > +++ b/policy/modules/kernel/filesystem.fc > @@ -13,6 +13,7 @@ > > /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) > /sys/fs/cgroup/.* <> > +/sys/fs/cgroup/[^/]+ -l gen_context(system_u:object_r:cgroup_t,s0) > > /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0) > /sys/fs/pstore/.* <>

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
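
Review bot: The added `/sys/fs/cgroup/[^/]+ -l` entry overlaps the `/sys/fs/cgroup/.*` entry on the line directly above it, since both patterns match a path such as /sys/fs/cgroup/cpu, and neither the hunk nor the commit message says why the symlink entry is expected to apply to that path rather than the `.*` one. A one-line comment above the new entry would document the intent, for example that the top-level symlinks such as cpu and cpuacct sit on the tmpfs itself and therefore take cgroup_t. The commit message could also state that restorecon was re-run and no longer warns for those symlinks. It is also worth saying explicitly that `[^/]+` restricts the match to direct children of /sys/fs/cgroup, so symlinks at any deeper level are still covered only by the `.*` line.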