From: lvrabec@redhat.com (Lukas Vrabec)
Date: Thu, 31 Mar 2016 12:26:30 +0200
Subject: [refpolicy] [PATCH 1/1] SELinux support for cgroup2 filesystem.
Message-ID: <1459419990-2755-1-git-send-email-lvrabec@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.

Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903

AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc:  denied  { write } for  pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

In this case new filesystem "cgroup2" need to be labeled as cgroup_t.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
---
 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 14afaa8..1b28e23 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -77,6 +77,7 @@ fs_type(cgroup_t)
 files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
-- 
2.5.5