From: lvrabec@redhat.com (Lukas Vrabec)
Date: Thu, 31 Mar 2016 12:26:30 +0200
Subject: [refpolicy] [PATCH 1/1] SELinux support for cgroup2 filesystem.
Message-ID: <1459419990-2755-1-git-send-email-lvrabec@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With the new "cgroup2" system added in kernel 4.5, systemd is getting SELinux denials when manipulating the cgroup hierarchy.

Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903

AVC when writing process numbers to move them to the right cgroup:

Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc: denied { write } for pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

In this case the new filesystem "cgroup2" needs to be labeled as cgroup_t.

Signed-off-by: Lukas Vrabec
---
 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 14afaa8..1b28e23 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -77,6 +77,7 @@ fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) +genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) type configfs_t; fs_type(configfs_t) -- 2.5.5
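Review bot: Because the added `genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)` reuses cgroup_t instead of declaring a new type, the declarations visible in the hunk context (`fs_type(cgroup_t)`, `files_mountpoint(cgroup_t)`, `dev_associate_sysfs(cgroup_t)`) and every existing interface that grants init_t access to cgroup_t apply to the cgroup2 mount with no further allow rules; the commit message should say so explicitly, and should state that the quoted denial on cgroup.procs (tcontext unlabeled_t, dev="cgroup2") is expected to become an allowed write once the mount is labeled, so that a tester knows what to confirm in permissive mode after applying the patch. Placing the line directly under the existing `genfscon cgroup /` entry rather than under its own comment is fine, since the two hierarchies share one type.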
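To see how the symptom in the description can be spotted in an audit log before (or after) the policy change, here is an added example, not part of the patch or of refpolicy: it parses AVC records in the format quoted above and reports denials whose target sits on a cgroup2 mount but still carries unlabeled_t. The log text is constructed (the first line is the record from the description, the second is made up to show a non-match).

```python
import re
from typing import Dict, List

# Constructed sample: the AVC record quoted in the patch description, plus a
# made-up cgroup v1 record whose target is already labeled cgroup_t.
SAMPLE_LOG = """\
Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc: denied { write } for pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Mar 29 19:58:31 rawhide kernel: audit: type=1400 audit(1459295911.100:69): avc: denied { read } for pid=1 comm="systemd" name="tasks" dev="cgroup" ino=7 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm ... } for key=value ..." as printed by the kernel.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, object]:
    """Return the fields of one AVC record, or {} if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    fields: Dict[str, object] = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx: str) -> str:
    """Type component (user:role:type:level) of an SELinux context string."""
    return ctx.split(':')[2]


def unlabeled_cgroup2_denials(log: str) -> List[Dict[str, object]]:
    """Denials on a cgroup2 mount whose target is still unlabeled_t, i.e. the
    situation the genfscon cgroup2 rule in the patch is meant to remove."""
    hits = []
    for line in log.splitlines():
        f = parse_avc(line)
        if (f.get('result') == 'denied' and f.get('dev') == 'cgroup2'
                and context_type(str(f['tcontext'])) == 'unlabeled_t'):
            hits.append(f)
    return hits


if __name__ == '__main__':
    for hit in unlabeled_cgroup2_denials(SAMPLE_LOG):
        print(f"{hit['comm']} (pid {hit['pid']}) denied {hit['perms']} on "
              f"{hit['name']} at dev={hit['dev']}: target is unlabeled_t")
```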