From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 31 Mar 2016 08:32:59 -0400
Subject: [refpolicy] [PATCH 1/1] SELinux support for cgroup2 filesystem.
In-Reply-To: <1459419990-2755-1-git-send-email-lvrabec@redhat.com>
References: <1459419990-2755-1-git-send-email-lvrabec@redhat.com>
Message-ID: <56FD18FB.8010303@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/31/2016 6:26 AM, Lukas Vrabec wrote:
> With the new "cgroup2" system added in kernel 4.5, systemd is getting
> selinux denials when manipulating the cgroup hierarchy.
>
> Pull request in systemd with cgroup2 support:
> https://github.com/systemd/systemd/pull/2903
>
> AVC when writing process numbers to move them to the right cgroup:
> Mar 29 19:58:30 rawhide kernel: audit: type=1400
> audit(1459295910.257:68): avc: denied { write } for pid=1
> comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
>
> In this case the new filesystem "cgroup2" needs to be labeled as cgroup_t.

Merged.

> Signed-off-by: Lukas Vrabec
> ---
> policy/modules/kernel/filesystem.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 14afaa8..1b28e23 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -77,6 +77,7 @@ fs_type(cgroup_t)
> files_mountpoint(cgroup_t)
> dev_associate_sysfs(cgroup_t)
> genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
> +genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
>
> type configfs_t;
> fs_type(configfs_t)
>

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
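Review bot: a short comment beside the added `genfscon cgroup2` line would help, because a second genfscon for the same type right under `genfscon cgroup` reads like an accidental duplicate at a glance; a `# kernel 4.5 unified hierarchy` note, or a mention in the cgroup_t description, makes the intent obvious. Reusing cgroup_t instead of introducing a new type is the right call: the context lines show fs_type, files_mountpoint and dev_associate_sysfs already applied to cgroup_t, so the unified hierarchy inherits them with no further interface changes. The quoted AVC was recorded with permissive=1, so the fix should be confirmed on an enforcing system where `cgroup.procs` on a cgroup2 mount is now cgroup_t rather than unlabeled_t.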
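The denial in the quoted description is the general symptom of a filesystem type with no genfscon or fs_use rule: every file on it falls back to unlabeled_t. As an added example that is not part of this thread or of refpolicy, the following Python parses AVC audit lines and groups unlabeled_t denials by the `dev` field, so a missing filesystem rule surfaces as a distinct entry; the first sample line is the AVC from the description, the other two are constructed.

```python
import re
from collections import defaultdict

# Constructed sample audit lines: the first is the cgroup2 denial from the
# patch description, the second is a constructed cgroup2 read denial, and
# the third is a constructed denial on an already labeled type (sysfs_t).
SAMPLE_AUDIT = """\
Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc: denied { write } for pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Mar 29 19:58:31 rawhide kernel: audit: type=1400 audit(1459295911.001:69): avc: denied { read } for pid=1 comm="systemd" name="cgroup.controllers" dev="cgroup2" ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Mar 29 19:58:32 rawhide kernel: audit: type=1400 audit(1459295912.123:70): avc: denied { getattr } for pid=1 comm="systemd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with the permission list and key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of a context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def unlabeled_by_fs(audit_text):
    """Group denials whose target is unlabeled_t by the dev (filesystem) field.

    Each key is a filesystem whose objects carry no type, i.e. a likely
    missing genfscon/fs_use rule; the values list (comm, name, perms).
    """
    hits = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "tcontext" not in rec:
            continue
        if context_type(rec["tcontext"]) == "unlabeled_t":
            hits[rec.get("dev", "?")].append(
                (rec.get("comm"), rec.get("name"), tuple(rec["perms"])))
    return dict(hits)
```

Running `unlabeled_by_fs(SAMPLE_AUDIT)` reports only `cgroup2`, since the sysfs denial already has a proper type and is a separate policy question.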