From: krzysztof.a.nowicki@gmail.com (Krzysztof Nowicki) Date: Fri, 1 Dec 2017 20:41:40 +0100 Subject: [refpolicy] [PATCH] Allow systemd to relabel cgroupfs legacy symlinks In-Reply-To: <20171130233827.75c62be1@vega.skynet.aixah.de> References: <20171130233827.75c62be1@vega.skynet.aixah.de> Message-ID: <20171201194140.11927-1-krzysztof.a.nowicki@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Krzysztof Nowicki The cgroup directory under /sys/fs/cgroup contains a number of pseudo-filesystems for each cgroup as well as two symbolic links for the cpu and cpuacct groups, which were legacy symbolic links to the cpu,cpuacct group. These rules allow systemd to relabel these symbolic links from tmpfs_t to their proper context, or otherwise denials will be printed for nearly all systemd operation involving cgroups. This change only grants systemd the possibility to relabel the files. The actual relabelling needs to be done by systemd. The accompanying change (commit 8739f23) will be released with systemd v236. --- policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index e2e3a041d..1ae99ea50 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -787,6 +787,24 @@ interface(`fs_relabel_cgroup_dirs',` ######################################## ## +## Relabel cgroup symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_cgroup_lnk_files',` + gen_require(` + type cgroup_t; + ') + + relabel_lnk_files_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## ## Get attributes of cgroup files. ## ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 8a91df259..ff760a3e4 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -355,6 +355,7 @@ ifdef(`init_systemd',` fs_manage_hugetlbfs_dirs(init_t) fs_getattr_tmpfs(init_t) fs_read_tmpfs_files(init_t) + fs_relabel_cgroup_lnk_files(init_t) fs_relabel_pstore_dirs(init_t) fs_dontaudit_getattr_xattr_fs(init_t) fs_create_cgroup_links(init_t) -- 2.13.6