From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 3 Dec 2017 16:30:36 -0500
Subject: [refpolicy] [PATCH] Allow systemd to relabel cgroupfs legacy
 symlinks
In-Reply-To: <20171201194140.11927-1-krzysztof.a.nowicki@gmail.com>
References: <20171130233827.75c62be1@vega.skynet.aixah.de>
	<20171201194140.11927-1-krzysztof.a.nowicki@gmail.com>
Message-ID: <af22e78d-768f-4f5a-ac5a-3733769f8407@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/01/2017 02:41 PM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki <krissn@op.pl>
> 
> The cgroup directory under /sys/fs/cgroup contains a number of
> pseudo-filesystems for each cgroup as well as two symbolic links for the
> cpu and cpuacct groups, which were legacy symbolic links to the
> cpu,cpuacct group.
> 
> These rules allow systemd to relabel these symbolic links from tmpfs_t
> to their proper context, or otherwise denials will be printed for nearly
> all systemd operation involving cgroups.
> 
> This change only grants systemd the possibility to relabel the
> files. The actual relabelling needs to be done by systemd. The
> accompanying change (commit 8739f23) will be released with systemd v236.
> ---
>   policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
>   policy/modules/system/init.te       |  1 +
>   2 files changed, 19 insertions(+)
> 
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index e2e3a041d..1ae99ea50 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -787,6 +787,24 @@ interface(`fs_relabel_cgroup_dirs',`
>   
>   ########################################
>   ## <summary>
> +##	Relabel cgroup symbolic links.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_relabel_cgroup_lnk_files',`
> +	gen_require(`
> +		type cgroup_t;
> +	')
> +
> +	relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
> +')
> +
> +########################################
> +## <summary>
>   ##     Get attributes of cgroup files.
>   ## </summary>
>   ## <param name="domain">
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 8a91df259..ff760a3e4 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -355,6 +355,7 @@ ifdef(`init_systemd',`
>   	fs_manage_hugetlbfs_dirs(init_t)
>   	fs_getattr_tmpfs(init_t)
>   	fs_read_tmpfs_files(init_t)
> +	fs_relabel_cgroup_lnk_files(init_t)
>   	fs_relabel_pstore_dirs(init_t)
>   	fs_dontaudit_getattr_xattr_fs(init_t)
>   	fs_create_cgroup_links(init_t)

Merged, though I renamed the interface.

-- 
Chris PeBenito