From: Krzysztof Nowicki <[email protected]>
The cgroup directory under /sys/fs/cgroup contains a number of
pseudo-filesystems for each cgroup as well as two symbolic links for the
cpu and cpuacct groups, which were legacy symbolic links to the
cpu,cpuacct group.
These rules allow systemd to relabel these symbolic links from tmpfs_t
to their proper context, or otherwise denials will be printed for nearly
all systemd operation involving cgroups.
This change only grants systemd the possibility to relabel the
files. The actual relabelling needs to be done by systemd. The
accompanying change (commit 8739f23) will be released with systemd v236.
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index e2e3a041d..1ae99ea50 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -787,6 +787,24 @@ interface(`fs_relabel_cgroup_dirs',`
########################################
## <summary>
+## Relabel cgroup symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_lnk_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
## Get attributes of cgroup files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8a91df259..fe813a43f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -180,6 +180,7 @@ files_dontaudit_rw_root_chr_files(init_t)
fs_getattr_xattr_fs(init_t)
fs_list_inotifyfs(init_t)
+fs_relabel_cgroup_lnk_files(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
--
2.13.6
On Thu, 30 Nov 2017 21:47:47 +0100
Krzysztof Nowicki via refpolicy <[email protected]> wrote:
> diff --git a/policy/modules/system/init.te
> b/policy/modules/system/init.te index 8a91df259..fe813a43f 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -180,6 +180,7 @@ files_dontaudit_rw_root_chr_files(init_t)
>
> fs_getattr_xattr_fs(init_t)
> fs_list_inotifyfs(init_t)
> +fs_relabel_cgroup_lnk_files(init_t)
> # cjp: this may be related to /dev/log
> fs_write_ramfs_sockets(init_t)
>
Could you please move this into the ifdef(init_systemd) block?
Cheers,
Luis Ressel
From: Krzysztof Nowicki <[email protected]>
The cgroup directory under /sys/fs/cgroup contains a number of
pseudo-filesystems for each cgroup as well as two symbolic links for the
cpu and cpuacct groups, which were legacy symbolic links to the
cpu,cpuacct group.
These rules allow systemd to relabel these symbolic links from tmpfs_t
to their proper context, or otherwise denials will be printed for nearly
all systemd operation involving cgroups.
This change only grants systemd the possibility to relabel the
files. The actual relabelling needs to be done by systemd. The
accompanying change (commit 8739f23) will be released with systemd v236.
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index e2e3a041d..1ae99ea50 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -787,6 +787,24 @@ interface(`fs_relabel_cgroup_dirs',`
########################################
## <summary>
+## Relabel cgroup symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_lnk_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
## Get attributes of cgroup files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8a91df259..ff760a3e4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -355,6 +355,7 @@ ifdef(`init_systemd',`
fs_manage_hugetlbfs_dirs(init_t)
fs_getattr_tmpfs(init_t)
fs_read_tmpfs_files(init_t)
+ fs_relabel_cgroup_lnk_files(init_t)
fs_relabel_pstore_dirs(init_t)
fs_dontaudit_getattr_xattr_fs(init_t)
fs_create_cgroup_links(init_t)
--
2.13.6
On 12/01/2017 02:41 PM, Krzysztof Nowicki via refpolicy wrote:
> From: Krzysztof Nowicki <[email protected]>
>
> The cgroup directory under /sys/fs/cgroup contains a number of
> pseudo-filesystems for each cgroup as well as two symbolic links for the
> cpu and cpuacct groups, which were legacy symbolic links to the
> cpu,cpuacct group.
>
> These rules allow systemd to relabel these symbolic links from tmpfs_t
> to their proper context, or otherwise denials will be printed for nearly
> all systemd operation involving cgroups.
>
> This change only grants systemd the possibility to relabel the
> files. The actual relabelling needs to be done by systemd. The
> accompanying change (commit 8739f23) will be released with systemd v236.
> ---
> policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
> policy/modules/system/init.te | 1 +
> 2 files changed, 19 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index e2e3a041d..1ae99ea50 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -787,6 +787,24 @@ interface(`fs_relabel_cgroup_dirs',`
>
> ########################################
> ## <summary>
> +## Relabel cgroup symbolic links.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_relabel_cgroup_lnk_files',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
> +')
> +
> +########################################
> +## <summary>
> ## Get attributes of cgroup files.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 8a91df259..ff760a3e4 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -355,6 +355,7 @@ ifdef(`init_systemd',`
> fs_manage_hugetlbfs_dirs(init_t)
> fs_getattr_tmpfs(init_t)
> fs_read_tmpfs_files(init_t)
> + fs_relabel_cgroup_lnk_files(init_t)
> fs_relabel_pstore_dirs(init_t)
> fs_dontaudit_getattr_xattr_fs(init_t)
> fs_create_cgroup_links(init_t)
Merged, though I renamed the interface.
--
Chris PeBenito