commit: 48506484a821aadad30275f31b50bb636564e031 Author: Lukas Vrabec <lvrabec <AT> redhat <DOT> com> AuthorDate: Thu Mar 31 10:26:30 2016 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Fri May 13 05:07:33 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=48506484
SELinux support for cgroup2 filesystem. With the new "cgroup2" system added in kernel 4.5, systemd is getting selinux denials when manipulating the cgroup hierarchy. Pull request in systemd with cgroup2 support: https://github.com/systemd/systemd/pull/2903 AVC when writing process numbers to move them to the right cgroup: Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc: denied { write } for pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 In this case new filesystem "cgroup2" need to be labeled as cgroup_t. Signed-off-by: Lukas Vrabec <lvrabec <AT> redhat.com> policy/modules/kernel/filesystem.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 8de310b..86d59bf 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -78,6 +78,7 @@ fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) +genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) type configfs_t; fs_type(configfs_t)
