From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1463116053.48506484a821aadad30275f31b50bb636564e031.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/filesystem.te
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 48506484a821aadad30275f31b50bb636564e031
X-VCS-Branch: master
Date: Fri, 13 May 2016 05:37:22 +0000 (UTC)

commit:     48506484a821aadad30275f31b50bb636564e031
Author:     Lukas Vrabec redhat com>
AuthorDate: Thu Mar 31 10:26:30 2016 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=48506484

SELinux support for cgroup2 filesystem.

With the new "cgroup2" system added in kernel 4.5, systemd is getting selinux denials when manipulating the cgroup hierarchy.

Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903

AVC when writing process numbers to move them to the right cgroup:

Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc: denied { write } for pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

In this case the new filesystem "cgroup2" needs to be labeled as cgroup_t.

Signed-off-by: Lukas Vrabec redhat.com>

 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 8de310b..86d59bf 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -78,6 +78,7 @@ fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) +genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) type configfs_t; fs_type(configfs_t)
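Review bot: the new genfscon line maps the unified cgroup2 hierarchy to the same cgroup_t type as the v1 cgroup filesystem, so every existing allow rule on cgroup_t (not only the init_t write to cgroup.procs from the commit message) now also reaches cgroup2 files; if sharing the type is the intent rather than a distinct cgroup2 type, a short comment above `+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)` noting that the cgroup2 fstype exists only on kernels 4.5 and later would document why a second fstype is labeled identically, since the hunk itself gives no hint.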