On Thu, Feb 2, 2017 at 4:01 PM, Gary Tierney <gary.tier...@gmx.com> wrote:
> On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote: > > This patch allows changing labels for cgroup mounts. Previously, running > > chcon on cgroupfs would throw an "Operation not supported". This patch > > specifically whitelist cgroupfs. > > > > The patch could also allow containers to write only to the systemd cgroup > > for instance, while the other cgroups are kept with cgroup_t label. > > > > Signed-off-by: Antonio Murdaca <run...@redhat.com> > > --- > > security/selinux/hooks.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index 3b955c6..4e84211 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -480,6 +480,7 @@ static int selinux_is_sblabel_mnt(struct super_block > *sb) > > sbsec->behavior == SECURITY_FS_USE_NATIVE || > > /* Special handling. Genfs but also in-core setxattr > handler */ > > !strcmp(sb->s_type->name, "sysfs") || > > + !strcmp(sb->s_type->name, "cgroup") || > > Should we also include "cgroup2" here, since they are defined as 2 > distinct filesystems? https://github.com/SELinuxProject/selinux-kernel/ > blob/master/kernel/cgroup.c#L2314-L2326 likely yes > > > > !strcmp(sb->s_type->name, "pstore") || > > !strcmp(sb->s_type->name, "debugfs") || > > !strcmp(sb->s_type->name, "tracefs") || > > -- > > 2.9.3 > > > > _______________________________________________ > > Selinux mailing list > > Selinux@tycho.nsa.gov > > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > > To get help, send an email containing "help" to > selinux-requ...@tycho.nsa.gov. > -- Antonio (runcom) Murdaca, RHCE Senior Software Engineer - Containers 09B9 8F09 3E2D C310 E250 69B5 B2BE AD15 0DE9 36B9 <https://pgp.mit.edu/pks/lookup?op=get&search=0xB2BEAD150DE936B9>
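Review bot: The new `!strcmp(sb->s_type->name, "cgroup") ||` test in selinux_is_sblabel_mnt() matches only the filesystem type named "cgroup", so a mount whose type is "cgroup2" would still fall through and chcon on it would keep failing with "Operation not supported". As raised in the reply, the two are distinct filesystem types; if relabeling is meant to work on both, add a matching `!strcmp(sb->s_type->name, "cgroup2") ||` line next to it. The list sits under the comment "Genfs but also in-core setxattr handler", so the commit message should also state that cgroup meets that condition, since the description currently gives only the chcon symptom and the container use case.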