Thanks On Aug 22, 2017 21:47, "Paul Moore" <[email protected]> wrote:
> On Fri, Mar 10, 2017 at 3:21 PM, Paul Moore <[email protected]> wrote: > > On Fri, Mar 10, 2017 at 3:17 PM, Stephen Smalley <[email protected]> > wrote: > >> On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote: > >>> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <[email protected] > >>> > wrote: > >>> > > >>> > This patch allows genfscon per-file labeling for cgroupfs. For > >>> > instance, > >>> > this allows to label the "release_agent" file within each > >>> > cgroup mount and limit writes to it. > >>> > > >>> > Signed-off-by: Antonio Murdaca <[email protected]> > >>> > --- > >>> > security/selinux/hooks.c | 2 ++ > >>> > 1 file changed, 2 insertions(+) > >>> > >>> Now that the merge window is behind us, let's get this merged, but > >>> could you update it to use the selinux_policycap_cgroupseclabel > >>> policy > >>> capability? See 2651225b5ebcdde ("selinux: wrap cgroup seclabel > >>> support with its own policy capability") for more information. > >> > >> I don't think that is necessary. This change unlike the other one > >> should not yield any difference in behavior with existing policy; it > >> just allows one to specify fine-grained labeling for cgroup nodes in > >> future policy. It doesn't affect any userspace interface. > > > > Yes, I thought about that, and if the policy capability was already > > present in a released kernel then I wouldn't worry about it much, but > > since the policy capability still only lives in the v4.11-rcX kernels > > I'd prefer to see this code wrapped with the policy capability ... > > even if all it really does is give me that warm fuzzy feeling. > > FWIW, I just decided I didn't care that much about the policy > capability restriction for this patch and went ahead and merged it > into selinux/next. > > -- > paul moore > www.paul-moore.com >
