[refpolicy] [PATCH] Allow systemd to relabel cgroupfs legacy symlinks

Krzysztof Nowicki krzysztof.a.nowicki at gmail.com
Fri Dec 1 19:41:40 UTC 2017


From: Krzysztof Nowicki <krissn at op.pl>

The cgroup directory under /sys/fs/cgroup contains a number of
pseudo-filesystems for each cgroup as well as two symbolic links for the
cpu and cpuacct groups, which were legacy symbolic links to the
cpu,cpuacct group.

These rules allow systemd to relabel these symbolic links from tmpfs_t
to their proper context, or otherwise denials will be printed for nearly
all systemd operation involving cgroups.

This change only grants systemd the possibility to relabel the
files. The actual relabelling needs to be done by systemd. The
accompanying change (commit 8739f23) will be released with systemd v236.
---
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/system/init.te       |  1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index e2e3a041d..1ae99ea50 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -787,6 +787,24 @@ interface(`fs_relabel_cgroup_dirs',`
 
 ########################################
 ## <summary>
+##	Relabel cgroup symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_lnk_files',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
 ##     Get attributes of cgroup files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8a91df259..ff760a3e4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -355,6 +355,7 @@ ifdef(`init_systemd',`
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_getattr_tmpfs(init_t)
 	fs_read_tmpfs_files(init_t)
+	fs_relabel_cgroup_lnk_files(init_t)
 	fs_relabel_pstore_dirs(init_t)
 	fs_dontaudit_getattr_xattr_fs(init_t)
 	fs_create_cgroup_links(init_t)
-- 
2.13.6



More information about the refpolicy mailing list