Bug 1316278

Summary: incorrect SELinux label on /sys/fs/cgroup and restorecon fails with "Read-only file system"
Product: Red Hat Enterprise Linux 7 Reporter: k2eric
Component: systemd Assignee: David Tardon <dtardon>
Status: CLOSED ERRATA QA Contact: Frantisek Sumsal <fsumsal>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2 CC: cww, dtardon, fsumsal, kwalker, lvrabec, mgrepl, mmalik, msekleta, plautrba, pvrabec, ssekidde, systemd-maint-list, v.tolstov, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: systemd-219-58.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1481966 (view as bug list) Environment:
Last Closed: 2018-10-30 11:32:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420851, 1481966, 1549617, 1551061    

Description k2eric 2016-03-09 21:10:39 UTC
Description of problem:

(originally reported on the CentOS bug tracker and someone suggested that I should report here instead)

/sys/fs/cgroup is currently assigned the incorrect SELinux label of

system_u:object_r:tmpfs_t:s0

but restorecon reports that it should be

system_u:object_r:cgroup_t:s0

restorecon is unable to fix the issue as it returns an error: Read-only file system


Version-Release number of selected component (if applicable):

CentOS 7.2.1511

selinux-policy 3.13.1 (release 60.el7_2.3, Based off of reference policy: Checked out revision  2.20091117)


How reproducible:

always


Steps to Reproduce:

1. run ls -aZ /sys/fs/cgroup to verify directory has label of system_u:object_r:tmpfs_t:s0

2. run sudo restorecon -v /sys/fs/cgroup to correct the label


Actual results:

You will see the following error message:

restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0 failed:'Read-only file system'


Expected results:

restorecon should have corrected the label of /sys/fs/cgroup to system_u:object_r:cgroup_t


Additional info:

You can confirm the correct label here:

https://github.com/TresysTechnology/refpolicy/blob/778dfaf776800887d1f9c320a7ac6199139b694b/policy/modules/kernel/filesystem.fc#L14
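
Added example (not part of the original report, and not code from systemd or selinux-policy): a small triage helper that tells apart a label mismatch restorecon could fix from the case reported above, where the path sits on a read-only mount. The function names and the sample mount table are constructed for illustration; on a live system the inputs would come from /proc/mounts, `stat -c %C` and `matchpathcon -n`.

```sh
#!/bin/sh
# Added example: triage an SELinux label mismatch like the one in this report.
# Function names and SAMPLE_MOUNTS are constructed, not taken from the bug.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,seclabel,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0'

# Read a mount table on stdin and print the options of the mount containing
# PATH: the longest matching mount point wins, and a later entry for the same
# mount point shadows an earlier one.
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# Type field of a context (user:role:type:range). restorecon without -F
# only resets this field, so it is the one compared here.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Usage: triage_label ACTUAL_CONTEXT EXPECTED_CONTEXT MOUNT_OPTIONS
# Prints one of: ok | mismatch-relabel | mismatch-readonly
triage_label() {
    actual=$(context_type "$1")
    expected=$(context_type "$2")
    if [ "$actual" = "$expected" ]; then echo ok; return; fi
    case ",$3," in
        *,ro,*) echo mismatch-readonly ;;  # setting the label fails: Read-only file system
        *)      echo mismatch-relabel ;;   # the mount is writable, so ro is not the blocker
    esac
}

# The situation from this report, replayed on the constructed mount table.
opts=$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_opts_for /sys/fs/cgroup)
triage_label system_u:object_r:tmpfs_t:s0 system_u:object_r:cgroup_t:s0 "$opts"
# prints: mismatch-readonly
```

A `mismatch-readonly` result means the label has to be set by whatever creates the mount, before it goes read-only, rather than by running restorecon afterwards.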

Comment 3 Lukas Vrabec 2016-07-12 14:23:12 UTC
I cannot remember. But I don't think so.

Comment 6 Lukas Vrabec 2017-08-16 07:46:36 UTC
This should be fixed in systemd code. 

Michal, 
Could you add labeling for /sys/fs/cgroup dir cgroup_t ? 

Thanks.

Comment 8 Vasiliy G Tolstov 2017-10-27 11:53:34 UTC
Any news about this issue?

Comment 12 David Tardon 2018-05-28 08:19:16 UTC
https://github.com/lnykryn/systemd-rhel/pull/207

Comment 13 Lukáš Nykrýn 2018-06-21 10:11:39 UTC
fix merged to staging branch -> https://github.com/lnykryn/systemd-rhel/pull/207 -> post

Comment 17 errata-xmlrpc 2018-10-30 11:32:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3245