Bug 1322184

Summary: selinux policy for systemd and cgroup2
Product: [Fedora] Fedora
Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 25
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-181.fc25 selinux-policy-3.13.1-208.fc25
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-17 03:04:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Zbigniew Jędrzejewski-Szmek 2016-03-30 00:22:11 UTC
Description of problem:
With the new "cgroup2" system added in kernel 4.5, systemd is getting selinux denials when manipulating the cgroup hierarchy.

Version-Release number of selected component (if applicable):
systemd-229+ (from git, see https://github.com/systemd/systemd/pull/2903)
selinux-policy-targeted-3.13.1-179.fc25.noarch

Steps to Reproduce:
1. install systemd from upstream git master
2. boot with systemd.unified_cgroup_hierarchy=1

AVCs:
# when writing process numbers to move them to the right cgroup
Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc:  denied  { write } for  pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

# when creating a new level in the hierarchy
Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.414:72): avc:  denied  { create } for  pid=1 comm="systemd" name="lvm2-monitor.service" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

Unified cgroup hierarchy is not the default in systemd, but it will become so during the F25 development cycle.
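An added triage helper, not part of this bug report or of the selinux-policy project, that parses the two AVC lines above and separates a labeling bug (tcontext is unlabeled_t, as here, so the fix is to label the filesystem rather than to allow access to unlabeled_t) from a genuinely missing allow rule. The field names follow the kernel audit format; the classification logic and the allow-rule string it emits for the second case (shaped like audit2allow output, but this helper's own simplified version) are assumptions.

```python
import re

# AVC lines copied from this bug report (kernel audit format) as sample input.
SAMPLE_AVCS = [
    'Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc:  denied  { write } for  pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1',
    'Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.414:72): avc:  denied  { create } for  pid=1 comm="systemd" name="lvm2-monitor.service" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["permissive"] = fields.get("permissive") == "1"  # logged but not enforced
    return fields


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def triage(avc):
    """Classify a denial as a labeling problem or a missing allow rule (assumed heuristic).

    unlabeled_t as the target means the kernel had no label for the object at all, so
    the remedy is a genfscon/fcontext entry, never an allow rule against unlabeled_t.
    """
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    perms = " ".join(avc["perms"])
    if tgt == "unlabeled_t":
        where = f'filesystem "{avc["dev"]}"' if "dev" in avc else f'object "{avc.get("name", "?")}"'
        return {"kind": "labeling", "source": src, "class": avc["tclass"], "perms": perms,
                "advice": f"assign a type to {where} (e.g. via genfscon); do not allow {src} access to unlabeled_t"}
    return {"kind": "rule", "source": src, "class": avc["tclass"], "perms": perms,
            "advice": f"allow {src} {tgt}:{avc['tclass']} {{ {perms} }};"}


def triage_log(lines):
    """Parse and classify every AVC line in an iterable of log lines."""
    return [triage(a) for a in map(parse_avc, lines) if a]


if __name__ == "__main__":
    for result in triage_log(SAMPLE_AVCS):
        print(result)
```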

Comment 1 Daniel Walsh 2016-03-30 17:18:24 UTC
I take it this is a new filesystem cgroup2?

Probably need this patch.

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index b00be59..7e37941 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -85,6 +85,7 @@ fs_type(cgroup_t)
 files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
+genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
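Review bot: the added genfscon line carries no comment or commit message saying why the new cgroup2 filesystem is given the existing cgroup_t type instead of a type of its own; a one-line comment above it stating that cgroup2 is meant to share cgroup_t, and so inherit every existing rule for it, would make the intent reviewable. The denials in the description show dev="cgroup2" with tcontext unlabeled_t, which is exactly what a missing genfscon entry produces, so the change is the right shape; after loading the policy the check is that `ls -Zd` on the cgroup2 mount point reports cgroup_t rather than unlabeled_t, and since genfscon on / labels everything on that filesystem, the dir create denial for the new service directory should disappear with the same line.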

Comment 2 Zbigniew Jędrzejewski-Szmek 2016-03-30 17:21:49 UTC
Yep, new filesystem (commit 67e9c74b8a in the kernel).

Thanks, I'll try the patch.

Comment 4 Lukas Vrabec 2016-03-31 08:40:21 UTC
Thank you for the patch.

Comment 5 Zbigniew Jędrzejewski-Szmek 2016-03-31 11:49:36 UTC
FTR, rawhide boots with this patch, but there's still some "permission denied" error about moving PIDs to a cgroup. But I haven't had time to debug it properly, so I don't know if this is an issue with systemd code or with the policy. So more changes might be necessary, but this patch is already a big improvement, so it's OK for it to go in.

Comment 6 Jan Kurik 2016-07-26 04:37:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 7 Fedora Update System 2016-08-12 15:57:26 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1

Comment 8 Fedora Update System 2016-08-17 03:02:40 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.