Bug 446203
| Summary: | Control group (cgroup) support |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | selinux-policy |
| Version: | 9 |
| Status: | CLOSED CURRENTRELEASE |
| Severity: | low |
| Priority: | low |
| Hardware: | All |
| OS: | Linux |
| Reporter: | Michal Schmidt <mschmidt> |
| Assignee: | Daniel Walsh <dwalsh> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | jkubin |
| Fixed In Version: | 72 |
| Doc Type: | Bug Fix |
| Last Closed: | 2008-07-02 19:36:19 UTC |

Created attachment 305239
use genconfs for cgroup

Fixed in selinux-policy-3.3.1-72.fc9.noarch

Description of problem:
Peter Zijlstra pointed out to me that the control group kernel feature is not supported by the SELinux policy. Files in a mounted cgroup filesystem are unlabeled and the administrator is prevented by SELinux from creating a new control group.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-49.fc9
kernel-2.6.25-14.fc9.x86_64

How reproducible:
100%

Steps to Reproduce:
mkdir /dev/cgroup
mount -t cgroup cpu /dev/cgroup
ls -lZ /dev/cgroup
mkdir /dev/cgroup/my_cool_new_group

Actual results:
The files have the type unlabeled_t and an AVC denial is generated:
host=leela type=AVC msg=audit(1210681905.593:30): avc: denied { associate } for pid=1055 comm="mkdir" name="my_cool_new_group" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

Expected results:
The filesystem should be labeled and new control groups should be allowed.

Additional info:
I propose the attached patch which I have tested on my system.
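
The denial in this report has a recognisable shape: `associate` on class `filesystem` with an `unlabeled_t` target. The following triage script is an added example, not part of the original report or the attached patch; it parses AVC records and picks out that shape. The function names and the second log line are constructed for illustration.

```python
import re

# First record is the AVC line from the report; the second is constructed
# for contrast and must not be flagged.
SAMPLE_LOG = [
    'host=leela type=AVC msg=audit(1210681905.593:30): avc: denied { associate } '
    'for pid=1055 comm="mkdir" name="my_cool_new_group" '
    'scontext=unconfined_u:object_r:unlabeled_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1210681999.101:31): avc:  denied  { read } for  pid=2001 '
    'comm="cat" name="shadow" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        # Context is user:role:type[:level]; the level may contain colons.
        parts = rec.get(key, '').split(':', 3)
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec

def is_unlabeled_fs_denial(rec):
    """True for a denied 'associate' against an unlabeled filesystem."""
    return (rec is not None and rec['result'] == 'denied'
            and 'associate' in rec['perms']
            and rec.get('tclass') == 'filesystem'
            and rec['tcontext_type'] == 'unlabeled_t')

def triage(lines):
    """Return (comm, name, source type) for every matching denial."""
    return [(r.get('comm'), r.get('name'), r['scontext_type'])
            for r in map(parse_avc, lines) if is_unlabeled_fs_denial(r)]

if __name__ == '__main__':
    for hit in triage(SAMPLE_LOG):
        print(hit)
```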