Bug 1316278 - incorrect SELinux label on /sys/fs/cgroup and restorecon fails with "Read-only file system"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.2
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: David Tardon
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
Depends On:
Blocks: 1420851 1481966 1549617 1551061
Reported: 2016-03-09 21:10 UTC by k2eric
Modified: 2020-05-14 15:08 UTC (History)

Fixed In Version: systemd-219-58.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1481966
Environment:
Last Closed: 2018-10-30 11:32:10 UTC
Target Upstream Version:




Links
CentOS bug 0010078 (last updated 2016-03-09 21:10:39 UTC)
Red Hat Knowledge Base Solution 3005761 (last updated 2017-04-19 06:54:08 UTC)

Description k2eric 2016-03-09 21:10:39 UTC
Description of problem:

(originally reported on the CentOS bug tracker and someone suggested that I should report here instead)

/sys/fs/cgroup is currently assigned the incorrect SELinux label of

system_u:object_r:tmpfs_t:s0

but restorecon reports that it should be

system_u:object_r:cgroup_t:s0

restorecon is unable to fix the issue as it returns an error: Read-only file system


Version-Release number of selected component (if applicable):

CentOS 7.2.1511

selinux-policy 3.13.1 (release 60.el7_2.3, based off of reference policy: checked out revision 2.20091117)


How reproducible:

always


Steps to Reproduce:

1. run ls -aZ /sys/fs/cgroup to verify directory has label of system_u:object_r:tmpfs_t:s0

2. run sudo restorecon -v /sys/fs/cgroup to correct the label


Actual results:

You will see the following error message:

restorecon set context /sys/fs/cgroup->system_u:object_r:cgroup_t:s0 failed:'Read-only file system'


Expected results:

restorecon should have corrected the label of /sys/fs/cgroup to system_u:object_r:cgroup_t


Additional info:

You can confirm the correct label here:

https://github.com/TresysTechnology/refpolicy/blob/778dfaf776800887d1f9c320a7ac6199139b694b/policy/modules/kernel/filesystem.fc#L14
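The check described in the reproduction steps, as an added audit helper that is not part of the bug report or of systemd: it compares a path's current SELinux type with the type the policy expects and reports whether restorecon can fix a mismatch in place, which it cannot on a read-only mount such as /sys/fs/cgroup. It assumes GNU stat (for `%C`), matchpathcon from libselinux-utils and findmnt are installed.

```shell
#!/bin/sh
# Added example, not code from the bug report: audit the SELinux label of a
# path and say whether a mismatch is repairable with restorecon.
# Assumes GNU stat, matchpathcon and findmnt (all standard on RHEL/CentOS 7).

# Return the type field (third colon-separated component) of a context,
# e.g. system_u:object_r:tmpfs_t:s0 -> tmpfs_t.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Judge an actual context against the expected one on a mount that is
# "ro" or "rw". Exit status: 0 match; 1 mismatch on a read-only filesystem,
# where restorecon fails with "Read-only file system" as in this bug;
# 2 mismatch on a writable filesystem, where restorecon can relabel it.
label_verdict() {
    actual_type=$(selinux_type "$1")
    expected_type=$(selinux_type "$2")
    if [ "$actual_type" = "$expected_type" ]; then
        echo "ok: $actual_type"
        return 0
    fi
    if [ "$3" = "ro" ]; then
        echo "mismatch: $actual_type, expected $expected_type; filesystem is read-only, restorecon cannot relabel it in place"
        return 1
    fi
    echo "mismatch: $actual_type, expected $expected_type; run restorecon"
    return 2
}

# Live audit of one path on an SELinux host: gather the three inputs and judge.
audit_path() {
    path="$1"
    actual=$(stat -c %C "$path")              # current context of the inode
    expected=$(matchpathcon -n "$path")       # context the loaded policy expects
    opts=$(findmnt -n -o OPTIONS --target "$path")
    case ",$opts," in
        *,ro,*) mode=ro ;;
        *)      mode=rw ;;
    esac
    label_verdict "$actual" "$expected" "$mode"
}

# Usage on a live system: audit_path /sys/fs/cgroup
```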

Comment 3 Lukas Vrabec 2016-07-12 14:23:12 UTC
I cannot remember. But I don't think so.

Comment 6 Lukas Vrabec 2017-08-16 07:46:36 UTC
This should be fixed in systemd code.

Michal,
Could you add labeling for the /sys/fs/cgroup dir as cgroup_t?

Thanks.

Comment 8 Vasiliy G Tolstov 2017-10-27 11:53:34 UTC
Any news about this issue?

Comment 12 David Tardon 2018-05-28 08:19:16 UTC
https://github.com/lnykryn/systemd-rhel/pull/207

Comment 13 Lukáš Nykrýn 2018-06-21 10:11:39 UTC
fix merged to staging branch -> https://github.com/lnykryn/systemd-rhel/pull/207 -> post

Comment 17 errata-xmlrpc 2018-10-30 11:32:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3245

