Description of problem:
With the new "cgroup2" system added in kernel 4.5, systemd is getting selinux denials when manipulating the cgroup hierarchy.

Version-Release number of selected component (if applicable):
systemd-229+ (from git, see https://github.com/systemd/systemd/pull/2903)
selinux-policy-targeted-3.13.1-179.fc25.noarch

Steps to Reproduce:
1. install systemd from upstream git master
2. boot with systemd.unified_cgroup_hierarchy=1

AVCs:
# when writing process numbers to move them to the right cgroup
Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.257:68): avc: denied { write } for pid=1 comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
# when creating a new level in the hierarchy
Mar 29 19:58:30 rawhide kernel: audit: type=1400 audit(1459295910.414:72): avc: denied { create } for pid=1 comm="systemd" name="lvm2-monitor.service" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

Unified cgroup hierarchy is not the default in systemd, but it will become so during the F25 development cycle.
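The two AVC records above are the whole evidence in this report, and the telling field is tcontext=...:unlabeled_t:..., which says the kernel had no label for the object rather than that init_t lacks an allow rule. The following is an added example, not code from this report or from the systemd or selinux-policy projects: it parses AVC records of this shape and separates denials whose target is unlabeled_t (a labeling gap, typically a missing genfscon entry on a pseudo-filesystem) from ordinary allow-rule gaps. The sample input is constructed from the two records quoted above.

```python
import re

# Constructed sample input: the two AVC records quoted in this report, minus the
# "kernel: audit: type=1400" syslog prefix (field values are exactly as quoted).
SAMPLE_AVCS = [
    'audit(1459295910.257:68): avc: denied { write } for pid=1 comm="systemd" name="cgroup.procs" '
    'dev="cgroup2" ino=6 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1',
    'audit(1459295910.414:72): avc: denied { create } for pid=1 comm="systemd" name="lvm2-monitor.service" '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def classify(rec):
    """An unlabeled_t target means the kernel had no label for the object (on a
    pseudo-filesystem, usually a missing genfscon entry), so the fix is a labeling
    statement, not another allow rule; any other target type is a plain gap in
    the allow rules for the source domain."""
    ttype = context_type(rec.get("tcontext", ""))
    if ttype == "unlabeled_t":
        return ("unlabeled-target", rec.get("dev", "unknown filesystem"))
    return ("missing-allow-rule", ttype)

def summarize(lines):
    """Return (source type, target fs or type, tclass, perms, verdict) per AVC."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC record, e.g. a different audit type
        verdict, where = classify(rec)
        out.append((context_type(rec["scontext"]), where, rec["tclass"],
                    tuple(rec["perms"]), verdict))
    return out
```

Run over the two records it reports both as unlabeled-target denials from init_t, the first naming the cgroup2 filesystem; the dir create record carries no dev= field, so the filesystem has to be inferred from the neighbouring record.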
I take it this is a new filesystem cgroup2? Probably need this patch. diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index b00be59..7e37941 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -85,6 +85,7 @@ fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) +genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) type configfs_t; fs_type(configfs_t)
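Review bot: the new genfscon line labels the whole cgroup2 mount with the same cgroup_t type as the v1 hierarchy, so every existing allow rule on cgroup_t now applies to the unified hierarchy too; that removes the unlabeled_t target in both AVCs from the report, but the hunk adds no allow rules of its own, so it is worth confirming on a systemd.unified_cgroup_hierarchy=1 boot that init_t's existing cgroup_t rules already cover `write` on the cgroup.procs file and `create` of service directories, since those are the two operations the report shows failing.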
Yep, new filesystem (commit 67e9c74b8a in the kernel). Thanks, I'll try the patch.
https://github.com/fedora-selinux/selinux-policy/pull/116
Thank you for the patch.
FTR, rawhide boots with this patch, but there's still some "permission denied" error about moving PIDs to a cgroup. But I haven't had time to debug it properly, so I don't know if this is an issue with systemd code or with the policy. So more changes might be necessary, but this patch is already a big improvement, so it's OK for it to go in.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.