Description of problem:
Peter Zijlstra pointed out to me that the control group kernel feature is not supported by the SELinux policy. Files in a mounted cgroup filesystem are unlabeled and the administrator is prevented by SELinux from creating a new control group.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-49.fc9
kernel-2.6.25-14.fc9.x86_64

How reproducible:
100%

Steps to Reproduce:
mkdir /dev/cgroup
mount -t cgroup cpu /dev/cgroup
ls -lZ /dev/cgroup
mkdir /dev/cgroup/my_cool_new_group

Actual results:
The files have the type unlabeled_t and an AVC denial is generated:

host=leela type=AVC msg=audit(1210681905.593:30): avc: denied { associate } for pid=1055 comm="mkdir" name="my_cool_new_group" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

Expected results:
The filesystem should be labeled and new control groups should be allowed.

Additional info:
I propose the attached patch which I have tested on my system.
Created attachment 305239: use genconfs for cgroup
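The AVC record in the report is the signature of a filesystem that policy has no labeling rule for: both the new directory and the filesystem itself fall back to unlabeled_t, so the associate check fails regardless of what the calling process is allowed to do. As an added example (not part of the bug report or of the attached patch), the following Python parser pulls that signature out of audit output; the sample lines are constructed from the report's record plus one made-up, unrelated denial for contrast.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit output: the AVC record from the report, plus a
# second, made-up denial on an already-labeled cgroup file for contrast.
SAMPLE_AUDIT = """\
host=leela type=AVC msg=audit(1210681905.593:30): avc: denied { associate } for pid=1055 comm="mkdir" name="my_cool_new_group" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=AVC msg=audit(1210681999.100:31): avc: denied { write } for pid=1060 comm="sh" name="tasks" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Split one AVC denial into its key=value fields; None for other lines.
    The denied permissions are joined into the 'perms' field."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = " ".join(m.group("perms").split())
    return rec


def type_of(context: str) -> str:
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def unlabeled_fs_denials(audit_text: str) -> List[Dict[str, str]]:
    """Return the denials that show the report's symptom: an 'associate'
    denial on tclass=filesystem where the filesystem itself is unlabeled_t.
    That combination means policy has no genfscon/fs_use rule for the
    filesystem type; the check is between the new file's label and the
    filesystem's label, so an allow rule for the process would not fix it."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if (rec.get("tclass") == "filesystem"
                and "associate" in rec["perms"].split()
                and type_of(rec.get("tcontext", "")) == "unlabeled_t"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in unlabeled_fs_denials(SAMPLE_AUDIT):
        print(f"{hit['comm']} on {hit['name']}: filesystem is "
              f"{type_of(hit['tcontext'])}; add a labeling rule for this fs type")
```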
Fixed in selinux-policy-3.3.1-72.fc9.noarch