selinux: allow changing labels for cgroupfs
author Antonio Murdaca <amurdaca@redhat.com>
Thu, 2 Feb 2017 15:22:57 +0000 (16:22 +0100)
committer Paul Moore <paul@paul-moore.com>
Wed, 8 Feb 2017 03:17:47 +0000 (22:17 -0500)
commit 1ea0ce40690dff38935538e8dab7b12683ded0d3
tree e7d8de7dc6c8d750658a368b8301f1a6ab1527c0
parent 3a2f5a59a695a73e0cde9a61e0feae5fa730e936
selinux: allow changing labels for cgroupfs

This patch allows changing labels for cgroup mounts. Previously, running
chcon on cgroupfs would throw an "Operation not supported". This patch
specifically whitelists cgroupfs.

The patch could also allow containers to write only to the systemd cgroup,
for instance, while the other cgroups are kept with cgroup_t label.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c