selinux: allow changing labels for cgroupfs
author: Antonio Murdaca <amurdaca@redhat.com>
Thu, 2 Feb 2017 15:22:57 +0000 (16:22 +0100)
committer: Paul Moore <paul@paul-moore.com>
Wed, 8 Feb 2017 03:17:47 +0000 (22:17 -0500)
This patch allows changing labels for cgroup mounts. Previously, running
chcon on cgroupfs would throw an "Operation not supported". This patch
specifically whitelists cgroupfs.

The patch could also allow containers to write only to the systemd cgroup
for instance, while the other cgroups are kept with cgroup_t label.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c

index a5398fea0966ec41e42dd1ebe669ca9adddddbce..76af95fa741ab306352114ae5860823980dedb11 100644
@@ -480,6 +480,8 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
                sbsec->behavior == SECURITY_FS_USE_NATIVE ||
                /* Special handling. Genfs but also in-core setxattr handler */
                !strcmp(sb->s_type->name, "sysfs") ||
+               !strcmp(sb->s_type->name, "cgroup") ||
+               !strcmp(sb->s_type->name, "cgroup2") ||
                !strcmp(sb->s_type->name, "pstore") ||
                !strcmp(sb->s_type->name, "debugfs") ||
                !strcmp(sb->s_type->name, "tracefs") ||
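Review bot: the commit message only talks about "cgroupfs", but the hunk adds both "cgroup" and "cgroup2" to the selinux_is_sblabel_mnt() name list, so the message should state that the unified cgroup2 hierarchy is covered as well. It would also help to spell out that this only lifts the EOPNOTSUPP from setxattr: after this change a chcon on a cgroup mount becomes a policy decision, and policy must grant the relabel permissions on the cgroup_t label mentioned in the message before the "containers write only to the systemd cgroup" use case actually works. Since the new entries sit under the "Genfs but also in-core setxattr handler" comment next to sysfs, a short note that cgroup/cgroup2 share that kernfs-backed in-core xattr path (and that the genfs context still applies to inodes that have not been relabeled) would document why the sysfs treatment is the right precedent here.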