On 02/09/2017 06:04 PM, Paul Moore wrote:
> On Thu, Feb 9, 2017 at 5:32 PM, Antonio Murdaca <amurdaca@xxxxxxxxxx> wrote:
>>
>> On Feb 9, 2017 20:23, "Paul Moore" <paul@xxxxxxxxxxxxxx> wrote:
>>
>> On Thu, Feb 9, 2017 at 12:39 PM, Antonio Murdaca <amurdaca@xxxxxxxxxx>
>> wrote:
>>> On Feb 9, 2017 17:14, "Paul Moore" <paul@xxxxxxxxxxxxxx> wrote:
>>> On Thu, Feb 9, 2017 at 11:02 AM, Antonio Murdaca <amurdaca@xxxxxxxxxx>
>>> wrote:
>>>> From: Antonio Murdaca <runcom@xxxxxxxxxx>
>>>>
>>>> This patch allows genfscon per-file labeling for cgroupfs. For instance,
>>>> this allows to label the "release_agent" file within each
>>>> cgroup mount and limit writes to it.
>>>>
>>>> Signed-off-by: Antonio Murdaca <amurdaca@xxxxxxxxxx>
>>>> ---
>>>> security/selinux/hooks.c | 2 ++
>>>> 1 file changed, 2 insertions(+)
>>> This was already merged ... ?
>>>
>>>
>>> This is adding cgroup and cgroup2 to the other whitelist (afaict).
>> Yes, my apologies, I read this patch too quickly and confused it with
>> the previous cgroups patch.
>>
>> Just to set expectations, this patch is too late for the upcoming
>> merge window, we can consider it in a few weeks once the merge window
>> has closed. This should give you some time to do some further testing
>> (hint, hint).
>>
>>
>> Sure, I'm going to test this and add tests in selinux-testsuite as well
> Great, thank you.
>
No problem on waiting for this patch. Stephen asked for this, but this is
not something we are currently planning on using with containers.