On Fri, Mar 10, 2017 at 3:21 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > On Fri, Mar 10, 2017 at 3:17 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >> On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote: >>> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@xxxxxxxxxx >>> > wrote: >>> > >>> > This patch allows genfscon per-file labeling for cgroupfs. For >>> > instance, >>> > this allows to label the "release_agent" file within each >>> > cgroup mount and limit writes to it. >>> > >>> > Signed-off-by: Antonio Murdaca <runcom@xxxxxxxxxx> >>> > --- >>> > security/selinux/hooks.c | 2 ++ >>> > 1 file changed, 2 insertions(+) >>> >>> Now that the merge window is behind us, let's get this merged, but >>> could you update it to use the selinux_policycap_cgroupseclabel >>> policy >>> capability? See 2651225b5ebcdde ("selinux: wrap cgroup seclabel >>> support with its own policy capability") for more information. >> >> I don't think that is necessary. This change unlike the other one >> should not yield any difference in behavior with existing policy; it >> just allows one to specify fine-grained labeling for cgroup nodes in >> future policy. It doesn't affect any userspace interface. > > Yes, I thought about that, and if the policy capability was already > present in a released kernel then I wouldn't worry about it much, but > since the policy capability still only lives in the v4.11-rcX kernels > I'd prefer to see this code wrapped with the policy capability ... > even if all it really does is give me that warm fuzzy feeling. FWIW, I just decided I didn't care that much about the policy capability restriction for this patch and went ahead and merged it into selinux/next. -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html