On Wed, Jan 09, 2019 at 05:28:30PM +0100, Ondrej Mosnacek wrote: > Use the new security_object_init_security() hook to allow LSMs to > possibly assign a non-default security context to newly created nodes > based on the context of their parent node. > > This fixes an issue with cgroupfs under SELinux, where newly created > cgroup subdirectories would not inherit its parent's context if it had > been set explicitly to a non-default value (other than the genfs context > specified by the policy). This can be reproduced as follows: I'm not yet sure about using selinux on cgroupfs. Let's please discuss that first. Thanks. -- tejun