On Fri, Jan 11, 2019 at 9:51 PM Tejun Heo <tj@xxxxxxxxxx> wrote: > Hello, > > On Wed, Jan 09, 2019 at 10:10:25AM +0100, Ondrej Mosnacek wrote: > > The main motivation for this change is that the userspace users of cgroupfs > > (which is built on kernfs) expect the usual security context inheritance > > to work under SELinux (see [1] and [2]). This functionality is required for > > better confinement of containers under SELinux. > > Can you please go into details on what the expected use cases are like > for cgroupfs? It shows up as a filesystem but isn't a real one and > has its own permission scheme for delegation and stuff. If sysfs > hasn't needed selinux support, I'm having a bit of difficulty seeing > why cgroupfs would. I'm not sure what are the exact needs of the container people, but IIUC the goal is to make it possible to have a subtree labeled with a specific label (that gets inherited by newly created cgroups in that subtree by default) so that container processes do not need to be given permissions for the whole cgroupfs tree. I'm cc'ing Dan Walsh, who should be able to explain the use cases in more details. Dan, this is related to the cgroupfs labeling problem ([1] and [2]). See [3] for the root of this discussion. [1] https://github.com/SELinuxProject/selinux-kernel/issues/39 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1553803 [3] https://lore.kernel.org/selinux/CAFqZXNsxfjwDaCWDrqxP736y_3Jm-r=twaHtkkTDtMuym774Jw@xxxxxxxxxxxxxx/T/ -- Ondrej Mosnacek <omosnace at redhat dot com> Associate Software Engineer, Security Technologies Red Hat, Inc.