I was wondering what people's thoughts were on doing this. At the moment cgroupfs does not support xattrs, so no labelling of SELinux types is permitted, but since /proc and other pseudo filesystems support it, this should be possible.

There are a number of use-cases which would benefit from this. For example, I have recently been working with application layer integration of libcgroup with other services (Apache being able to switch cgroups for vhosts, for example) because cgroups offer an excellent means of offering resource control to prevent abuse of resources.

As a typical example, I'd like to be able to label some cgroups in cgroupfs as "httpd_cgroup_t" / "httpd_cgroup_task_t" so that I can control the access of the files it creates for administering tasks and altering what goes in the task list. But currently I must give httpd_t complete access to cgroup_t files. I can use DAC effectively enough to limit access, but without SELinux backing me up it makes me feel somewhat naked.

As a matter of fact, I started patching libcgroup to support labelling cgroupfs without realizing this facility is unsupported! So I have about 70% of an effective patch to do this work properly within libcgroup too.

I welcome people's thoughts on this idea.