On 4/29/2011 4:05 PM, Matthew Ife wrote:
> I was wondering what peoples' thoughts were on doing this.

It's a good idea. Make it so.

> At the moment cgroupfs does not support xattrs so no labelling of selinux
> types is permitted, but since /proc and other pseudo filesystems support
> it this should be possible.
>
> There are a number of use-cases which would benefit from this. For
> example I have recently been working with application layer integration
> of libcgroup with other services (apache being able to switch
> cgroups for vhosts for example) because cgroups offer an excellent means
> of offering resource control to prevent abuse of resources.
>
> As a typical example I'd like to be able to label some cgroups in
> cgroupfs as "httpd_cgroup_t" / "httpd_cgroup_task_t" so that I can
> control the access of the files it creates for administering tasks and
> altering what goes in the task list. But currently I must give httpd_t
> complete access to cgroup_t files. I can use DAC effectively enough to
> limit access but without SELinux backing me up it makes me feel somewhat
> naked.
>
> As a matter of fact, I started patching libcgroup to support labelling
> cgroupfs without realizing this facility is unsupported! So I have about
> 70% of an effective patch to do this work properly within libcgroup too.
>
> I welcome peoples' thoughts on this idea.
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
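As an added illustration of the labelling scheme Matthew describes (this is not code from the thread; it assumes the type names httpd_cgroup_t and httpd_cgroup_task_t he proposes, a refpolicy-style toolchain, and a cgroupfs that can actually carry per-directory labels), a minimal SELinux policy module that confines httpd_t to its own cgroup subtree instead of granting it all of cgroup_t:

```selinux
# Constructed example for this thread, not part of any shipped policy.
# Build and load with:
#   checkmodule -M -m -o httpd_cgroup.mod httpd_cgroup.te
#   semodule_package -o httpd_cgroup.pp -m httpd_cgroup.mod
#   semodule -i httpd_cgroup.pp
policy_module(httpd_cgroup, 1.0)

require {
    type httpd_t;      # the Apache domain from the stock policy
    type cgroup_t;     # the blanket type cgroupfs carries today
}

# Directory nodes of the per-vhost cgroups apache may switch into.
type httpd_cgroup_t;
files_type(httpd_cgroup_t)

# The task-list files inside those cgroups, the only thing apache may write.
type httpd_cgroup_task_t;
files_type(httpd_cgroup_task_t)

# apache may traverse and list its own cgroup directories...
allow httpd_t httpd_cgroup_t:dir { search getattr open read };
# ...and add pids to its own task lists, but to no other cgroup's.
allow httpd_t httpd_cgroup_task_t:file { getattr open read write };

# Reaching the subtree still means crossing the cgroupfs root, which
# stays cgroup_t: grant search only, nothing readable or writable.
allow httpd_t cgroup_t:dir search;

# Deliberately absent: any rule letting httpd_t create, remove or
# relabel cgroups, so that stays an administrative (libcgroup) task.
```

The module only declares the types; applying them to paths needs either the xattr support the thread asks for (so chcon/setfiles work on cgroupfs) or a genfscon rule in the base policy, and a denial for httpd_t on cgroup_t in audit.log is then the signal that apache strayed outside its own subtree.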