On Tue, 2017-01-17 at 10:34 -0500, Daniel J Walsh wrote:
> In order to allow processes to modify the cgroup hierarchy in a
> container from an SELinux point of view, we need to allow read/write
> access to cgroup_t, which means that a container process could break out
> and modify all cgroups; we want to allow them to only modify the portion
> of the hierarchy handed to them.
>
> Would be a nice security improvement for docker.

Probably as easy as adding cgroup to the list of filesystem types that
use genfscon but also support setxattr (like sysfs) in
selinux_is_sblabel_mnt() in security/selinux/hooks.c. sysfs and cgroup
are both implemented on top of kernfs in modern kernels, so they should
both support proper setting of security labels.
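The decision the reply points at, modelled in user space as an added example (not code from the kernel or from either poster): selinux_is_sblabel_mnt() answers whether a mount supports explicit per-inode relabelling, and the proposed fix is one extra entry in its genfscon-exception list. The struct layouts, enum names and the fs_is_kernfs_labelable() helper are simplified stand-ins for the kernel's own definitions in security/selinux/hooks.c.

```c
/* Added example: user-space model of the selinux_is_sblabel_mnt() check.
 * Layouts and names below are simplified assumptions, not the kernel's. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* How SELinux assigns labels to inodes on a mount (simplified). */
enum fs_use_behavior {
    FS_USE_XATTR,   /* labels stored in security.selinux xattrs (ext4, xfs) */
    FS_USE_TRANS,   /* label derived by type transition (tmpfs, devpts) */
    FS_USE_TASK,    /* label taken from the creating task (pipefs, sockfs) */
    FS_USE_NATIVE,  /* filesystem supplies labels itself */
    FS_USE_GENFS,   /* labels from genfscon path rules (proc, sysfs, cgroup) */
};

struct superblock {
    const char *fs_type;           /* stands in for sb->s_type->name */
    enum fs_use_behavior behavior; /* stands in for sbsec->behavior */
};

/* genfscon-labelled filesystems that nonetheless back a setxattr handler
 * (they sit on kernfs), so relabelling individual inodes must be allowed.
 * The proposed change is simply to add "cgroup" to this list. */
static bool fs_is_kernfs_labelable(const char *name, bool with_cgroup)
{
    static const char *const always[] = {
        "sysfs", "pstore", "debugfs", "tracefs", "rootfs"
    };
    for (size_t i = 0; i < sizeof(always) / sizeof(always[0]); i++)
        if (strcmp(name, always[i]) == 0)
            return true;
    return with_cgroup && strcmp(name, "cgroup") == 0;
}

/* May a process set an explicit security label on an inode of this mount?
 * with_cgroup=false models the current kernel, true the proposed fix. */
bool is_sblabel_mnt(const struct superblock *sb, bool with_cgroup)
{
    switch (sb->behavior) {
    case FS_USE_XATTR:
    case FS_USE_TRANS:
    case FS_USE_TASK:
    case FS_USE_NATIVE:
        return true;
    case FS_USE_GENFS:
        /* Special handling: genfs, but with an in-core setxattr handler. */
        return fs_is_kernfs_labelable(sb->fs_type, with_cgroup);
    }
    return false;
}
```

With the entry present, a container runtime can chcon the cgroup subtree it hands to a container to a distinct type instead of granting write access to all of cgroup_t.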