I believe in the Tom Sawyer method of writing code. Suggest a neat idea and wait for someone else to "whitewash the fence", i.e. write the patches.

On 01/18/2017 02:26 PM, Paul Moore wrote:
> On Tue, Jan 17, 2017 at 10:51 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On Tue, 2017-01-17 at 10:34 -0500, Daniel J Walsh wrote:
>>> In order to allow processes to modify the cgroup hierarchy in a
>>> container from an SELinux point of view, we need to allow read/write
>>> access to cgroup_t, which means that a container process could break out
>>> and modify all cgroups. We want to allow them to only modify the portion
>>> of the hierarchy handed to them.
>>>
>>> Would be a nice security improvement for docker.
>> Probably as easy as adding cgroup to the list of filesystem types that
>> use genfscon but also support setxattr (like sysfs) in
>> selinux_is_sblabel_mnt() in security/selinux/hooks.c. sysfs and cgroup
>> are both implemented on top of kernfs in modern kernels, so they should
>> both support proper setting of security labels.
> .. and a test should be added to the selinux-testsuite.
>
> Come on Dan, you know you want to write some more kernel code ;)
>
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
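The change Stephen sketches above (adding cgroup to the genfscon-but-setxattr-capable list in selinux_is_sblabel_mnt()) is small, but the security effect is easy to reason about with a model you can run. The block below is an added example written for this page; it is not the thread's patch and not the kernel's code. It re-implements the predicate's decision logic in user space on plain values: the FS_USE_* names mirror the kernel's SECURITY_FS_USE_* labeling behaviours, "sysfs" is the filesystem the thread names as already in the list, and "cgroup"/"cgroup2" are the additions the thread proposes (cgroup2 is this example's assumption, since a modern kernel can mount either). The before/after helpers show the one behavioural difference a testsuite case would have to check: whether a container's cgroup subtree can be relabeled at all.

```c
/* User-space model (added example, not kernel code) of the decision made by
 * selinux_is_sblabel_mnt() in security/selinux/hooks.c: is this superblock
 * one on which individual inodes may carry their own SELinux label, i.e.
 * may setxattr("security.selinux") succeed on it?  In the kernel the input
 * is a struct super_block; here it is a labeling behaviour plus the
 * filesystem type name, so the logic can be exercised outside the kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Labeling behaviours assigned by policy fs_use_* / genfscon statements
 * (names mirror the kernel's SECURITY_FS_USE_* constants). */
enum fs_use_behavior {
    FS_USE_NONE,     /* no labeling support */
    FS_USE_XATTR,    /* label stored in security.selinux xattr (ext4, xfs) */
    FS_USE_TRANS,    /* label computed by type transition (devpts, tmpfs) */
    FS_USE_TASK,     /* label taken from the creating task (pipefs, sockfs) */
    FS_USE_GENFS,    /* label assigned by genfscon path prefixes (proc, sysfs, cgroup) */
    FS_USE_MNTPOINT, /* single label fixed by mount option (context=) */
    FS_USE_NATIVE,   /* filesystem maintains labels itself */
};

/* genfscon-labeled filesystems that additionally have an in-core setxattr
 * handler, so per-node relabeling must be allowed for them.  These are
 * the "special handling" entries the thread talks about adding to. */
static const char *const genfs_setxattr_before[] = { "sysfs" };
static const char *const genfs_setxattr_after[]  = { "sysfs", "cgroup", "cgroup2" };

/* Model of the predicate: true when inodes on this superblock may be
 * labeled individually.  Mirrors the kernel's shape: the behaviour check
 * is OR'ed with a by-name check for the special-handling filesystems. */
static bool is_sblabel_mnt(enum fs_use_behavior behavior, const char *fstype,
                           const char *const *genfs_setxattr, size_t n)
{
    if (behavior == FS_USE_XATTR || behavior == FS_USE_TRANS ||
        behavior == FS_USE_TASK  || behavior == FS_USE_NATIVE)
        return true;

    /* Special handling: genfs but also supports setxattr. */
    for (size_t i = 0; i < n; i++)
        if (strcmp(fstype, genfs_setxattr[i]) == 0)
            return true;

    return false;
}

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Before the proposed change: a cgroup mount is genfs-only, so the kernel's
 * setxattr hook refuses security.selinux on it.  The only way to let a
 * container manage its subtree is broad write access to cgroup_t, which
 * covers the whole hierarchy. */
bool cgroup_relabel_allowed_before(void)
{
    return is_sblabel_mnt(FS_USE_GENFS, "cgroup",
                          genfs_setxattr_before, ARRAY_LEN(genfs_setxattr_before));
}

/* After the proposed change: the subtree handed to a container can be
 * relabeled to a per-container type, so policy can grant write access to
 * that type only. */
bool cgroup_relabel_allowed_after(void)
{
    return is_sblabel_mnt(FS_USE_GENFS, "cgroup",
                          genfs_setxattr_after, ARRAY_LEN(genfs_setxattr_after));
}

/* Controls: sysfs is relabelable in both states; proc, which has no
 * setxattr handler for security labels, stays genfs-only in both. */
bool sysfs_relabel_allowed(void)
{
    return is_sblabel_mnt(FS_USE_GENFS, "sysfs",
                          genfs_setxattr_after, ARRAY_LEN(genfs_setxattr_after));
}

bool proc_relabel_allowed(void)
{
    return is_sblabel_mnt(FS_USE_GENFS, "proc",
                          genfs_setxattr_after, ARRAY_LEN(genfs_setxattr_after));
}
```

The model deliberately leaves the superblock mechanics out: in the kernel the result of this predicate is recorded as a flag on the superblock's security struct at mount time, and the inode setxattr hook consults that flag before it checks relabelfrom/relabelto permissions, which is why a cgroup mount on an unpatched kernel rejects a security.selinux write outright rather than failing on policy. The corresponding selinux-testsuite check would mount a cgroup hierarchy, attempt a relabel of a subdirectory, and expect success on a patched kernel and an "operation not supported" style failure otherwise, with the proc control confirming that unrelated genfs mounts are unaffected.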