Hi,

I was reading this pull request [1] and looked into how I might be able to implement this in policy, but there seem to be some technical difficulties.

* I already use genfscon to separate the systemd user.slice because the system manager delegates the user.slice to the user manager:

  (genfscon "cgroup2" "/user.slice" cgroupfile_context)

  In the past this proved to be racy, where systemd attempts to write before the object has the context associated with the genfscon. I decided to dontaudit attempts to write to the mislabeled object and it *seems* as if systemd retries until it can write it, i.e. when the object carries the expected label, and so that seems to work eventually, but it looks fragile.

* The challenge with the memory pressure implementation [2] is that these "memory.pressure" files end up in random locations under "/system.slice", for example:

  /sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure

  where in the above systemd-journald.service might be templated (systemd-journald@FOO.service). Point is that the path is random. genfscon does not support regex and glob. I can't do, for example:

  (genfscon "cgroup2" "/system.slice/.*/memory.pressure" cgroupfile_context)

  Fortunately cgroup2fs supports relabeling, but if systemd has to manually relabel the cgroup files then I would imagine that this is racy as well, and that does not really solve the underlying issue.

I am looking for ideas and suggestions.

[1] https://github.com/SELinuxProject/refpolicy/pull/607
[2] https://github.com/systemd/systemd/blob/main/docs/MEMORY_PRESSURE.md

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
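A check for the mislabeling risk described in the post above, added here as an example that is not part of the original message and not systemd's or refpolicy's code: it finds memory.pressure files under /system.slice, including those inside templated unit directories that a literal genfscon path cannot name, and reports any whose SELinux type is not the one the policy intends. The expected type name cgroupfile_t and the sample `ls -Z` lines are constructed assumptions.

```python
import os
import re
from typing import Iterable

# memory.pressure files sit under per-unit directories in /system.slice whose names
# are not fixed (templated units such as systemd-journald@FOO.service), which is why
# a single literal genfscon path cannot cover them.
MEMORY_PRESSURE_RE = re.compile(
    r"^/sys/fs/cgroup/system\.slice/(?:[^/]+/)*memory\.pressure$"
)

# Constructed sample in `ls -Z` format ("<context> <path>"); the type cgroupfile_t is a
# hypothetical stand-in for whatever type cgroupfile_context resolves to in the policy.
SAMPLE_LS_Z = """\
system_u:object_r:cgroupfile_t:s0 /sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-journald@FOO.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/memory.max
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/user.slice/user-1000.slice/memory.pressure
"""

def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] context, or "" if malformed."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else ""

def audit_listing(lines: Iterable[str], expected_type: str) -> list[tuple[str, str]]:
    """Parse `ls -Z`-style lines and return (path, context) for every memory.pressure
    file under /system.slice whose type differs from expected_type."""
    mislabeled = []
    for line in lines:
        context, _, path = line.strip().partition(" ")
        if not MEMORY_PRESSURE_RE.match(path):
            continue  # other cgroup files, or outside /system.slice
        if selinux_type(context) != expected_type:
            mislabeled.append((path, context))
    return mislabeled

def audit_live(expected_type: str, root: str = "/sys/fs/cgroup/system.slice"):
    """Same check against the running system, reading security.selinux via getxattr."""
    lines = []
    for dirpath, _, files in os.walk(root):
        if "memory.pressure" in files:
            path = os.path.join(dirpath, "memory.pressure")
            try:
                ctx = os.getxattr(path, "security.selinux").decode().rstrip("\0")
            except OSError as exc:
                ctx = f"unreadable:{exc.errno}"  # malformed on purpose, so it is reported
            lines.append(f"{ctx} {path}")
    return audit_listing(lines, expected_type)
```

On a live system call audit_live("cgroupfile_t") with a type name from your own policy; the same listing can also be produced with `find /sys/fs/cgroup/system.slice -name memory.pressure -exec ls -Z {} +` and fed to audit_listing.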