Re: cgroup2 labeling question

On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> Hmm...that's interesting. I just tried in Fedora using one of the
> type_transitions already defined in the default policy and although it
> appears to use the type_transition to compute the new SID for the
> create check, ls -Z of the file after creation showed it labeled
> cgroup_t instead. So it doesn't appear to be working or I am doing it
> wrong.

Reproducer, on F34,
$ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
mkdir: cannot create directory ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
$ sudo ausearch -m AVC -ts recent -i
----
type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc:  denied  { associate } for  pid=152325 comm=mkdir name=.snapshots scontext=unconfined_u:object_r:snapperd_data_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
$ seinfo --fs_use | grep cgroup
$ seinfo --genfscon | grep cgroup
   genfscon cgroup /  system_u:object_r:cgroup_t:s0
   genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
$ sesearch -T -s unconfined_t -t cgroup_t -c dir
type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
$ sudo setenforce 0
$ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
$ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
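As an added example (not part of the post and not a tool from the SELinux project), the following Python snippet parses the interpreted `ausearch -i` AVC line from the reproducer above and turns it into the equivalent `allow` statement plus a one-line reading of the denial. The point worth seeing is that for `tclass=filesystem` with `{ associate }` the kernel's source context is the label the new inode would receive (here `snapperd_data_t`, from the `type_transition`), not the label of the process, while the target context is the label of the filesystem itself (`cgroup_t`). The `SAMPLE_AVC` string is copied from the post; `parse_avc`, `to_allow_rule` and `explain` are names chosen for this example.

```python
import re
from dataclasses import dataclass

# AVC record taken from the reproducer above, joined onto one logical line.
SAMPLE_AVC = (
    "type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc:  denied  { associate } "
    "for  pid=152325 comm=mkdir name=.snapshots "
    "scontext=unconfined_u:object_r:snapperd_data_t:s0 "
    "tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0"
)

# "avc:  denied  { associate }" -> decision and the permission list in braces
_DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values such as comm/name may be quoted in raw (non -i) output
_KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


@dataclass
class AvcRecord:
    decision: str          # "denied" or "granted"
    perms: list            # permissions inside the braces
    fields: dict           # scontext, tcontext, tclass, permissive, comm, ...

    @staticmethod
    def _type_of(context):
        # user:role:type[:range] -> type
        return context.split(":")[2]

    @property
    def source_type(self):
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self):
        return self._type_of(self.fields["tcontext"])

    @property
    def tclass(self):
        return self.fields["tclass"]

    @property
    def enforced(self):
        # permissive=1 means the denial was logged but the operation went ahead
        return self.decision == "denied" and self.fields.get("permissive") == "0"


def parse_avc(line):
    """Parse one AVC line; raise ValueError if it is not an AVC record."""
    m = _DECISION_RE.search(line)
    if not m:
        raise ValueError("not an AVC decision line")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"AVC line lacks {required}=")
    return AvcRecord(m.group(1), m.group(2).split(), fields)


def to_allow_rule(rec):
    """Equivalent policy statement, in the style audit2allow would print."""
    perms = rec.perms[0] if len(rec.perms) == 1 else "{ " + " ".join(rec.perms) + " }"
    return f"allow {rec.source_type} {rec.target_type}:{rec.tclass} {perms};"


def explain(rec):
    """Human-readable reading of the denial, special-casing filesystem associate."""
    if rec.tclass == "filesystem" and "associate" in rec.perms:
        # For the associate check the source SID is the new object's label
        # (e.g. the result of a type_transition) and the target SID is the
        # label of the filesystem the object is being created on.
        return (f"an object that would be labeled {rec.source_type} may not be "
                f"created on a filesystem labeled {rec.target_type}")
    return (f"{rec.source_type} was {rec.decision} {{ {' '.join(rec.perms)} }} "
            f"on {rec.tclass} labeled {rec.target_type}")


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(explain(rec))
    print(to_allow_rule(rec))
    print("enforced:", rec.enforced)
```

Run it directly to print the reading of the denial from the post; feeding it other `ausearch -m AVC -i` lines works the same way, and `enforced` distinguishes a blocked operation from one merely logged under `setenforce 0`.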