On Mon, Mar 20, 2023 at 1:53 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> > Hmm...that's interesting. I just tried in Fedora using one of the
> > type_transitions already defined in the default policy and although it
> > appears to use the type_transition to compute the new SID for the
> > create check, ls -Z of the file after creation showed it labeled
> > cgroup_t instead. So it doesn't appear to be working or I am doing it
> > wrong.
>
> Reproducer, on F34,
> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
> mkdir: cannot create directory
> ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
> $ sudo ausearch -m AVC -ts recent -i
> ----
> type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc: denied {
> associate } for pid=152325 comm=mkdir name=.snapshots
> scontext=unconfined_u:object_r:snapperd_data_t:s0
> tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
> $ seinfo --fs_use | grep cgroup
> $ seinfo --genfscon | grep cgroup
> genfscon cgroup / system_u:object_r:cgroup_t:s0
> genfscon cgroup2 / system_u:object_r:cgroup_t:s0
> $ sesearch -T -s unconfined_t -t cgroup_t -c dir
> type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
> $ sudo setenforce 0
> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
> $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
> system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots

Unless systemd is coming along after file creation and relabeling it to
cgroup_t at that time.
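The AVC record in the reproducer above is easy to misread: for a filesystem `associate` denial the `scontext` is not the creating process but the label the kernel computed for the new inode (here `snapperd_data_t`, from the `type_transition`), and the `tcontext` is the label of the filesystem it would live on (`cgroup_t`, from `genfscon`). The following parser, an added example that is not part of this thread or of any SELinux project code, pulls the fields out of `ausearch -i` style lines, recognises that pattern, and prints the `allow` rule that the denial maps to. The first sample line is the thread's own denial re-joined onto one line; the second is a constructed `dir create` denial used only to show the ordinary case for contrast.

```python
import re

# avc: denied { perm perm } for key=value key=value ...
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# The denial quoted in the thread, joined back onto a single line.
THREAD_AVC = (
    "type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc: denied { associate } "
    "for pid=152325 comm=mkdir name=.snapshots "
    "scontext=unconfined_u:object_r:snapperd_data_t:s0 "
    "tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0"
)

# Constructed sample (not from the thread): an ordinary create denial on a dir,
# where scontext really is the creating process.
CONSTRUCTED_AVC = (
    "type=AVC msg=audit(03/20/2023 13:00:04.699:47157) : avc: denied { create } "
    "for pid=152325 comm=mkdir name=.snapshots "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
    "tcontext=unconfined_u:object_r:snapperd_data_t:s0 tclass=dir permissive=0"
)


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def is_fs_associate_denial(rec):
    """True when the denial is a filesystem association check, i.e. the computed
    label of a new inode is not allowed on the filesystem's label."""
    return (
        rec["verdict"] == "denied"
        and rec["tclass"] == "filesystem"
        and "associate" in rec["perms"]
    )


def suggested_allow_rules(rec):
    """The allow rule(s) whose absence produced this record (one per permission)."""
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    return [f"allow {src} {tgt}:{rec['tclass']} {p};" for p in rec["perms"]]


def explain(rec):
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    if is_fs_associate_denial(rec):
        return (
            f"{src} is the label computed for the new inode "
            f"(for example via type_transition), and policy does not allow it to be "
            f"associated with a filesystem labeled {tgt}"
        )
    return f"process {src} denied {' '.join(rec['perms'])} on {tgt}:{rec['tclass']}"


def parse_avc_log(text):
    """Parse every AVC record in a block of ausearch output, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in parse_avc_log(THREAD_AVC + "\n" + CONSTRUCTED_AVC):
        print(explain(rec))
        for rule in suggested_allow_rules(rec):
            print("  ", rule)
```

Note that the rule it prints for the thread's record, `allow snapperd_data_t cgroup_t:filesystem associate;`, is the permission the create path was missing; whether that is the right fix for a `genfscon`-labeled filesystem, given the relabel-after-creation behaviour observed in the thread, is exactly the question the message leaves open.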