Re: cgroup2 labeling question

Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:

> On Mon, Mar 20, 2023 at 1:53 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
>>
>> On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
>> <stephen.smalley.work@xxxxxxxxx> wrote:
>> > Hmm...that's interesting. I just tried in Fedora using one of the
>> > type_transitions already defined in the default policy and although it
>> > appears to use the type_transition to compute the new SID for the
>> > create check, ls -Z of the file after creation showed it labeled
>> > cgroup_t instead. So it doesn't appear to be working or I am doing it
>> > wrong.
>>
>> Reproducer, on F34,
>> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>> mkdir: cannot create directory
>> ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
>> $ sudo ausearch -m AVC -ts recent -i
>> ----
>> type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc:  denied  {
>> associate } for  pid=152325 comm=mkdir name=.snapshots
>> scontext=unconfined_u:object_r:snapperd_data_t:s0
>> tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
>> $ seinfo --fs_use | grep cgroup
>> $ seinfo --genfscon | grep cgroup
>>    genfscon cgroup /  system_u:object_r:cgroup_t:s0
>>    genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
>> $ sesearch -T -s unconfined_t -t cgroup_t -c dir
>> type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
>> $ sudo setenforce 0
>> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>> $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
>> system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
>
> Unless systemd is coming along after file creation and relabeling it
> to cgroup_t at that time.

That wouldn't make sense to me, but yes, I considered that as well. Ruled
it out without actually confirming it. I actually added a rule:

auditallow domain cgroup_t:dir create;

and that also does not show grants for all the dirs in /sys/fs/cgroup
(just some)

voodoo

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
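As an added example (not code from this thread or from any SELinux project), the shell functions below pull the fields out of an AVC record of the kind quoted in the reproducer and, when the denial is `filesystem:associate`, print the `sesearch` query that confirms the gap and the allow rule the denial literally asks for. The sample record is copied from the reproducer above; the function and variable names are this example's own. Note that the printed rule is what the AVC says is missing, not necessarily the right fix: the thread's own observation is that on a genfscon-labeled filesystem the created directory ends up labeled cgroup_t regardless of the type_transition.

```shell
#!/bin/sh
# Added example: parse an AVC record and explain a filesystem:associate
# denial. Only text processing; nothing here touches the loaded policy.

# Sample record, copied from the reproducer quoted in this thread.
AVC_LINE='type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc:  denied  { associate } for  pid=152325 comm=mkdir name=.snapshots scontext=unconfined_u:object_r:snapperd_data_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0'

# avc_field LINE NAME -> value of the "NAME=value" token in LINE
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission list between "{" and "}" (space separated)
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# avc_result LINE -> "denied" or "granted"
avc_result() {
    printf '%s\n' "$1" | sed -n 's/.*avc:[[:space:]]*\([a-z]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_is_associate LINE -> true if the record is a filesystem:associate check
avc_is_associate() {
    [ "$(avc_field "$1" tclass)" = filesystem ] &&
    [ "$(avc_perms "$1")" = associate ]
}

# avc_allow_rule LINE -> the allow rule that would cover exactly this denial
avc_allow_rule() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# avc_explain LINE -> short reading of an associate denial, with the
# sesearch query (setools) that confirms the rule is absent from the policy
avc_explain() {
    if avc_is_associate "$1"; then
        stype=$(ctx_type "$(avc_field "$1" scontext)")
        ttype=$(ctx_type "$(avc_field "$1" tcontext)")
        printf 'new file would be labeled %s, filesystem is labeled %s;\n' \
            "$stype" "$ttype"
        printf 'confirm with: sesearch -A -s %s -t %s -c filesystem -p associate\n' \
            "$stype" "$ttype"
        printf 'missing rule:  %s\n' "$(avc_allow_rule "$1")"
    else
        printf 'not a filesystem:associate denial\n'
    fi
}

avc_explain "$AVC_LINE"
```

Feed it the output of `ausearch -m AVC -ts recent -i` one line at a time; the `scontext` of an associate denial is the label the kernel computed for the new inode (here via the `snapperd_data_t` type_transition), and the `tcontext` is the filesystem's own label from `genfscon`.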