Re: cgroup2 labeling question

On Mon, 20 Mar 2023 at 19:14, Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>
> > On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> >> Hmm...that's interesting. I just tried in Fedora using one of the
> >> type_transitions already defined in the default policy and although it
> >> appears to use the type_transition to compute the new SID for the
> >> create check, ls -Z of the file after creation showed it labeled
> >> cgroup_t instead. So it doesn't appear to be working or I am doing it
> >> wrong.
>
> I am totally confused now as well because Christian on IRC says it
> works for him but I cannot get it to work here and I tried various
> combinations.
>
> >
> > Reproducer, on F34,
> > $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
> > mkdir: cannot create directory ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
> > $ sudo ausearch -m AVC -ts recent -i
> > ----
> > type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc:  denied  { associate } for  pid=152325 comm=mkdir name=.snapshots scontext=unconfined_u:object_r:snapperd_data_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
> > $ seinfo --fs_use | grep cgroup
> > $ seinfo --genfscon | grep cgroup
> >    genfscon cgroup /  system_u:object_r:cgroup_t:s0
> >    genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
> > $ sesearch -T -s unconfined_t -t cgroup_t -c dir
> > type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
> > $ sudo setenforce 0
> > $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
> > $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
> > system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
>
> --
> gpg --locate-keys dominick.grift@xxxxxxxxxxx
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
> Dominick Grift

Debian sid (Linux debianBullseye 6.1.0-6-amd64 #1 SMP PREEMPT_DYNAMIC
Debian 6.1.15-1 (2023-03-05) x86_64 GNU/Linux):

# test type for directories created under cgroup2, together with the
# filesystem associate permission that the Fedora AVC above shows missing
# for snapperd_data_t on cgroup_t
type cgroup_test_t;
allow cgroup_test_t cgroup_t:filesystem associate;
# name-based transition: sysadm_t creating "testdir" in a cgroup_t
# directory gets cgroup_test_t
filetrans_pattern(sysadm_t, cgroup_t, cgroup_test_t, dir, "testdir")
allow sysadm_t cgroup_test_t:dir { create_dir_perms list_dir_perms };
allow sysadm_t cgroup_test_t:file getattr;


$ seinfo --all | grep cgroup
genfscon cgroup /  system_u:object_r:cgroup_t:s0
genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
genfscon proc /cgroups  system_u:object_r:proc_info_t:s0
cgroup_seclabel
cgroup_t
cgroup_test_t
systemd_cgroups_agent_exec_t
systemd_cgroups_agent_runtime_t
systemd_cgroups_agent_t


$ grep cgroup /etc/selinux/debian/contexts/files/file_contexts
/cgroup/.*              <<none>>
/sys/fs/cgroup/.*               <<none>>
/sys/fs/cgroup/[^/]+            -l      system_u:object_r:cgroup_t:s0
/cgroup         -d      system_u:object_r:cgroup_t:s0
/sys/fs/cgroup          -d      system_u:object_r:cgroup_t:s0
/usr/lib/systemd/systemd-cgroups-agent          --      system_u:object_r:systemd_cgroups_agent_exec_t:s0


$ mkdir /sys/fs/cgroup/system.slice/testdir
$ ls -laZ /sys/fs/cgroup/system.slice/testdir/
total 0
drwxr-x---.  2 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 .
drwxr-xr-x. 19 root root system_u:object_r:cgroup_t:s0  0 Mar 20 19:19 ..
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.controllers
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.events
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.freeze
--w-------.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.kill
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.max.depth
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.max.descendants
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.pressure
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.procs
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.stat
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.subtree_control
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.threads
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cgroup.type
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cpu.pressure
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 cpu.stat
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 io.pressure
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.current
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.events
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.events.local
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.high
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.low
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.max
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.min
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.numa_stat
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.oom.group
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.peak
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.pressure
--w-------.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.reclaim
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.stat
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.swap.current
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.swap.events
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.swap.high
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.swap.max
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.zswap.current
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 memory.zswap.max
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 pids.current
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 pids.events
-rw-r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 pids.max
-r--r--r--.  1 root root root:object_r:cgroup_test_t:s0 0 Mar 20 19:19 pids.peak
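As an added illustration, not code from either mail, here is a small Python model of the two policy decisions the two reproducers exercise on the create path: the name-based type_transition that selects the new type, and the filesystem `associate` check between that type and the superblock label, which is exactly the permission denied in the Fedora AVC above. The rule strings are constructed from the rules quoted in the thread; that filetrans_pattern() expands to a plain named type_transition, and that cgroup_t itself may associate with the cgroup2 superblock, are assumptions. It models only the policy side, not the kernel's post-create relabelling of the inode that the Fedora setenforce 0 run shows.

```python
import re
# Constructed fragments modelling the two mails (assumed: filetrans_pattern() expands to
# a named type_transition, and cgroup_t may associate with the cgroup2 superblock).
FEDORA_RULES = """
allow cgroup_t cgroup_t:filesystem associate;
type_transition unconfined_t cgroup_t:dir snapperd_data_t ".snapshots";
"""
DEBIAN_RULES = """
allow cgroup_t cgroup_t:filesystem associate;
allow cgroup_test_t cgroup_t:filesystem associate;
type_transition sysadm_t cgroup_t:dir cgroup_test_t "testdir";
"""
# Both policy-source syntax (quotes, semicolon) and sesearch -T output are accepted.
TT_RE = re.compile(r'^type_transition\s+(\S+)\s+(\S+):(\S+)\s+([^\s";]+)'
                   r'(?:\s+"?([^";\s]+)"?)?\s*;?$')
ALLOW_RE = re.compile(r'^allow\s+(\S+)\s+(\S+):(\S+)\s+\{?\s*([^};]*?)\s*\}?\s*;?$')

def parse_rules(text):
    """-> ([(stype, ttype, class, newtype, name|None)], [(stype, ttype, class, {perms})])"""
    tts, allows = [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := TT_RE.match(line):
            tts.append(m.groups())
        elif m := ALLOW_RE.match(line):
            s, t, c, perms = m.groups()
            allows.append((s, t, c, set(perms.split())))
    return tts, allows

def transition_type(tts, stype, parent_type, tclass, name):
    """Mirror security_transition_sid(): a rule naming the object beats an unnamed
    rule; with no matching rule the new inode keeps the parent directory's type."""
    newtype = parent_type
    for s, t, c, new, objname in tts:
        if (s, t, c) != (stype, parent_type, tclass):
            continue
        if objname == name:
            return new
        if objname is None:
            newtype = new
    return newtype

def may_create(policy_text, stype, parent_type, fs_type, name, tclass='dir'):
    """Pick the new type, then require `allow <newtype> <fs_type>:filesystem associate`
    (the permission the Fedora AVC above denied). Returns (new_type, allowed)."""
    tts, allows = parse_rules(policy_text)
    new = transition_type(tts, stype, parent_type, tclass, name)
    ok = any(s == new and t == fs_type and c == 'filesystem' and 'associate' in p
             for s, t, c, p in allows)
    return new, ok
```

Running may_create(FEDORA_RULES, 'unconfined_t', 'cgroup_t', 'cgroup_t', '.snapshots') yields ('snapperd_data_t', False), the Fedora denial, while the Debian test module yields ('cgroup_test_t', True) for "testdir".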
