git.ipfire.org Git - thirdparty/systemd.git/commit

Fix SELinux labels in cgroup filesystem root directory (#7496)

When using SELinux with legacy cgroups the tmpfs on /sys/fs/cgroup is by
default labelled as tmpfs_t. This label is also inherited by the "cpu"
and "cpuacct" symbolic links. Unfortunately the policy expects them to
be labelled as cgroup_t, which is used for all the actual cgroup
filesystems. Failure to do so results in a stream of denials.

This state cannot be fixed reliably when the cgroup filesystem structure
is set-up as the SELinux policy is not yet loaded at this
moment. It also cannot be fixed later as the root of the cgroup
filesystem is remounted read-only. In order to fix it the root of the
cgroup filesystem needs to be temporary remounted read-write, relabelled
and remounted back read-only.

author	Krzysztof Nowicki <krzysztof.a.nowicki+github@gmail.com>
	Thu, 30 Nov 2017 10:59:29 +0000 (11:59 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Thu, 30 Nov 2017 10:59:29 +0000 (11:59 +0100)
commit	8739f23e3c26bbf8b0296421578e56daa63cbf4b
tree	cde4525429be85fe9f19490c09d7dd322a9182dc	tree \| snapshot
parent	949befd3f09e8c06a908ec99efd241666c21d944	commit \| diff