fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow cgred_t to get attributes of cgroup filesystems #2060

Closed naokitnk closed 4 months ago

naokitnk commented 4 months ago

Need to allow cgred_t to get attributes of cgroup filesystems, as the libcgroup package adds support for systemd.

FYI, below is the denial this commit addresses:

type=AVC msg=audit(1704959348.276:880): avc: denied { getattr } for pid=4938 comm="cgrulesengd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0

This is observed with libcgroup v3.1.0, which added support for systemd:

https://github.com/libcgroup/libcgroup/tree/release-3.1

zpytela commented 4 months ago

@naokitnk I see the denial was caught in selinux enforcing, is getattr sufficient?

naokitnk commented 4 months ago

> @naokitnk I see the denial was caught in selinux enforcing, is getattr sufficient?

Yes, getattr is sufficient. No further related denials are observed once that permission is granted.

zpytela commented 4 months ago

Thank you, merging.
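The check a reviewer does on a request like this is to map the AVC record back to the exact rule it asks for, so that the permission being granted (here `getattr` on the `filesystem` class, i.e. the statfs-style access on the cgroup mount, not `getattr` on `dir` or `file` inodes under it) is as narrow as the denial. The script below is an added example, not code from the selinux-policy PR, from libcgroup, or from audit2allow; it derives the TE allow rule for a single AVC record the way `audit2allow` would, using the denial quoted above as its constructed sample input. Function names (`avc_field`, `avc_perms`, `ctx_type`, `avc_to_allow`, `avc_mode`) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the selinux-policy PR or of libcgroup:
# turn one AVC denial record into the TE allow rule it calls for,
# the way `audit2allow` does, and report whether the denial was
# actually enforced (permissive=0) or only logged (permissive=1).

# Constructed sample: the denial quoted in the PR, verbatim.
SAMPLE_AVC='type=AVC msg=audit(1704959348.276:880): avc: denied { getattr } for pid=4938 comm="cgrulesengd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0'

# avc_field RECORD KEY: value of a whitespace-delimited KEY=value field
# (scontext, tcontext, tclass, permissive, ...). Anchoring on the
# preceding blank keeps "scontext" from matching inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms RECORD: the permission set inside "denied { ... }",
# space separated, without surrounding blanks.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*avc: *denied *{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow RECORD: the TE rule audit2allow would emit for it, e.g.
# "allow cgred_t cgroup_t:filesystem getattr;". Several permissions are
# wrapped in braces, as TE syntax requires.
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    case "$perms" in
        *' '*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_mode RECORD: "enforcing" when permissive=0 (the access was blocked),
# "permissive" when it was only logged.
avc_mode() {
    case "$(avc_field "$1" permissive)" in
        0) echo enforcing ;;
        1) echo permissive ;;
        *) echo unknown ;;
    esac
}

avc_to_allow "$SAMPLE_AVC"
avc_mode "$SAMPLE_AVC"
```

For the record above this prints `allow cgred_t cgroup_t:filesystem getattr;` and `enforcing`, which is the whole of what the PR grants. A raw `allow` line is what audit2allow prints; in refpolicy-style sources such as this repository the same access is normally expressed through the filesystem module's interface rather than a raw rule (the page does not show which interface the merged commit used). After installing the updated policy, `sesearch -A -s cgred_t -t cgroup_t -c filesystem -p getattr` confirms the rule is present in the loaded policy, and `ausearch -m AVC -c cgrulesengd` should then come back empty for this access, which is the "no further related denials" check the reporter describes.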