Discussion:
About commit 901ef845fa2469c ("selinux: allow per-file labeling for cgroupfs")
Waiman Long
2017-10-06 17:53:07 UTC
Antonio,

I have a question about your 4.14 upstream commit 901ef845fa2469c
("selinux: allow per-file labeling for cgroupfs"). With that, I am no
longer able to mount the cgroup2 filesystem with a 4.14 kernel. The
problem is that your commit sets the SE_SBGENFS flag, which causes
selinux to look up the genfs database for a filesystem type match.
However, the filesystem type "cgroup2" isn't in the genfs database in my
RHEL7 based test system. The "cgroup" filesystem type is in the genfs database,
so I have no problem with v1 cgroup mount.

Do you know where the genfs database is defined? I need some way to add cgroup2
as a valid genfs fstype, or I have to manually back out the commit in order to
do my cgroup2 testing.

Thanks,
Longman
Stephen Smalley
2017-10-10 14:06:52 UTC
Post by Waiman Long
Antonio,
I have a question about your 4.14 upstream commit 901ef845fa2469c
("selinux: allow per-file labeling for cgroupfs"). With that, I am no
longer able to mount the cgroup2 filesystem with a 4.14 kernel. The
problem is that your commit sets the SE_SBGENFS flag, which causes
selinux to look up the genfs database for a filesystem type match.
However, the filesystem type "cgroup2" isn't in the genfs database in my
RHEL7 based test system. The "cgroup" filesystem type is in the genfs database,
so I have no problem with v1 cgroup mount.
Do you know where the genfs database is defined? I need some way to add cgroup2
as a valid genfs fstype, or I have to manually back out the commit in order to
do my cgroup2 testing.
It is part of the policy; you could add it via a policy module ala:
$ cat cgroup2.cil
(genfscon cgroup2 / (system_u object_r cgroup_t ((s0) (s0))))

$ sudo semodule -i cgroup2.cil

That said, the fact that you can't even mount it without that is
arguably a bug/regression. I guess this is due to the ENOENT from
security_genfs_sid being propagated all the way up instead of just
leaving it unlabeled and permitting the mount to proceed.
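The two behaviours Stephen contrasts above, as an added example that is not part of the thread and not kernel code: a small model of the genfs lookup (longest matching path prefix for a given filesystem type, -ENOENT when the type is missing from the policy), the mount-time path that propagates that error, and the alternative that leaves the root inode unlabeled and lets the mount proceed. The genfs table, the SID values, the SECINITSID_UNLABELED constant and the genfs_add() helper that stands in for "semodule -i cgroup2.cil" are all assumptions made for illustration.

```c
/* Model of the genfs lookup discussed in the thread. Added example, not
 * kernel code; table contents, SIDs and function names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SECINITSID_UNLABELED 3u   /* assumed value, named after the kernel's initial SID */

/* One genfscon rule: filesystem type, path prefix, resulting SID. */
struct genfs_entry {
    const char *fstype;
    const char *path;
    unsigned int sid;
};

/* Constructed policy fragment mirroring the thread: "cgroup" has a
 * genfscon rule, "cgroup2" does not. SID numbers are made up. */
static struct genfs_entry genfs_db[16] = {
    { "cgroup", "/",           100 },
    { "proc",   "/",           200 },
    { "proc",   "/sys/kernel", 201 },
};
static size_t genfs_db_len = 3;

/* Stand-in for loading a CIL module that adds a genfscon rule. */
int genfs_add(const char *fstype, const char *path, unsigned int sid)
{
    if (genfs_db_len >= sizeof(genfs_db) / sizeof(genfs_db[0]))
        return -ENOSPC;
    genfs_db[genfs_db_len++] = (struct genfs_entry){ fstype, path, sid };
    return 0;
}

/* Model of security_genfs_sid(): the longest path prefix registered for
 * fstype wins. Returns 0 and sets *sid, or -ENOENT when the fstype has no
 * rule at all or no rule matches the path. */
int genfs_sid(const char *fstype, const char *path, unsigned int *sid)
{
    size_t best_len = 0;
    int found = 0;

    for (size_t i = 0; i < genfs_db_len; i++) {
        const struct genfs_entry *e = &genfs_db[i];
        size_t len = strlen(e->path);

        if (strcmp(e->fstype, fstype) != 0)
            continue;
        if (strncmp(e->path, path, len) == 0 && len >= best_len) {
            best_len = len;
            *sid = e->sid;
            found = 1;
        }
    }
    return found ? 0 : -ENOENT;
}

/* Convenience wrapper: SID of the match, or 0 when the lookup fails. */
unsigned int genfs_lookup(const char *fstype, const char *path)
{
    unsigned int sid = 0;
    return genfs_sid(fstype, path, &sid) == 0 ? sid : 0;
}

struct label_result {
    int rc;            /* what mount(2) would see: 0 or a negative errno */
    unsigned int sid;  /* SID assigned to the root inode when rc == 0 */
};

/* Label the root of a freshly mounted genfs superblock.
 *   fallback_to_unlabeled == 0: propagate the lookup error (the regression
 *     described in the thread: mount fails with ENOENT).
 *   fallback_to_unlabeled != 0: treat a missing rule as "unlabeled" and let
 *     the mount proceed (the behaviour Stephen argues for). */
struct label_result label_sb(const char *fstype, int fallback_to_unlabeled)
{
    struct label_result r = { 0, 0 };

    r.rc = genfs_sid(fstype, "/", &r.sid);
    if (r.rc == -ENOENT && fallback_to_unlabeled) {
        r.sid = SECINITSID_UNLABELED;
        r.rc = 0;
    }
    return r;
}

int main(void)
{
    const char *types[] = { "cgroup", "cgroup2" };

    for (int i = 0; i < 2; i++) {
        struct label_result p = label_sb(types[i], 0);
        struct label_result f = label_sb(types[i], 1);
        printf("%-8s propagate: rc=%d (%s)\n", types[i], p.rc,
               p.rc ? strerror(-p.rc) : "ok");
        printf("%-8s fallback : rc=%d sid=%u\n", types[i], f.rc, f.sid);
    }

    /* Equivalent of installing the cgroup2.cil module from the thread. */
    genfs_add("cgroup2", "/", 100);
    printf("cgroup2 after genfs_add: sid=%u\n", genfs_lookup("cgroup2", "/"));
    return 0;
}
```

The propagate case reproduces the symptom Waiman saw: a policy with no "cgroup2" genfscon turns the lookup's -ENOENT into a failed mount. The fallback case shows the superblock still getting mounted with an unlabeled root, and genfs_add() shows why the CIL workaround fixes it: once a rule exists for the type, the lookup succeeds either way.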
Waiman Long
2017-10-10 14:05:17 UTC
Post by Stephen Smalley
Post by Waiman Long
Antonio,
I have a question about your 4.14 upstream commit 901ef845fa2469c
("selinux: allow per-file labeling for cgroupfs"). With that, I am no
longer able to mount the cgroup2 filesystem with a 4.14 kernel. The
problem is that your commit sets the SE_SBGENFS flag, which causes
selinux to look up the genfs database for a filesystem type match.
However, the filesystem type "cgroup2" isn't in the genfs database in my
RHEL7 based test system. The "cgroup" filesystem type is in the genfs database,
so I have no problem with v1 cgroup mount.
Do you know where the genfs database is defined? I need some way to add cgroup2
as a valid genfs fstype, or I have to manually back out the commit in order to
do my cgroup2 testing.
$ cat cgroup2.cil
(genfscon cgroup2 / (system_u object_r cgroup_t ((s0) (s0))))
$ sudo semodule -i cgroup2.cil
Thanks for the workaround. I will try that next time.
Post by Stephen Smalley
That said, the fact that you can't even mount it without that is
arguably a bug/regression. I guess this is due to the ENOENT from
security_genfs_sid being propagated all the way up instead of just
leaving it unlabeled and permitting the mount to proceed.
Yes, the mount command got the ENOENT error and printed a confusing
message.

Cheers,
Longman
