| Message ID | 20170209155823.22148-1-runcom@redhat.com |
|---|---|
| State | Not Applicable |
On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com> wrote:
> This patch allows genfscon per-file labeling for cgroupfs. For instance,
> this allows labeling the "release_agent" file within each
> cgroup mount and limiting writes to it.
>
> Signed-off-by: Antonio Murdaca <runcom@redhat.com>
> ---
>  security/selinux/hooks.c | 2 ++
>  1 file changed, 2 insertions(+)

Now that the merge window is behind us, let's get this merged, but could you update it to use the selinux_policycap_cgroupseclabel policy capability? See 2651225b5ebcdde ("selinux: wrap cgroup seclabel support with its own policy capability") for more information.

Also, how goes the testing?

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 9a8f12f..5a3138e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>
>  if (!strcmp(sb->s_type->name, "debugfs") ||
>  !strcmp(sb->s_type->name, "sysfs") ||
> + !strcmp(sb->s_type->name, "cgroup") ||
> + !strcmp(sb->s_type->name, "cgroup2") ||
>  !strcmp(sb->s_type->name, "pstore"))
>  sbsec->flags |= SE_SBGENFS;
>
> --
> 2.9.3
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote:
> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com> wrote:
> >
> > This patch allows genfscon per-file labeling for cgroupfs. For instance,
> > this allows labeling the "release_agent" file within each
> > cgroup mount and limiting writes to it.
> >
> > Signed-off-by: Antonio Murdaca <runcom@redhat.com>
> > ---
> >  security/selinux/hooks.c | 2 ++
> >  1 file changed, 2 insertions(+)
>
> Now that the merge window is behind us, let's get this merged, but
> could you update it to use the selinux_policycap_cgroupseclabel policy
> capability? See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
> support with its own policy capability") for more information.

I don't think that is necessary. This change, unlike the other one, should not yield any difference in behavior with existing policy; it just allows one to specify fine-grained labeling for cgroup nodes in future policy. It doesn't affect any userspace interface.

> Also, how goes the testing?
>
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 9a8f12f..5a3138e 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
> >
> >  if (!strcmp(sb->s_type->name, "debugfs") ||
> >  !strcmp(sb->s_type->name, "sysfs") ||
> > + !strcmp(sb->s_type->name, "cgroup") ||
> > + !strcmp(sb->s_type->name, "cgroup2") ||
> >  !strcmp(sb->s_type->name, "pstore"))
> >  sbsec->flags |= SE_SBGENFS;
> >
> > --
> > 2.9.3
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
On Fri, Mar 10, 2017 at 3:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote:
>> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com> wrote:
>> >
>> > This patch allows genfscon per-file labeling for cgroupfs. For instance,
>> > this allows labeling the "release_agent" file within each
>> > cgroup mount and limiting writes to it.
>> >
>> > Signed-off-by: Antonio Murdaca <runcom@redhat.com>
>> > ---
>> >  security/selinux/hooks.c | 2 ++
>> >  1 file changed, 2 insertions(+)
>>
>> Now that the merge window is behind us, let's get this merged, but
>> could you update it to use the selinux_policycap_cgroupseclabel policy
>> capability? See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
>> support with its own policy capability") for more information.
>
> I don't think that is necessary. This change, unlike the other one,
> should not yield any difference in behavior with existing policy; it
> just allows one to specify fine-grained labeling for cgroup nodes in
> future policy. It doesn't affect any userspace interface.

Yes, I thought about that, and if the policy capability was already present in a released kernel then I wouldn't worry about it much, but since the policy capability still only lives in the v4.11-rcX kernels I'd prefer to see this code wrapped with the policy capability ... even if all it really does is give me that warm fuzzy feeling.

>> Also, how goes the testing?
>>
>> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> > index 9a8f12f..5a3138e 100644
>> > --- a/security/selinux/hooks.c
>> > +++ b/security/selinux/hooks.c
>> > @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>> >
>> >  if (!strcmp(sb->s_type->name, "debugfs") ||
>> >  !strcmp(sb->s_type->name, "sysfs") ||
>> > + !strcmp(sb->s_type->name, "cgroup") ||
>> > + !strcmp(sb->s_type->name, "cgroup2") ||
>> >  !strcmp(sb->s_type->name, "pstore"))
>> >  sbsec->flags |= SE_SBGENFS;
>> >
>> > --
>> > 2.9.3
>> >
>> > _______________________________________________
>> > Selinux mailing list
>> > Selinux@tycho.nsa.gov
>> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
On Fri, Mar 10, 2017 at 3:21 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Mar 10, 2017 at 3:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote:
>>> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com> wrote:
>>> >
>>> > This patch allows genfscon per-file labeling for cgroupfs. For instance,
>>> > this allows labeling the "release_agent" file within each
>>> > cgroup mount and limiting writes to it.
>>> >
>>> > Signed-off-by: Antonio Murdaca <runcom@redhat.com>
>>> > ---
>>> >  security/selinux/hooks.c | 2 ++
>>> >  1 file changed, 2 insertions(+)
>>>
>>> Now that the merge window is behind us, let's get this merged, but
>>> could you update it to use the selinux_policycap_cgroupseclabel policy
>>> capability? See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
>>> support with its own policy capability") for more information.
>>
>> I don't think that is necessary. This change, unlike the other one,
>> should not yield any difference in behavior with existing policy; it
>> just allows one to specify fine-grained labeling for cgroup nodes in
>> future policy. It doesn't affect any userspace interface.
>
> Yes, I thought about that, and if the policy capability was already
> present in a released kernel then I wouldn't worry about it much, but
> since the policy capability still only lives in the v4.11-rcX kernels
> I'd prefer to see this code wrapped with the policy capability ...
> even if all it really does is give me that warm fuzzy feeling.

FWIW, I just decided I didn't care that much about the policy capability restriction for this patch and went ahead and merged it into selinux/next.
Thanks

On Aug 22, 2017 21:47, "Paul Moore" <paul@paul-moore.com> wrote:
> On Fri, Mar 10, 2017 at 3:21 PM, Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Mar 10, 2017 at 3:17 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> On Fri, 2017-03-10 at 15:01 -0500, Paul Moore wrote:
> >>> On Thu, Feb 9, 2017 at 10:58 AM, Antonio Murdaca <amurdaca@redhat.com> wrote:
> >>> >
> >>> > This patch allows genfscon per-file labeling for cgroupfs. For instance,
> >>> > this allows labeling the "release_agent" file within each
> >>> > cgroup mount and limiting writes to it.
> >>> >
> >>> > Signed-off-by: Antonio Murdaca <runcom@redhat.com>
> >>> > ---
> >>> >  security/selinux/hooks.c | 2 ++
> >>> >  1 file changed, 2 insertions(+)
> >>>
> >>> Now that the merge window is behind us, let's get this merged, but
> >>> could you update it to use the selinux_policycap_cgroupseclabel policy
> >>> capability? See 2651225b5ebcdde ("selinux: wrap cgroup seclabel
> >>> support with its own policy capability") for more information.
> >>
> >> I don't think that is necessary. This change, unlike the other one,
> >> should not yield any difference in behavior with existing policy; it
> >> just allows one to specify fine-grained labeling for cgroup nodes in
> >> future policy. It doesn't affect any userspace interface.
> >
> > Yes, I thought about that, and if the policy capability was already
> > present in a released kernel then I wouldn't worry about it much, but
> > since the policy capability still only lives in the v4.11-rcX kernels
> > I'd prefer to see this code wrapped with the policy capability ...
> > even if all it really does is give me that warm fuzzy feeling.
>
> FWIW, I just decided I didn't care that much about the policy
> capability restriction for this patch and went ahead and merged it
> into selinux/next.
>
> --
> paul moore
> www.paul-moore.com
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9a8f12f..5a3138e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -808,6 +808,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "sysfs") || + !strcmp(sb->s_type->name, "cgroup") || + !strcmp(sb->s_type->name, "cgroup2") || !strcmp(sb->s_type->name, "pstore")) sbsec->flags |= SE_SBGENFS;
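Review bot: the two added comparisons flag every "cgroup" and "cgroup2" superblock with SE_SBGENFS, but neither the hunk nor its description records that this is behaviour-neutral for a policy that carries only the root genfscon entry for cgroupfs, nor which per-file genfscon rule (the release_agent case named in the description) was used to exercise the new path; both belong in the commit message. Guarding the two new lines with the selinux_policycap_cgroupseclabel check raised in the thread would also keep this consistent with the other cgroup labeling change, and if this `||` chain of filesystem names keeps growing it would read better as a small static table walked in a loop.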
This patch allows genfscon per-file labeling for cgroupfs. For instance,
this allows labeling the "release_agent" file within each
cgroup mount and limiting writes to it.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
---
 security/selinux/hooks.c | 2 ++
 1 file changed, 2 insertions(+)
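As an added illustration of the per-file labeling this change enables (an example written for this page, not part of the patch or of any shipped policy), the kernel policy language fragment below keeps the root genfscon rules that label every cgroupfs inode cgroup_t, adds a longer /release_agent rule that the SE_SBGENFS flag makes effective, and restricts writes to that file to a single domain, which is the use the commit message and Stephen's reply describe. cgroup_t is the reference policy's cgroupfs type; cgroup_release_agent_t and cgroup_admin_t are assumed names.

```text
# Added example, not from the patch or from any distribution policy.
# Kernel policy language (policy.conf form). In a complete policy the type
# and allow rules belong in the rules section and the genfscon lines in the
# labeling section; they are shown together here for readability.
# cgroup_t is assumed to be declared elsewhere (reference policy); the two
# names below are assumed for this example only.
type cgroup_release_agent_t;
type cgroup_admin_t;

# Root rules: with only these, every inode on a cgroup or cgroup2 superblock
# is labeled cgroup_t, which is what existing policies already get.
genfscon cgroup  / system_u:object_r:cgroup_t:s0
genfscon cgroup2 / system_u:object_r:cgroup_t:s0

# Per-file rule: once the superblock carries SE_SBGENFS (what the patch adds
# for "cgroup" and "cgroup2"), inode paths are matched against these rules,
# so the release_agent file at the root of each cgroup v1 hierarchy mount
# gets its own type instead of cgroup_t.
genfscon cgroup /release_agent system_u:object_r:cgroup_release_agent_t:s0

# Only the management domain may write the newly labeled file. A domain that
# holds cgroup_t:file write but not cgroup_release_agent_t:file write is now
# denied on release_agent while keeping its access to the other cgroup files.
allow cgroup_admin_t cgroup_release_agent_t:file { getattr open read write };
```

On a kernel with this patch, `ls -Z` on a cgroup v1 mount should then show the mount directory as cgroup_t and release_agent as cgroup_release_agent_t; on a kernel without it the per-file rule is ignored and both stay cgroup_t.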