|
 |
aed857 |
From c043ae5b2ef2e1e437bf738bbf522799c6213230 Mon Sep 17 00:00:00 2001
|
|
|
aed857 |
From: Krzysztof Nowicki <krzysztof.a.nowicki+github@gmail.com>
|
|
|
aed857 |
Date: Thu, 30 Nov 2017 11:59:29 +0100
|
|
|
aed857 |
Subject: [PATCH] Fix SELinux labels in cgroup filesystem root directory
|
|
|
aed857 |
(#7496)
|
|
|
aed857 |
|
|
|
aed857 |
When using SELinux with legacy cgroups the tmpfs on /sys/fs/cgroup is by
|
|
|
aed857 |
default labelled as tmpfs_t. This label is also inherited by the "cpu"
|
|
|
aed857 |
and "cpuacct" symbolic links. Unfortunately the policy expects them to
|
|
|
aed857 |
be labelled as cgroup_t, which is used for all the actual cgroup
|
|
|
aed857 |
filesystems. Failure to do so results in a stream of denials.
|
|
|
aed857 |
|
|
|
aed857 |
This state cannot be fixed reliably when the cgroup filesystem structure
|
|
|
aed857 |
is set-up as the SELinux policy is not yet loaded at this
|
|
|
aed857 |
moment. It also cannot be fixed later as the root of the cgroup
|
|
|
aed857 |
filesystem is remounted read-only. In order to fix it the root of the
|
|
|
aed857 |
cgroup filesystem needs to be temporary remounted read-write, relabelled
|
|
|
aed857 |
and remounted back read-only.
|
|
|
aed857 |
|
|
|
aed857 |
(cherry picked from commit 8739f23e3c26bbf8b0296421578e56daa63cbf4b)
|
|
|
aed857 |
---
|
|
|
aed857 |
src/core/mount-setup.c | 10 +++++++++-
|
|
|
aed857 |
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
aed857 |
|
|
|
aed857 |
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
|
|
|
c62b8e |
index 521545e5ce..7a2cae4a39 100644
|
|
|
aed857 |
--- a/src/core/mount-setup.c
|
|
|
aed857 |
+++ b/src/core/mount-setup.c
|
|
|
aed857 |
@@ -363,14 +363,22 @@ int mount_setup(bool loaded_policy) {
|
|
|
aed857 |
usec_t before_relabel, after_relabel;
|
|
|
aed857 |
char timespan[FORMAT_TIMESPAN_MAX];
|
|
|
aed857 |
|
|
|
aed857 |
+ mkdir_label("/run/systemd/policy-relabelling", 0755);
|
|
|
aed857 |
before_relabel = now(CLOCK_MONOTONIC);
|
|
|
aed857 |
|
|
|
aed857 |
nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
|
|
|
aed857 |
nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
|
|
|
aed857 |
|
|
|
aed857 |
+ /* Temporarily remount the root cgroup filesystem to give it a proper label. */
|
|
|
aed857 |
+ (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
|
|
|
aed857 |
+ label_fix("/sys/fs/cgroup", false, false);
|
|
|
aed857 |
+ nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
|
|
|
aed857 |
+ (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
|
|
|
aed857 |
+
|
|
|
aed857 |
after_relabel = now(CLOCK_MONOTONIC);
|
|
|
aed857 |
|
|
|
aed857 |
- log_info("Relabelled /dev and /run in %s.",
|
|
|
aed857 |
+ mkdir_label("/run/systemd/policy-relabelled", 0755);
|
|
|
aed857 |
+ log_info("Relabelled /dev, /run and /sys/fs/cgroup in %s.",
|
|
|
aed857 |
format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0));
|
|
|
aed857 |
}
|
|
|
aed857 |
#endif
|