diff options
| author | Krzysztof Nowicki <krzysztof.a.nowicki+github@gmail.com> | 2017-11-30 11:59:29 +0100 |
|---|---|---|
| committer | Sven Eden <yamakuzure@gmx.net> | 2017-11-30 11:59:29 +0100 |
| commit | dab5bf7faede9be76986f2be5f2309082329da7d (patch) | |
| tree | 614740af723bf9d3675c2039676c6c105fdd79c4 /src/core/mount-setup.c | |
| parent | dbb2a1701b25ee00e2f6eb069ccda28cfc0ece7a (diff) | |
Fix SELinux labels in cgroup filesystem root directory (#7496)
When using SELinux with legacy cgroups the tmpfs on /sys/fs/cgroup is by
default labelled as tmpfs_t. This label is also inherited by the "cpu"
and "cpuacct" symbolic links. Unfortunately the policy expects them to
be labelled as cgroup_t, which is used for all the actual cgroup
filesystems. Failure to do so results in a stream of denials.
This state cannot be fixed reliably when the cgroup filesystem structure
is set-up as the SELinux policy is not yet loaded at this
moment. It also cannot be fixed later as the root of the cgroup
filesystem is remounted read-only. In order to fix it the root of the
cgroup filesystem needs to be temporary remounted read-write, relabelled
and remounted back read-only.
Diffstat (limited to 'src/core/mount-setup.c')
| -rw-r--r-- | src/core/mount-setup.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index bd979bcee..011950cb3 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c @@ -399,9 +399,19 @@ int mount_setup(bool loaded_policy) { nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL); nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL); + /* Temporarily remount the root cgroup filesystem to give it a proper label. */ + r = cg_all_unified(); + if (r == 0) { + (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL); + label_fix("/sys/fs/cgroup", false, false); + nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL); + (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL); + } else if (r < 0) + return log_error_errno(r, "Failed to determine whether we are in all unified mode: %m"); + after_relabel = now(CLOCK_MONOTONIC); - log_info("Relabelled /dev and /run in %s.", + log_info("Relabelled /dev, /run and /sys/fs/cgroup in %s.", format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0)); } #endif |