diff options
| author | Krzysztof Nowicki <krzysztof.a.nowicki+github@gmail.com> | 2017-11-30 11:59:29 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2017-11-30 11:59:29 +0100 |
| commit | 8739f23e3c26bbf8b0296421578e56daa63cbf4b (patch) | |
| tree | cde4525429be85fe9f19490c09d7dd322a9182dc | |
| parent | 949befd3f09e8c06a908ec99efd241666c21d944 (diff) | |
| download | systemd-8739f23e3c26bbf8b0296421578e56daa63cbf4b.tar.gz | |
Fix SELinux labels in cgroup filesystem root directory (#7496)
When using SELinux with legacy cgroups the tmpfs on /sys/fs/cgroup is by
default labelled as tmpfs_t. This label is also inherited by the "cpu"
and "cpuacct" symbolic links. Unfortunately the policy expects them to
be labelled as cgroup_t, which is used for all the actual cgroup
filesystems. Failure to do so results in a stream of denials.
This state cannot be fixed reliably when the cgroup filesystem structure
is set-up as the SELinux policy is not yet loaded at this
moment. It also cannot be fixed later as the root of the cgroup
filesystem is remounted read-only. In order to fix it the root of the
cgroup filesystem needs to be temporary remounted read-write, relabelled
and remounted back read-only.
| -rw-r--r-- | src/core/mount-setup.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index d5c0fcddcb..7171d8fda4 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c @@ -390,9 +390,19 @@ int mount_setup(bool loaded_policy) { nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL); nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL); + /* Temporarily remount the root cgroup filesystem to give it a proper label. */ + r = cg_all_unified(); + if (r == 0) { + (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL); + label_fix("/sys/fs/cgroup", false, false); + nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL); + (void) mount(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL); + } else if (r < 0) + return log_error_errno(r, "Failed to determine whether we are in all unified mode: %m"); + after_relabel = now(CLOCK_MONOTONIC); - log_info("Relabelled /dev and /run in %s.", + log_info("Relabelled /dev, /run and /sys/fs/cgroup in %s.", format_timespan(timespan, sizeof(timespan), after_relabel - before_relabel, 0)); } #endif |