| 1 |
commit: 7a74e7ba38497d870a3d3c51c8ffd6ffb876d00e |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Fri Nov 28 09:28:46 2014 +0000 |
| 4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Fri Nov 28 09:28:46 2014 +0000 |
| 6 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7a74e7ba |
| 7 |
|
| 8 |
Allow cgroup handler to access /sys/fs/cgroup as tmpfs_t |
| 9 |
|
| 10 |
Currently, the /sys/fs/cgroup location is mounted as a tmpfs_t. As the |
| 11 |
mount options cannot be easily modified as of yet, we grant the cgroup |
| 12 |
handler search privileges over tmpfs_t. |
| 13 |
|
| 14 |
Additional cgroup mounts within /sys/fs/cgroup do hold the right context |
| 15 |
(cgroup_t). |
| 16 |
|
| 17 |
--- |
| 18 |
policy/modules/contrib/openrc.te | 3 +++ |
| 19 |
1 file changed, 3 insertions(+) |
| 20 |
|
| 21 |
diff --git a/policy/modules/contrib/openrc.te b/policy/modules/contrib/openrc.te |
| 22 |
index 91afb6e..6a0d7cb 100644 |
| 23 |
--- a/policy/modules/contrib/openrc.te |
| 24 |
+++ b/policy/modules/contrib/openrc.te |
| 25 |
@@ -28,5 +28,8 @@ files_search_pids(openrc_cgroup_release_t) |
| 26 |
|
| 27 |
fs_manage_cgroup_dirs(openrc_cgroup_release_t) |
| 28 |
fs_manage_cgroup_files(openrc_cgroup_release_t) |
| 29 |
+# /sys/fs/cgroup is by default mounted as tmpfs_t |
| 30 |
+# Allow search until we can have it mounted correctly (TODO) |
| 31 |
+fs_search_tmpfs(openrc_cgroup_release_t) |
| 32 |
|
| 33 |
auth_use_nsswitch(openrc_cgroup_release_t) |
Archives