commit: 7a74e7ba38497d870a3d3c51c8ffd6ffb876d00e |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Fri Nov 28 09:28:46 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Fri Nov 28 09:28:46 2014 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7a74e7ba |
|
Allow cgroup handler to access /sys/fs/cgroup as tmpfs_t |
|
Currently, the /sys/fs/cgroup location is mounted as a tmpfs_t. As the |
mount options cannot be easily modified as of yet, we grant the cgroup |
handler search privileges over tmpfs_t. |
|
Additional cgroup mounts within /sys/fs/cgroup do hold the right context |
(cgroup_t). |
|
--- |
policy/modules/contrib/openrc.te | 3 +++ |
1 file changed, 3 insertions(+) |
|
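--- a/policy/modules/contrib/openrc.te
+++ b/policy/modules/contrib/openrc.te
@@ -28,5 +28,8 @@ files_search_pids(openrc_cgroup_release_t)
 
 fs_manage_cgroup_dirs(openrc_cgroup_release_t)
 fs_manage_cgroup_files(openrc_cgroup_release_t)
+# /sys/fs/cgroup is by default mounted as tmpfs_t
+# Allow search until we can have it mounted correctly (TODO)
+fs_search_tmpfs(openrc_cgroup_release_t)
 
 auth_use_nsswitch(openrc_cgroup_release_t)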
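Review bot: `fs_search_tmpfs(openrc_cgroup_release_t)` is broader than the comment above it suggests: it permits search on every directory labelled tmpfs_t, not only the /sys/fs/cgroup mount point, so the release handler can also traverse any other tmpfs mount that carries the default label. The comment should record that scope and the removal condition, e.g. `# Grants search on all tmpfs_t dirs, not just /sys/fs/cgroup; drop once the mount is labelled cgroup_t`, and the TODO would be easier to follow up with a tracking reference (`# TODO: <bug-id>`). Which other tmpfs_t mounts exist on a given system is not visible from this hunk, so the practical exposure should be confirmed against the target's mount labelling. The rest of the openrc_cgroup_release_t policy lies outside the hunk.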