author | Antonio Murdaca <runcom@redhat.com> | 2017-02-09 17:02:42 +0100 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2017-08-22 15:38:18 -0400 |
commit | 901ef845fa2469c211ce3b1e955d9e7245ab5d50 (patch) | |
tree | b09c7e1bb1705c4db7dd5468b19fb7f243aa37b6 /security | |
parent | 5d72801538eb59cfd9ca25d00aa439cfbc02ac9a (diff) | |
selinux: allow per-file labeling for cgroupfs

This patch allows genfscon per-file labeling for cgroupfs. For instance,
this allows to label the "release_agent" file within each
cgroup mount and limit writes to it.

Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
[PM: subject line and merge tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>

Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2bd7b82..f803fdc 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -815,7 +815,9 @@ static int selinux_set_mnt_opts(struct super_block *sb, if (!strcmp(sb->s_type->name, "debugfs") || !strcmp(sb->s_type->name, "tracefs") || !strcmp(sb->s_type->name, "sysfs") || - !strcmp(sb->s_type->name, "pstore")) + !strcmp(sb->s_type->name, "pstore") || + !strcmp(sb->s_type->name, "cgroup") || + !strcmp(sb->s_type->name, "cgroup2")) sbsec->flags |= SE_SBGENFS; if (!sbsec->behavior) { |
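
Review bot: The condition in selinux_set_mnt_opts() is now a six-way strcmp() chain on sb->s_type->name, extended by hand for each filesystem that wants SE_SBGENFS; consider moving the names into a small static table or a helper so the set of genfs-labeled filesystems can be audited in one place. The commit message also motivates the change only with "release_agent" and does not say how labels behave on cgroup and cgroup2 mounts when the loaded policy has no per-file genfscon entries for them. Since the flag is set for every superblock of those two types, a sentence on the expected result under existing policy would help policy authors and anyone bisecting a labeling change.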