selinux: allow per-file labeling for cgroupfs
This patch allows genfscon per-file labeling for cgroupfs. For instance, this allows to label the "release_agent" file within each cgroup mount and limit writes to it. Signed-off-by: Antonio Murdaca <amurdaca@redhat.com> [PM: subject line and merge tweaks] Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Родитель
5d72801538
Коммит
901ef845fa
|
@ -815,7 +815,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
|
|||
if (!strcmp(sb->s_type->name, "debugfs") ||
|
||||
!strcmp(sb->s_type->name, "tracefs") ||
|
||||
!strcmp(sb->s_type->name, "sysfs") ||
|
||||
!strcmp(sb->s_type->name, "pstore"))
|
||||
!strcmp(sb->s_type->name, "pstore") ||
|
||||
!strcmp(sb->s_type->name, "cgroup") ||
|
||||
!strcmp(sb->s_type->name, "cgroup2"))
|
||||
sbsec->flags |= SE_SBGENFS;
|
||||
|
||||
if (!sbsec->behavior) {
|
||||
|
|
Загрузка…
Ссылка в новой задаче