move into cgroupseclabelfs

author: John Turner <jturner.usa@gmail.com> 2025-08-12 15:35:36 -0400
committer: John Turner <jturner.usa@gmail.com> 2025-08-12 15:35:36 -0400
commit: 3eadbdbc7ce1752556136f24142dd5f291abc1f6 (patch)
tree: 9849cad96dab94fcfe3e2c49979a7d6e8f648661 /src/fs
parent: 629aabf63c253be5348b4ed3409e07694927adf6 (diff)
download: selinux-policy-3eadbdbc7ce1752556136f24142dd5f291abc1f6.tar.gz
1 files changed, 13 insertions, 5 deletions
diff --git a/src/fs/seclabelfs/cgroupseclabelfs.cil b/src/fs/seclabelfs/cgroupseclabelfs.cil
index d2931b0..18266a1 100644
--- a/src/fs/seclabelfs/cgroupseclabelfs.cil
+++ b/src/fs/seclabelfs/cgroupseclabelfs.cil
@@ -2,10 +2,18 @@
 ;; SPDX-License-Identifier: Unlicense
 
 (block cgroup
+    (filecon "/sys/fs/cgroup" dir fs_context)
+    (filecon "/sys/fs/cgroup/.*" any ())
 
-  (genfscon "cgroup" "/" fs_context)
-  (genfscon "cgroup2" "/" fs_context)
+    (allow fs self (filesystem (associate)))
 
-  (blockinherit .fs.macro_template_dirs)
-  (blockinherit .fs.macro_template_files)
-  (blockinherit .seclabelfs.template))
+    (call .rbacsep.exempt.obj.type (fs))
+
+    (call .sys.associate_fs (fs))
+    
+    (genfscon "cgroup" "/" fs_context)
+    (genfscon "cgroup2" "/" fs_context)
+
+    (blockinherit .fs.macro_template_dirs)
+    (blockinherit .fs.macro_template_files)
+    (blockinherit .seclabelfs.template))
author	John Turner <jturner.usa@gmail.com>	2025-08-12 15:35:36 -0400
committer	John Turner <jturner.usa@gmail.com>	2025-08-12 15:35:36 -0400
commit	3eadbdbc7ce1752556136f24142dd5f291abc1f6 (patch)
tree	9849cad96dab94fcfe3e2c49979a7d6e8f648661 /src/fs
parent	629aabf63c253be5348b4ed3409e07694927adf6 (diff)
download	selinux-policy-3eadbdbc7ce1752556136f24142dd5f291abc1f6.tar.gz