[PATCH 0/3] Allow initializing the kernfs node's secctx based on its parent

[Tejun Heo]

Hello,

On Wed, Jan 09, 2019 at 10:10:25AM +0100, Ondrej Mosnacek wrote:
> The main motivation for this change is that the userspace users of cgroupfs
> (which is built on kernfs) expect the usual security context inheritance
> to work under SELinux (see [1] and [2]). This functionality is required for
> better confinement of containers under SELinux.

Can you please go into details on what the expected use cases are like
for cgroupfs?  It shows up as a filesystem but isn't a real one and
has its own permission scheme for delegation and stuff.  If sysfs
hasn't needed selinux support, I'm having a bit of difficulty seeing
why cgroupfs would.

Thanks.

-- 
tejun