-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/09/2010 11:30 AM, Dominick Grift wrote: > On Sat, Oct 09, 2010 at 09:14:25AM -0400, Eric Paris wrote: >> On Sat, 2010-10-09 at 11:43 +0200, Dominick Grift wrote: >>> Why is /dev/hugepages specified to be labeled hugetlbfs_t? Any >>> particular reason for this? >>> >>> In my branch i labelled it device_t like most directories in /dev. >>> >>> This makes it easier because udev does some magic >>> in /lib/udev/devices(hugetables) which causes all kinds of extra >>> denials if i label the hugepages dir hugetlbfs_t. >>> >>> For example hugetlbfs_t must associate to device_t etc. Much easier to >>> just label hugepages directories at both /dev/hugepage >>> and /lib/udev/devices/hugepages device_t. >>> >>> Also i noticed that /sys/fs/cgroup is specified to be labeled >>> cgroup_t, but i think the kernel creates that directory with type >>> sysfs_t. So that would mean that it needs to be restored at each >>> boot-up. >> >> /dev/hugepages and (I think) /sys/fs/cgroup are filesystem mount points >> not actually files in the devfs or sysfs filesystem. So the labels are >> picked probably picked up from the filesystem labeling rules at mount >> time rather than from a later restorecon. > > In my branch i have the directory /dev/hugepages set to device_t and this location is labelled properly (udev or dracut did it?) > Unlike /sys/fs/cgroup directory which is set to cgroup_t but this location is not labelled properly (sysfs_t instead of specified cgroup_t) > >> >> As to whether we need or want such labels on hugetlbfs and cgroupfs I'll >> let you and Dan argue about :) >> >> -Eric >> >> >> >> -- >> selinux mailing list >> selinux@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/selinux I think the problem is running tools like restorecon on /dev to check labels. ends up generating errors when hugetlbfs and cgroupfs are mounted. I guess we could change the label to <<none>> /dev/shm has the same problem. matchpathcon /dev/shm /dev/shm system_u:object_r:tmpfs_t:s0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAky0eDcACgkQrlYvE4MpobNbLwCfTuarpot9DAt9EKJZyZgEeSwK qCEAoJfM4WUgM8V7yVY50sAjcJKSTBLx =pDD5 -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
