fedora-selinux October 2010 archive

Re: why label /dev/hugepages directory hugetlbfs_t?

From: Dominick Grift <domg472_at_nospam>
Date: Sat Oct 09 2010 - 15:30:27 GMT
To: selinux@lists.fedoraproject.org

On Sat, Oct 09, 2010 at 09:14:25AM -0400, Eric Paris wrote:
> On Sat, 2010-10-09 at 11:43 +0200, Dominick Grift wrote:
> > Why is /dev/hugepages specified to be labeled hugetlbfs_t? Any
> > particular reason for this?
> >
> > In my branch I labelled it device_t like most directories in /dev.
> >
> > This makes it easier because udev does some magic
> > in /lib/udev/devices(hugetables) which causes all kinds of extra
> > denials if I label the hugepages dir hugetlbfs_t.
> >
> > For example hugetlbfs_t must associate to device_t etc. Much easier to
> > just label hugepages directories at both /dev/hugepage
> > and /lib/udev/devices/hugepages device_t.
> >
> > Also I noticed that /sys/fs/cgroup is specified to be labeled
> > cgroup_t, but I think the kernel creates that directory with type
> > sysfs_t. So that would mean that it needs to be restored at each
> > boot-up.
>
> /dev/hugepages and (I think) /sys/fs/cgroup are filesystem mount points
> not actually files in the devfs or sysfs filesystem. So the labels are
> probably picked up from the filesystem labeling rules at mount
> time rather than from a later restorecon.

In my branch I have the directory /dev/hugepages set to device_t, and this location is labelled properly (udev or dracut did it?).
Unlike the /sys/fs/cgroup directory, which is set to cgroup_t but is not labelled properly (sysfs_t instead of the specified cgroup_t).

>
> As to whether we need or want such labels on hugetlbfs and cgroupfs I'll
> let you and Dan argue about :)
>
> -Eric
>

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
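The mismatch Dominick describes (policy says cgroup_t, the mount point actually carries sysfs_t because the kernel's genfscon rule for sysfs labelled it at mount time) is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from the thread or from the Fedora policy: it compares the type the policy specifies for a path (`matchpathcon -n`) with the type found on the inode (`ls -Zd`) and flags any path where the two differ. Both tools are real, but they need an SELinux-enabled host, so the script falls back to constructed sample output (labels copied from the thread's description) when `matchpathcon` is not available.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report paths whose
# on-disk SELinux type differs from what the file-context policy specifies.
# Mount points such as /dev/hugepages and /sys/fs/cgroup are labelled by the
# kernel's genfscon/fs_use rules at mount time, so a mismatch there will
# reappear on every boot unless something runs restorecon afterwards.

# Extract the type field from a context such as system_u:object_r:device_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare expected and actual contexts for one path.
# Prints a verdict; returns 0 on match, 1 on mismatch.
check_label() {
    path=$1; expected=$2; actual=$3
    e=$(ctx_type "$expected"); a=$(ctx_type "$actual")
    if [ -n "$a" ] && [ "$e" = "$a" ]; then
        printf 'OK       %s is %s\n' "$path" "$a"
        return 0
    fi
    printf 'MISMATCH %s is %s, policy specifies %s (restorecon needed, or a genfscon rule)\n' \
        "$path" "${a:-<unlabelled>}" "$e"
    return 1
}

# Constructed sample output standing in for matchpathcon and ls -Zd, with the
# labels the thread describes: hugepages mount labelled device_t in Dominick's
# branch (matches policy), cgroup mount created as sysfs_t while policy says
# cgroup_t (mismatch).
SAMPLE_MATCHPATHCON='/dev/hugepages system_u:object_r:device_t:s0
/sys/fs/cgroup system_u:object_r:cgroup_t:s0'
SAMPLE_LS_Z='system_u:object_r:device_t:s0 /dev/hugepages
system_u:object_r:sysfs_t:s0 /sys/fs/cgroup'

expected_for() { printf '%s\n' "$SAMPLE_MATCHPATHCON" | awk -v p="$1" '$1==p {print $2}'; }
actual_for()   { printf '%s\n' "$SAMPLE_LS_Z"         | awk -v p="$1" '$2==p {print $1}'; }

# Audit one path: use the live tools when the host has them, else the samples.
audit_path() {
    p=$1
    if command -v matchpathcon >/dev/null 2>&1 && [ -e "$p" ]; then
        exp=$(matchpathcon -n "$p")          # -n: print only the context
        act=$(ls -Zd "$p" | awk '{print $1}') # -Z: context precedes the name
    else
        exp=$(expected_for "$p"); act=$(actual_for "$p")
    fi
    check_label "$p" "$exp" "$act"
}

main() {
    rc=0
    for p in /dev/hugepages /sys/fs/cgroup; do
        audit_path "$p" || rc=1
    done
    return $rc
}

main "$@"
```

On a live host the exit status is 1 whenever any audited mount point disagrees with the policy, which is the condition under which the thread's "needs to be restored at each boot-up" concern applies; the fix is either a file-context entry plus a restorecon in the boot path, or a genfscon/fs_use rule so the kernel assigns the intended type at mount time.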