why label /dev/hugepages directory hugetlbfs_t?

Eric Paris eparis at redhat.com
Sat Oct 9 13:14:25 UTC 2010


On Sat, 2010-10-09 at 11:43 +0200, Dominick Grift wrote:
> Why is /dev/hugepages specified to be labeled hugetlbfs_t? Any
> particular reason for this? 
> 
> In my branch I labelled it device_t like most directories in /dev.
> 
> This makes it easier because udev does some magic
> in /lib/udev/devices(hugetables) which causes all kinds of extra
> denials if I label the hugepages dir hugetlbfs_t.
> 
> For example hugetlbfs_t must associate to device_t etc. Much easier to
> just label hugepages directories at both /dev/hugepage
> and /lib/udev/devices/hugepages device_t.
> 
> Also I noticed that /sys/fs/cgroup is specified to be labeled
> cgroup_t, but i think the kernel creates that directory with type
> sysfs_t. So that would mean that it needs to be restored at each
> boot-up.

/dev/hugepages and (I think) /sys/fs/cgroup are filesystem mount points,
not actually files in the devfs or sysfs filesystem.  So the labels are
probably picked up from the filesystem labeling rules at mount
time rather than from a later restorecon.

As to whether we need or want such labels on hugetlbfs and cgroupfs I'll
let you and Dan argue about :)

-Eric
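A small check of the point made above, added here as an example and not part of the thread: given the contents of /proc/self/mounts (a constructed sample below) it reports whether a path is itself a mount point, whose label the kernel takes from the policy's fs_use_*/genfscon rule for that filesystem type when it is mounted, or a path inside some filesystem. The fstype-to-type table is an assumed, illustrative mapping, not copied from any real policy.

```python
"""Decide where a path's SELinux label comes from: the mount-time rule for
its filesystem type (the path is a mount point) or the rules for files
inside the containing filesystem.  All sample data below is constructed."""

# Constructed sample of /proc/self/mounts: dev mountpoint fstype opts dump pass
SAMPLE_MOUNTS = """\
devtmpfs /dev devtmpfs rw,nosuid,size=4096k,mode=755 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup cgroup rw,nosuid,nodev,noexec,relatime 0 0
"""

# Assumed fstype -> type the policy assigns to the filesystem root when it
# is mounted (fs_use_*/genfscon rules).  Illustrative values only; compare
# them against your own policy before relying on them.
MOUNT_TIME_TYPES = {
    "hugetlbfs": "hugetlbfs_t",
    "cgroup": "cgroup_t",
    "sysfs": "sysfs_t",
    "devtmpfs": "device_t",
}


def parse_mounts(text):
    """Return {mountpoint: fstype}.  /proc/mounts escapes spaces as \\040."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts[fields[1].replace("\\040", " ")] = fields[2]
    return mounts


def label_source(path, mounts):
    """Return ("mountpoint", fstype, root_type) when path is itself a mount
    point: the kernel labels it from the policy rule for fstype at mount
    time, so file_contexts/restorecon do not decide that label.  Otherwise
    return ("inside", fstype, None) for the filesystem containing path; how
    those files are labeled depends on that fstype's fs_use_*/genfscon rule
    (only xattr-backed filesystems honour file_contexts and restorecon)."""
    norm = path.rstrip("/") or "/"
    if norm in mounts:
        return "mountpoint", mounts[norm], MOUNT_TIME_TYPES.get(mounts[norm])
    containing = max((m for m in mounts if norm.startswith(m.rstrip("/") + "/")),
                     key=len, default="/")
    return "inside", mounts.get(containing), None
```

On a live system, feed it the real file (open("/proc/self/mounts").read()) and compare the result with `ls -Zd` on the same path.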