On Sat, 2010-10-09 at 11:43 +0200, Dominick Grift wrote:
Why is /dev/hugepages specified to be labeled hugetlbfs_t? Any
particular reason for this?
In my branch I labelled it device_t like most directories in /dev.
This makes it easier because udev does some magic
in /lib/udev/devices(hugetables) which causes all kinds of extra
denials if I label the hugepages dir hugetlbfs_t.
For example, hugetlbfs_t must associate to device_t, etc. Much easier to
just label hugepages directories at both /dev/hugepage
and /lib/udev/devices/hugepages device_t.
Also I noticed that /sys/fs/cgroup is specified to be labeled
cgroup_t, but I think the kernel creates that directory with type
sysfs_t. So that would mean that it needs to be restored at each
boot-up.
/dev/hugepages and (I think) /sys/fs/cgroup are filesystem mount points
not actually files in the devfs or sysfs filesystem. So the labels are
probably picked up from the filesystem labeling rules at mount
time rather than from a later restorecon.
As to whether we need or want such labels on hugetlbfs and cgroupfs I'll
let you and Dan argue about :)
-Eric
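The distinction the two messages turn on (a directory that is itself a mount point is labelled by the policy's genfscon or fs_use_* rule for that filesystem type when it is mounted, whereas a plain directory inside /dev or /sys gets the parent filesystem's label at creation and is only brought in line with file_contexts by a later restorecon) can be worked through mechanically. The script below is an added example, not code from the refpolicy list or from refpolicy itself. The /proc/mounts excerpt, the policy lines and the file_contexts entries are constructed for illustration; the contexts in them are assumptions, and the "last matching file_contexts entry wins" lookup mirrors how matchpathcon resolves overlapping entries. It classifies /dev/hugepages both with hugetlbfs mounted (label from genfscon) and before the mount, when it is just a devtmpfs directory that file_contexts would relabel to hugetlbfs_t, which is the situation that produces the extra associate denials mentioned above.

```python
"""Classify where a path's SELinux label comes from: a genfscon/fs_use_* rule
applied at mount time, the parent filesystem's rule at creation, or on-disk
xattrs written from file_contexts by setfiles/restorecon.

Added example; all inputs are constructed, not copied from a real system or
from refpolicy.
"""
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Constructed /proc/mounts excerpt (assumed layout).
MOUNTS = """\
/dev/root / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup cgroup rw,relatime 0 0
"""

# Constructed policy excerpt in kernel policy language (assumed contexts).
POLICY = """\
fs_use_xattr ext4 system_u:object_r:fs_t:s0;
fs_use_trans devtmpfs system_u:object_r:device_t:s0;
genfscon sysfs / system_u:object_r:sysfs_t:s0
genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
genfscon cgroup / system_u:object_r:cgroup_t:s0
"""

# Constructed file_contexts excerpt, general entries before specific ones.
FILE_CONTEXTS = """\
/dev(/.*)?	system_u:object_r:device_t:s0
/dev/hugepages(/.*)?	system_u:object_r:hugetlbfs_t:s0
/lib/udev/devices(/.*)?	system_u:object_r:device_t:s0
/sys(/.*)?	system_u:object_r:sysfs_t:s0
/sys/fs/cgroup(/.*)?	system_u:object_r:cgroup_t:s0
"""


def parse_mounts(text: str) -> Dict[str, str]:
    """Map mount point -> filesystem type from /proc/mounts-style lines."""
    mounts: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts[fields[1]] = fields[2]
    return mounts


def parse_policy(text: str) -> Dict[str, Tuple[str, str]]:
    """Map fstype -> (labeling mechanism, context) from fs_use_*/genfscon lines.
    Only root-path ('/') genfscon rules are considered in this example."""
    rules: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(fs_use_\w+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rules[m.group(2)] = (m.group(1), m.group(3).rstrip(";"))
            continue
        m = re.match(r"\s*genfscon\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m and m.group(2) == "/":
            rules[m.group(1)] = ("genfscon", m.group(3))
    return rules


def parse_file_contexts(text: str) -> List[Tuple[Pattern, str]]:
    """Compile file_contexts entries into (anchored regex, context) pairs."""
    specs: List[Tuple[Pattern, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            specs.append((re.compile(parts[0]), parts[1]))
    return specs


def file_contexts_lookup(path: str, specs: List[Tuple[Pattern, str]]) -> Optional[str]:
    """Return the context of the last matching entry, as matchpathcon does."""
    ctx = None
    for regex, context in specs:
        if regex.fullmatch(path):
            ctx = context
    return ctx


def nearest_mount(path: str, mounts: Dict[str, str]) -> str:
    """Longest mount point that is the path itself or one of its ancestors."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def classify(path: str, mounts: Optional[Dict[str, str]] = None,
             rules: Optional[Dict[str, Tuple[str, str]]] = None,
             specs: Optional[List[Tuple[Pattern, str]]] = None) -> Dict[str, object]:
    """Report the labeling mechanism for `path` and whether its creation-time
    label differs from file_contexts (True/False; None when the filesystem
    stores xattrs, since the creation label then depends on the creating process)."""
    mounts = parse_mounts(MOUNTS) if mounts is None else mounts
    rules = parse_policy(POLICY) if rules is None else rules
    specs = parse_file_contexts(FILE_CONTEXTS) if specs is None else specs
    mp = nearest_mount(path, mounts)
    fstype = mounts[mp]
    mechanism, fs_ctx = rules.get(fstype, ("none", None))
    fc_ctx = file_contexts_lookup(path, specs)
    is_mount = mp == path
    if is_mount:
        source = f"{mechanism} rule for {fstype}, applied at mount time"
        expected, needs_restorecon = fs_ctx, False
    elif mechanism == "fs_use_xattr":
        source = "on-disk xattr written from file_contexts by setfiles/restorecon"
        expected, needs_restorecon = fc_ctx, None
    else:
        source = f"{mechanism} rule for {fstype} at creation; restorecon relabels if file_contexts differs"
        expected, needs_restorecon = fs_ctx, fc_ctx is not None and fc_ctx != fs_ctx
    return {"path": path, "mount_point": is_mount, "fstype": fstype,
            "label_source": source, "expected_context": expected,
            "file_contexts": fc_ctx, "needs_restorecon": needs_restorecon}


if __name__ == "__main__":
    before_mount = {k: v for k, v in parse_mounts(MOUNTS).items() if k != "/dev/hugepages"}
    for p, m in (("/dev/hugepages", None), ("/dev/hugepages", before_mount),
                 ("/sys/fs/cgroup", None), ("/lib/udev/devices/hugepages", None)):
        r = classify(p, mounts=m)
        print(f"{p}: mount_point={r['mount_point']} via {r['label_source']} -> "
              f"{r['expected_context']}; file_contexts={r['file_contexts']}; "
              f"needs_restorecon={r['needs_restorecon']}")
```

Run as-is it prints one line per case; the second /dev/hugepages line (mounts without the hugetlbfs entry) is the pre-mount directory on devtmpfs, which starts life as device_t and would be relabelled to hugetlbfs_t by file_contexts, while the mounted case takes its label straight from the genfscon rule and nothing in file_contexts needs to be restored.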