[refpolicy] kernel_filesystem.patch

Christopher J. PeBenito cpebenito at tresys.com
Mon Jun 7 10:41:28 CDT 2010


On Mon, 2010-06-07 at 17:24 +0200, Dominick Grift wrote:
> On Mon, Jun 07, 2010 at 10:56:08AM -0400, Christopher J. PeBenito wrote:
> > On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
> > > On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> > > > On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > > > > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > > > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > > > > >>
> > > > > > > >> Changes for /cgroup policy
> > > > > > > >
> > > > > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > > > > renamed.
> > > > > > > >
> > > > > > > Well it is a file system?
> > > > > > 
> > > > > > That's not necessarily a good reason, since other pseudo filesystems
> > > > > > exist in other modules, for good reason.  It also doesn't explain the
> > > > > > renaming.
> > > > > 
> > > > > The libcgroup suite was one of the reasons to rename. libcgroup, which
> > > > > automates cgroup management, installs the /cgroup mountpoint, whilst
> > > > > that directory's content is the cgroup pseudo filesystem. So we needed
> > > > > two types for almost the same purpose. So we chose cgroup_t for
> > > > > libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs
> > > > > pseudo fs cgroupfs.
> > > > 
> > > > I don't see a need for two different types.
> > > 
> > > I guess strictly speaking there is no need for two types. We can just
> > > add the fc spec for /cgroup -d to filesystem.fc
> > 
> > That's what I had in mind.
> 
> So.. you want cgroup_t instead of cgroupfs_t?

Yes, since the filesystem is called cgroup and the cgroup_t type already
exists to label it.

> You realize that when we merge the two, that the chosen type will get
> the mountpoint attribute even if its a directory under /cgroup?

Yes.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
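What the single-type approach agreed above looks like in refpolicy terms, as an added illustration that is not the patch under discussion nor refpolicy's own text: the existing cgroup_t type continues to label the cgroup pseudo filesystem via genfscon, and a file context entry for the /cgroup directory is added to filesystem.fc. The cgroup_t declaration in kernel.te is assumed from the thread (Chris states the type already exists); files_mountpoint() is the refpolicy interface that assigns the mountpoint attribute Dominick mentions, and applying it to cgroup_t is what makes that attribute cover the whole labeled tree, including directories under /cgroup.

```selinux
# kernel.te (assumed existing declaration; not shown on the page)
# cgroup_t is a filesystem type and is what the cgroup pseudo fs is labeled with.
type cgroup_t;
fs_type(cgroup_t)
files_mountpoint(cgroup_t)

# Labels the contents of any mounted cgroup filesystem with cgroup_t.
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)

# filesystem.fc (the one-line addition proposed in the thread)
# Only the /cgroup mountpoint directory itself (-d) gets cgroup_t on disk;
# everything under it is a pseudo fs and is labeled by the genfscon above.
/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
```

Because cgroup_t carries the mountpoint attribute, every directory labeled cgroup_t, including the hierarchy subdirectories mounted below /cgroup, is treated as a mountable location; that is the side effect Dominick asks about and Chris accepts. After changing the fc file, a `restorecon -v /cgroup` on the target system relabels the directory without touching the pseudo-fs contents.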



More information about the refpolicy mailing list