2010-06-02 20:23:20

by Daniel Walsh

Subject: [refpolicy] kernel_filesystem.patch

http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch

Changes for /cgroup policy


2010-06-04 13:34:13

by cpebenito

Subject: [refpolicy] kernel_filesystem.patch

On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
>
> Changes for /cgroup policy

While moving the labeling of cgroup from kernel to filesystem modules
may make sense, I'm not sure why the type and interfaces need to be
renamed.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-04 13:41:44

by Daniel Walsh

Subject: [refpolicy] kernel_filesystem.patch

On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
>>
>> Changes for /cgroup policy
>
> While moving the labeling of cgroup from kernel to filesystem modules
> may make sense, I'm not sure why the type and interfaces need to be
> renamed.
>
Well it is a file system?

2010-06-04 15:59:30

by domg472

Subject: [refpolicy] kernel_filesystem.patch

On Fri, Jun 04, 2010 at 09:34:13AM -0400, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> >
> > Changes for /cgroup policy
>
> While moving the labeling of cgroup from kernel to filesystem modules
> may make sense, I'm not sure why the type and interfaces need to be
> renamed.

Because /cgroup (dir) is owned by the libcg package. The cgroupfs files are not. Besides that cgroupfs_t seems an appropriate name.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2010-06-07 12:49:09

by cpebenito

Subject: [refpolicy] kernel_filesystem.patch

On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> >>
> >> Changes for /cgroup policy
> >
> > While moving the labeling of cgroup from kernel to filesystem modules
> > may make sense, I'm not sure why the type and interfaces need to be
> > renamed.
> >
> Well it is a file system?

That's not necessarily a good reason, since other pseudo filesystems
exist in other modules, for good reason. It also doesn't explain the
renaming.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-07 12:57:56

by domg472

Subject: [refpolicy] kernel_filesystem.patch

On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > >>
> > >> Changes for /cgroup policy
> > >
> > > While moving the labeling of cgroup from kernel to filesystem modules
> > > may make sense, I'm not sure why the type and interfaces need to be
> > > renamed.
> > >
> > Well it is a file system?
>
> Thats not necessarily a good reason, since other pseudo filesystems
> exist in other modules, for good reason. It also doesn't explain the
> renaming.

The libcgroup suite was one of the reasons to rename. libcgroup, which automates cgroup management, installs the /cgroup mountpoint, whilst that directory's content is the cgroup pseudo filesystem. So we needed two types for almost the same purpose. So we chose cgroup_t for libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs pseudo fs cgroupfs

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>

2010-06-07 14:00:08

by cpebenito

Subject: [refpolicy] kernel_filesystem.patch

On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > >>
> > > >> Changes for /cgroup policy
> > > >
> > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > renamed.
> > > >
> > > Well it is a file system?
> >
> > Thats not necessarily a good reason, since other pseudo filesystems
> > exist in other modules, for good reason. It also doesn't explain the
> > renaming.
>
> the libcgroup suite was one of the reasons to rename. libcgroup which
> automates cgroup management installs the /cgroup mountpoint. whilst
> that directories content is the cgroup pseudo filesystem. So we needed
> two types for almost the same purpose. So we choose cgroup_t for
> libcgroups /cgroup mountpoint and we decided to rename the cgroupfs
> pseudo fs cgroupfs

I don't see a need for two different types.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-07 14:17:07

by domg472

Subject: [refpolicy] kernel_filesystem.patch

On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > >>
> > > > >> Changes for /cgroup policy
> > > > >
> > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > renamed.
> > > > >
> > > > Well it is a file system?
> > >
> > > Thats not necessarily a good reason, since other pseudo filesystems
> > > exist in other modules, for good reason. It also doesn't explain the
> > > renaming.
> >
> > the libcgroup suite was one of the reasons to rename. libcgroup which
> > automates cgroup management installs the /cgroup mountpoint. whilst
> > that directories content is the cgroup pseudo filesystem. So we needed
> > two types for almost the same purpose. So we choose cgroup_t for
> > libcgroups /cgroup mountpoint and we decided to rename the cgroupfs
> > pseudo fs cgroupfs
>
> I don't see a need for two different types.

I guess strictly speaking there is no need for two types. We can just add the fc spec for /cgroup -d to filesystem.fc
and let libcgroup and other domains call cgroup filesystem interfaces.

We might lose a bit of flexibility but most likely insignificant anyway.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>

2010-06-07 14:56:08

by cpebenito

Subject: [refpolicy] kernel_filesystem.patch

On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
> On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> > On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > > >>
> > > > > >> Changes for /cgroup policy
> > > > > >
> > > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > > renamed.
> > > > > >
> > > > > Well it is a file system?
> > > >
> > > > Thats not necessarily a good reason, since other pseudo filesystems
> > > > exist in other modules, for good reason. It also doesn't explain the
> > > > renaming.
> > >
> > > the libcgroup suite was one of the reasons to rename. libcgroup which
> > > automates cgroup management installs the /cgroup mountpoint. whilst
> > > that directories content is the cgroup pseudo filesystem. So we needed
> > > two types for almost the same purpose. So we choose cgroup_t for
> > > libcgroups /cgroup mountpoint and we decided to rename the cgroupfs
> > > pseudo fs cgroupfs
> >
> > I don't see a need for two different types.
>
> I guess strictly speaking there is no need for two types. We can just
> add the fc spec for /cgroup -d to filesystem.fc

That's what I had in mind.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-07 15:24:21

by domg472

Subject: [refpolicy] kernel_filesystem.patch

On Mon, Jun 07, 2010 at 10:56:08AM -0400, Christopher J. PeBenito wrote:
> On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
> > On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> > > On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > > > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > > > >>
> > > > > > >> Changes for /cgroup policy
> > > > > > >
> > > > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > > > renamed.
> > > > > > >
> > > > > > Well it is a file system?
> > > > >
> > > > > Thats not necessarily a good reason, since other pseudo filesystems
> > > > > exist in other modules, for good reason. It also doesn't explain the
> > > > > renaming.
> > > >
> > > > the libcgroup suite was one of the reasons to rename. libcgroup which
> > > > automates cgroup management installs the /cgroup mountpoint. whilst
> > > > that directories content is the cgroup pseudo filesystem. So we needed
> > > > two types for almost the same purpose. So we choose cgroup_t for
> > > > libcgroups /cgroup mountpoint and we decided to rename the cgroupfs
> > > > pseudo fs cgroupfs
> > >
> > > I don't see a need for two different types.
> >
> > I guess strictly speaking there is no need for two types. We can just
> > add the fc spec for /cgroup -d to filesystem.fc
>
> Thats what I had in mind.

So.. you want cgroup_t instead of cgroupfs_t?

You realize that when we merge the two, the chosen type will get the mountpoint attribute even if it's a directory under /cgroup?

If we can come to some agreement I will submit a patch with the changes if required.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>

2010-06-07 15:41:28

by cpebenito

Subject: [refpolicy] kernel_filesystem.patch

On Mon, 2010-06-07 at 17:24 +0200, Dominick Grift wrote:
> On Mon, Jun 07, 2010 at 10:56:08AM -0400, Christopher J. PeBenito wrote:
> > On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
> > > On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> > > > On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > > > > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > > > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > > > > >>
> > > > > > > >> Changes for /cgroup policy
> > > > > > > >
> > > > > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > > > > renamed.
> > > > > > > >
> > > > > > > Well it is a file system?
> > > > > >
> > > > > > Thats not necessarily a good reason, since other pseudo filesystems
> > > > > > exist in other modules, for good reason. It also doesn't explain the
> > > > > > renaming.
> > > > >
> > > > > the libcgroup suite was one of the reasons to rename. libcgroup which
> > > > > automates cgroup management installs the /cgroup mountpoint. whilst
> > > > > that directories content is the cgroup pseudo filesystem. So we needed
> > > > > two types for almost the same purpose. So we choose cgroup_t for
> > > > > libcgroups /cgroup mountpoint and we decided to rename the cgroupfs
> > > > > pseudo fs cgroupfs
> > > >
> > > > I don't see a need for two different types.
> > >
> > > I guess strictly speaking there is no need for two types. We can just
> > > add the fc spec for /cgroup -d to filesystem.fc
> >
> > Thats what I had in mind.
>
> So.. you want cgroup_t instead of cgroupfs_t?

Yes, since the filesystem is called cgroup and the cgroup_t type already
exists to label it.

> You realize that when we merge the two, that the chosen type will get
> the mountpoint attribute even if its a directory under /cgroup?

Yes.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-06-07 16:50:24

by Daniel Walsh

Subject: [refpolicy] kernel_filesystem.patch

On 06/07/2010 11:41 AM, Christopher J. PeBenito wrote:
> On Mon, 2010-06-07 at 17:24 +0200, Dominick Grift wrote:
>> On Mon, Jun 07, 2010 at 10:56:08AM -0400, Christopher J. PeBenito wrote:
>>> On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
>>>> On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
>>>>> On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
>>>>>> On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
>>>>>>> On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
>>>>>>>> On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
>>>>>>>>> On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
>>>>>>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
>>>>>>>>>>
>>>>>>>>>> Changes for /cgroup policy
>>>>>>>>>
>>>>>>>>> While moving the labeling of cgroup from kernel to filesystem modules
>>>>>>>>> may make sense, I'm not sure why the type and interfaces need to be
>>>>>>>>> renamed.
>>>>>>>>>
>>>>>>>> Well it is a file system?
>>>>>>>
>>>>>>> Thats not necessarily a good reason, since other pseudo filesystems
>>>>>>> exist in other modules, for good reason. It also doesn't explain the
>>>>>>> renaming.
>>>>>>
>>>>>> the libcgroup suite was one of the reasons to rename. libcgroup which
>>>>>> automates cgroup management installs the /cgroup mountpoint. whilst
>>>>>> that directories content is the cgroup pseudo filesystem. So we needed
>>>>>> two types for almost the same purpose. So we choose cgroup_t for
>>>>>> libcgroups /cgroup mountpoint and we decided to rename the cgroupfs
>>>>>> pseudo fs cgroupfs
>>>>>
>>>>> I don't see a need for two different types.
>>>>
>>>> I guess strictly speaking there is no need for two types. We can just
>>>> add the fc spec for /cgroup -d to filesystem.fc
>>>
>>> Thats what I had in mind.
>>
>> So.. you want cgroup_t instead of cgroupfs_t?
>
> Yes, since the filesystem is called cgroup and the cgroup_t type already
> exists to label it.
>
>> You realize that when we merge the two, that the chosen type will get
>> the mountpoint attribute even if its a directory under /cgroup?
>
> Yes.
>
I don't care either way. Just want to get it settled.