On Mo, 25.06.18 11:23, Daniel P. Berrangé (berrange(a)redhat.com) wrote:
> That would break applications like libguestfs which run as non-root and
> have valid need to access /boot/vmlinuz*

Hmm, can you elaborate on that? What precisely do they need there?

If it's just the kernel image itself then they shouldn't really use
/boot anyway I figure, but instead the kernel in
/usr/lib/modules/`uname -r`/vmlinux. It's the same thing really.

Generally I think it'd be a good idea to ensure that only the boot
loader and tools setting up the boot loader would access /boot.

Lennart

--
Lennart Poettering, Red Hat