problems with tmpfs and relabeling
Joshua Brindle
jbrindle at tresys.com
Fri Apr 21 18:05:51 UTC 2006
> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
>
> On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> > Stephen Smalley (sds at tycho.nsa.gov) said:
> > > we need a rw mount on /etc/selinux separate from the rest
> of root so
> > > that we can perform policy module operations.
> >
> > I'm not as sure about this now that I understand how semodule is
> > supposed to work. If you're running a read-only system, you
> shouldn't
> > need to add or remove modules at runtime - that's something you do
> > when preparing the image to run read-only. That only leaves listing
> > modules, which I presume can be fixed to not need write access?
>
> Likely, but we'd want to distinguish the ro mount case from a
> rw mount where the read lock acquisition fails for some other
> cause. Likely can just test for errno EROFS when
> semanage_get_active_lock() fails, and proceed with rdonly
> operations in that case? cc'd Tresys folks above.
Not sure about this, if the mount becomes rw in the middle of a EROFS
read the policy can changed underneath them. I guess I'm unsure where
this sudden push for ro filesystem support is coming from and why its
important. Any kind of read only / system is going to have a highly
abstracted interface. I have serious doubts that there would be any
users running a bash shell and trying to get a list of modules.
More information about the selinux
mailing list