problems with tmpfs and relabeling

Joshua Brindle jbrindle at tresys.com
Fri Apr 21 18:05:51 UTC 2006


> From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
> 
> On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> > Stephen Smalley (sds at tycho.nsa.gov) said: 
> > > we need a rw mount on /etc/selinux separate from the rest 
> of root so 
> > > that we can perform policy module operations.
> > 
> > I'm not as sure about this now that I understand how semodule is 
> > supposed to work. If you're running a read-only system, you 
> shouldn't 
> > need to add or remove modules at runtime - that's something you do 
> > when preparing the image to run read-only. That only leaves listing 
> > modules, which I presume can be fixed to not need write access?
> 
> Likely, but we'd want to distinguish the ro mount case from a 
> rw mount where the read lock acquisition fails for some other 
> cause.  Likely can just test for errno EROFS when 
> semanage_get_active_lock() fails, and proceed with rdonly 
> operations in that case?  cc'd Tresys folks above.

Not sure about this, if the mount becomes rw in the middle of a EROFS
read the policy can changed underneath them. I guess I'm unsure where
this sudden push for ro filesystem support is coming from and why its
important. Any kind of read only / system is going to have a highly
abstracted interface. I have serious doubts that there would be any
users running a bash shell and trying to get a list of modules.




More information about the selinux mailing list