problems with tmpfs and relabeling

Bill Nottingham notting at redhat.com
Fri Apr 21 18:58:25 UTC 2006


Joshua Brindle (jbrindle at tresys.com) said: 
> > Yes, but that tends to imply some fairly severe gun -> foot 
> > interactions on the part of the admin.
> 
> The admin need not know what is going on, how many things happen on
> average linux systems without an average admins knowledge?

Well, I'd hope that remounting the root FS read-write wouldn't
be one of those. Arguably, you could even set up the policy to disallow
this.

> I retract the above statement. Even when making non-persistent boolean
> changes (which I can see happening on these systems) the lock is
> attempted. It's still unclear whether setsebool should fallback or if
> libsemanage should. I don't like the idea of lockless readers, even if
> the filesystem is RO when we start reading. 

Hm, I didn't consider booleans. How (at an implementation level)
is setting of booleans done? (I haven't looked at the backend guts
of the SELinux code that much.)

Bill
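The fallback question in the thread (should setsebool, or libsemanage, skip the persistent store when the filesystem it lives on is read-only?) can be pre-checked from the mount table before any lock is attempted. The following is an added example, not code from the thread or from the SELinux project: a POSIX sh helper that takes a /proc/mounts-style table and a path, finds the deepest mount point covering that path, and reports whether a persistent (setsebool -P style) change is worth attempting or only a runtime change makes sense. The mount table is constructed for the example; the assumption that the policy store lives under /etc/selinux is the writer's, and a real script would read /proc/mounts instead of the embedded string.

```shell
#!/bin/sh
# Constructed /proc/mounts-style table (not taken from the thread): the root
# filesystem was remounted read-only, /var and /tmp are writable.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 ro,noatime 0 0
/dev/sda2 /var ext3 rw 0 0
tmpfs /tmp tmpfs rw 0 0'

# mount_opts_for TABLE PATH
# Prints the mount options of the deepest mount point that covers PATH.
# Later entries for the same mount point override earlier ones, which is how
# the kernel lists a filesystem that was mounted over rootfs.
mount_opts_for() {
    path=$2
    best=
    bestopts=
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        case "$mnt" in
            /) match=1 ;;
            *) case "$path" in
                   "$mnt"|"$mnt"/*) match=1 ;;
                   *) match=0 ;;
               esac ;;
        esac
        # Keep the longest matching mount point; "-ge" lets a later entry
        # for the same mount point replace an earlier one.
        if [ "$match" -eq 1 ] && [ "${#mnt}" -ge "${#best}" ]; then
            best=$mnt
            bestopts=$opts
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$bestopts"
}

# fs_is_ro TABLE PATH -> exit 0 if the filesystem holding PATH is mounted ro
fs_is_ro() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# choose_mode TABLE STORE_PATH
# Prints "persistent" when the policy store is writable and a -P style change
# (which takes the store lock) can be expected to succeed, or "runtime-only"
# when the store's filesystem is read-only and only the in-kernel boolean
# should be flipped.
choose_mode() {
    if fs_is_ro "$1" "$2"; then
        printf 'runtime-only\n'
    else
        printf 'persistent\n'
    fi
}

# Assumed location of the policy store for this example.
choose_mode "$SAMPLE_MOUNTS" /etc/selinux
```

Run as written it prints runtime-only, because the deepest mount covering /etc/selinux is the read-only root entry; a path under /var or /tmp resolves to the writable entries and yields persistent. Whether the fallback belongs in setsebool or in libsemanage is a separate design choice the thread leaves open; this only shows the check either of them could make.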
