Re: problems with tmpfs and relabeling
- From: Stephen Smalley <sds tycho nsa gov>
- To: Bill Nottingham <notting redhat com>
- Cc: James Morris <jmorris redhat com>, Daniel J Walsh <dwalsh redhat com>, Joshua Brindle <jbrindle tresys com>, fedora-selinux-list redhat com
- Subject: Re: problems with tmpfs and relabeling
- Date: Fri, 21 Apr 2006 13:08:52 -0400
On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> Stephen Smalley (sds tycho nsa gov) said:
> > we need a rw mount on /etc/selinux separate from the
> > rest of root so that we can perform policy module operations.
>
> I'm not as sure about this now that I understand how semodule
> is supposed to work. If you're running a read-only system,
> you shouldn't need to add or remove modules at runtime - that's
> something you do when preparing the image to run read-only. That
> only leaves listing modules, which I presume can be fixed to not
> need write access?
Likely, but we'd want to distinguish the ro mount case from a rw mount
where the read lock acquisition fails for some other cause. Likely can
just test for errno EROFS when semanage_get_active_lock() fails, and
proceed with rdonly operations in that case? cc'd Tresys folks above.
--
Stephen Smalley
National Security Agency
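
The errno test suggested in the message above, as an added example that is not part of the original post and is not libsemanage code: only `EROFS` from lock acquisition switches to read-only operation without a lock, and every other failure remains an error. The function names, the enum, and the lock path are hypothetical, and the sketch assumes that listing from a read-only store needs no lock.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

enum store_mode { STORE_LOCKED, STORE_RDONLY_NOLOCK, STORE_FAIL };

/* Hypothetical policy: a read-only filesystem is the only lock failure
 * that justifies continuing; EACCES, ENOENT, EWOULDBLOCK etc. stay fatal. */
enum store_mode mode_for_lock_error(int err)
{
    return err == EROFS ? STORE_RDONLY_NOLOCK : STORE_FAIL;
}

/* Hypothetical stand-in for read-lock acquisition on a policy store.
 * Opening the lock file with O_RDWR|O_CREAT requests write access, so
 * on a read-only mount open() fails with EROFS. */
enum store_mode acquire_read_lock(const char *lock_path, int *fd_out)
{
    *fd_out = -1;
    int fd = open(lock_path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return mode_for_lock_error(errno);
    if (flock(fd, LOCK_SH | LOCK_NB) < 0) {
        int err = errno;          /* save before close() can change it */
        close(fd);
        errno = err;
        return mode_for_lock_error(err);
    }
    *fd_out = fd;                 /* caller closes fd to release the lock */
    return STORE_LOCKED;
}

int main(int argc, char **argv)
{
    /* Constructed default path; pass a real lock path as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/tmp/example.read.LOCK";
    int fd;
    switch (acquire_read_lock(path, &fd)) {
    case STORE_LOCKED:
        puts("lock held: normal operation"); close(fd); return 0;
    case STORE_RDONLY_NOLOCK:
        puts("read-only filesystem: listing only, no lock taken"); return 0;
    default:
        fprintf(stderr, "lock failed: %s\n", strerror(errno)); return 1;
    }
}
```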