RE: problems with tmpfs and relabeling
- From: "Joshua Brindle" <jbrindle tresys com>
- To: "Stephen Smalley" <sds tycho nsa gov>, "Bill Nottingham" <notting redhat com>
- Cc: James Morris <jmorris redhat com>, Daniel J Walsh <dwalsh redhat com>, fedora-selinux-list redhat com
- Subject: RE: problems with tmpfs and relabeling
- Date: Fri, 21 Apr 2006 14:05:51 -0400
> From: Stephen Smalley [mailto:sds tycho nsa gov]
>
> On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> > Stephen Smalley (sds tycho nsa gov) said:
> > > we need a rw mount on /etc/selinux separate from the rest
> > > of root so that we can perform policy module operations.
> >
> > I'm not as sure about this now that I understand how semodule is
> > supposed to work. If you're running a read-only system, you shouldn't
> > need to add or remove modules at runtime - that's something you do
> > when preparing the image to run read-only. That only leaves listing
> > modules, which I presume can be fixed to not need write access?
>
> Likely, but we'd want to distinguish the ro mount case from a
> rw mount where the read lock acquisition fails for some other
> cause. Likely can just test for errno EROFS when
> semanage_get_active_lock() fails, and proceed with rdonly
> operations in that case? cc'd Tresys folks above.
Not sure about this; if the mount becomes rw in the middle of an EROFS
read, the policy can be changed underneath them. I guess I'm unsure where
this sudden push for ro filesystem support is coming from and why it's
important. Any kind of read-only / system is going to have a highly
abstracted interface. I have serious doubts that there would be any
users running a bash shell and trying to get a list of modules.
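The check Stephen sketches above (treat a lock failure with errno EROFS as "store is on a read-only mount, fall back to read-only operations", treat any other errno as a real failure) is small enough to show concretely. The following is an added example and is not code from libsemanage or from anyone in the thread; the names `acquire_active_lock`, `classify_lock_failure` and the `lock_outcome` values are made up for illustration, and the lock is a plain file plus `flock(2)` rather than whatever semanage_get_active_lock() does internally.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Hypothetical outcome codes for a lock attempt (not libsemanage's API). */
enum lock_outcome {
    LOCK_ACQUIRED,          /* lock file opened read-write and locked */
    LOCK_READONLY_FALLBACK, /* store is on a read-only mount: proceed read-only */
    LOCK_FAILED             /* any other failure: report it, do not guess */
};

/* Decide what a failed lock attempt means from its errno alone.
 * EROFS is the one case where continuing with read-only operations
 * (e.g. listing modules) is justified; every other errno, such as
 * EACCES or ENOENT, is a genuine error and must not be papered over. */
enum lock_outcome classify_lock_failure(int err)
{
    return err == EROFS ? LOCK_READONLY_FALLBACK : LOCK_FAILED;
}

/* Try to take an exclusive, non-blocking advisory lock on lock_path.
 * The file is opened O_RDWR|O_CREAT, which is exactly the step that
 * fails with EROFS when the store lives on a read-only mount.
 * On LOCK_ACQUIRED, *fd_out holds the open, locked descriptor and the
 * caller releases the lock by closing it. */
enum lock_outcome acquire_active_lock(const char *lock_path, int *fd_out)
{
    int fd = open(lock_path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return classify_lock_failure(errno);

    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        int saved = errno;   /* close() may clobber errno */
        close(fd);
        return classify_lock_failure(saved);
    }

    *fd_out = fd;
    return LOCK_ACQUIRED;
}

/* Stand-alone demonstration against a constructed lock path. */
int main(void)
{
    int fd = -1;
    const char *path = "/tmp/example_active.lock";   /* constructed path */
    switch (acquire_active_lock(path, &fd)) {
    case LOCK_ACQUIRED:
        printf("lock taken on %s, proceeding read-write\n", path);
        close(fd);
        unlink(path);
        break;
    case LOCK_READONLY_FALLBACK:
        printf("%s is on a read-only mount, listing only\n", path);
        break;
    case LOCK_FAILED:
        printf("could not lock %s: %s\n", path, strerror(errno));
        break;
    }
    return 0;
}
```

Note that this is a one-shot decision: it tells the caller the store was read-only at the moment the open failed, and does nothing about the race Joshua raises, where the mount is switched to rw while the read is in progress. A caller that wants to defend against that would have to revalidate the store after reading, which is outside what the thread proposes.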