problems with tmpfs and relabeling
Stephen Smalley
sds at tycho.nsa.gov
Fri Apr 21 17:08:52 UTC 2006
On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> Stephen Smalley (sds at tycho.nsa.gov) said:
> > we need a rw mount on /etc/selinux separate from the
> > rest of root so that we can perform policy module operations.
>
> I'm not as sure about this now that I understand how semodule
> is supposed to work. If you're running a read-only system,
> you shouldn't need to add or remove modules at runtime - that's
> something you do when preparing the image to run read-only. That
> only leaves listing modules, which I presume can be fixed to not
> need write access?
Likely, but we'd want to distinguish the ro mount case from a rw mount
where the read lock acquisition fails for some other cause. Likely can
just test for errno EROFS when semanage_get_active_lock() fails, and
proceed with rdonly operations in that case? cc'd Tresys folks above.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list