[systemd-devel] [PATCH 3/4] condition: add ConditionSELinux
kay.sievers at vrfy.org
Mon Apr 4 13:51:55 PDT 2011
2011/4/4 Michal Schmidt <mschmidt at redhat.com>:
> On Mon, 04 Apr 2011 20:59:58 +0200 Alexander Boström wrote:
>> > If on the other hand / stays read-only for the whole duration of
>> > working with SELinux disabled, then no contexts will be harmed and
>> > relabeling will not be necessary.
>> If / is ro but /var is rw then a relabel is still useful, right?
>> And /var is more likely to be mounted rw than / is, so it would make
>> sense to store this flag somewhere in /var.
>> Or even better, in each filesystem. (An xattr on the root inode?)
> hehe, I was rethinking this today and came to the same conclusion :-)
> i.e. that it really ought to be per-filesystem. I didn't think of
> using xattrs for this though. It's an interesting idea. I was
> thinking about adding a field to the fs superblock, but that would
> require kernel changes in several filesystems. xattr is easier.
We really need something here that is not tied to the / inode, because
we want to support r/o / or / on tmpfs with only the subdirs mounted
from disk. xattrs of / just have the same issues as /.-files, it's
just a different storage format regarding that problem.