[systemd-devel] [PATCH 3/4] condition: add ConditionSELinux

Kay Sievers kay.sievers at vrfy.org
Mon Apr 4 15:32:44 PDT 2011


On Mon, Apr 4, 2011 at 23:39, Michal Schmidt <mschmidt at redhat.com> wrote:
> On Mon, 4 Apr 2011 22:51:55 +0200 Kay Sievers wrote:
>> We really need something here that is not tied to the / inode, because
>> we want to support r/o / or / on tmpfs with only the subdirs mounted
>> from disk. xattrs of / just have the same issues as /.-files, it's
>> just a different storage format regarding that problem.
>
> The key is it would be a _per-filesystem_ flag meaning "this fs is tainted
> for use with SELinux and needs relabeling".
> The xattr containing the value of the flag would be attached to the
> relative / of every mounted filesystem.
>
> Filesystems mounted ro don't matter, because they cannot get their
> file contexts changed and therefore do not need to be marked tainted.
>
> mount itself should write the xattr when it mounts the filesystem
> read-write and SELinux is disabled.
>
> Bill Nottingham noted on IRC that relabeling would then be done by
> systemd in the same pass that handles fsck.

Yeah, sounds good if that works.

The setup we might want to support in the future is that the couple of
needed / directories are populated by btrfs subvolumes. Something like
such a flag on the root of the individual subvolume that gets mounted
might work just fine.

Kay
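The per-filesystem taint flag discussed above, sketched as an added example that is not code from the thread or from systemd: the xattr name, the separation of "mark" and "select for relabel", and the constructed mount table are all assumptions made here, and the taint lookup is injected so the selection logic can be exercised without a real filesystem.

```python
"""Sketch of the proposed per-filesystem "tainted" xattr for SELinux relabeling."""
import errno
import os

# Constructed attribute name; the thread does not settle on one.
TAINT_XATTR = "user.selinux_relabel_needed"

# Constructed /proc/self/mounts-style sample input.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
proc /proc proc rw,nosuid,nodev 0 0
"""


def parse_mounts(mount_table):
    """Parse mounts(5)-style lines into (mountpoint, fstype, option set)."""
    entries = []
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mountpoint, fstype, opts = fields[:4]
        entries.append((mountpoint, fstype, set(opts.split(","))))
    return entries


def mark_tainted(mountpoint):
    """What mount(8) would do when mounting rw while SELinux is disabled."""
    os.setxattr(mountpoint, TAINT_XATTR, b"1")


def real_has_taint(mountpoint):
    """Read the flag from the root of a mounted filesystem (Linux only)."""
    try:
        os.getxattr(mountpoint, TAINT_XATTR)
        return True
    except OSError as exc:
        if exc.errno in (getattr(errno, "ENODATA", -1), errno.ENOTSUP):
            return False
        raise


def filesystems_needing_relabel(mount_table, has_taint=real_has_taint):
    """Return mountpoints that are writable and carry the taint flag.

    Read-only filesystems are skipped: their file contexts cannot have
    changed, so they never need relabeling even if a stale flag is present.
    """
    return [mp for mp, _fs, opts in parse_mounts(mount_table)
            if "ro" not in opts and has_taint(mp)]
```

Run at the same point as the fsck pass, the returned list is the set of filesystems to relabel before the flag is cleared.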

