[systemd-devel] [PATCH 3/4] condition: add ConditionSELinux

Lennart Poettering lennart at poettering.net
Tue Apr 5 05:59:44 PDT 2011


On Tue, 05.04.11 08:42, Daniel J Walsh (dwalsh at redhat.com) wrote:

> systemd should check if the mount flag includes seclabel field.
> before labeling.
> If a file system does not support labeling or is mounted with a
> context mount option, the file system will not show the label seclabel.
> 
> grep seclabel /proc/self/mountinfo

What happens if we try to relabel those file systems nonetheless? Just errors?

Hmm, we currently only relabel /run and /dev recursively, plus the
top-level inode of all API file systems we mount. 

I presume devtmpfs and tmpfs do support "seclabel", right? Do we really
have to code a check for this flag? Given that the list of API mount points
we mount at early boot is pretty much fixed
(http://cgit.freedesktop.org/systemd/tree/src/mount-setup.c#n51) we
could just hardcode the invocation of the relabelling per-filesystem.

Do you have any particular file system in mind where we currently
relabel where we shouldn't?

I'd like to understand what the precise implications of the seclabel
option are, is there some doc available somewhere? The mount man page
doesn't mention it... :-(

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
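The check Daniel proposes above (look at /proc/self/mountinfo and only relabel a file system whose super-block options include seclabel), as an added example that is not part of this thread and not systemd's own mount-setup code: a small C program that parses mountinfo lines, records per mount whether the super options carry seclabel or a context= option, and applies a relabel_allowed() rule. The SAMPLE_MOUNTINFO buffer, the struct and function names, and the rule itself are constructed for illustration; when run stand-alone it reads the live /proc/self/mountinfo instead.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MOUNTS 256

/* One parsed mountinfo entry (only the fields needed for the seclabel check). */
struct mount_entry {
    char mount_point[256];
    char fstype[64];
    bool seclabel;       /* "seclabel" present in the super-block options */
    bool context_mount;  /* "context=..." present in the super-block options */
};

/* Constructed sample in /proc/self/mountinfo format (not captured from a real host). */
const char *SAMPLE_MOUNTINFO =
    "18 1 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=8k,mode=755\n"
    "22 1 0:19 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,seclabel,mode=755\n"
    "30 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw,seclabel,data=ordered\n"
    "40 30 0:35 / /mnt/share rw,relatime shared:9 - nfs srv:/export rw,vers=3\n"
    "41 30 0:36 / /var/lib/ctx rw,relatime shared:10 - tmpfs tmpfs rw,context=system_u:object_r:var_lib_t:s0\n";

/* Look for an option in a comma-separated option list: either an exact flag
 * ("seclabel") or a "name=value" option when takes_value is set.  Values that
 * themselves contain commas (quoted contexts) are not handled here. */
static bool option_present(const char *opts, const char *name, bool takes_value)
{
    size_t n = strlen(name);
    for (const char *p = opts; *p;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (takes_value) {
            if (len > n && strncmp(p, name, n) == 0 && p[n] == '=')
                return true;
        } else if (len == n && strncmp(p, name, n) == 0) {
            return true;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Parse one mountinfo line:
 *   id parent maj:min root mountpoint mntopts [optional...] - fstype source superopts
 * Spaces inside paths are escaped as \040 by the kernel, so %s tokenising is safe
 * and " - " only ever appears as the separator. */
bool parse_mountinfo_line(const char *line, struct mount_entry *e)
{
    char mp[256], fstype[64], superopts[512];
    const char *sep = strstr(line, " - ");
    if (!sep)
        return false;
    if (sscanf(line, "%*s %*s %*s %*s %255s", mp) != 1)
        return false;
    if (sscanf(sep + 3, "%63s %*s %511s", fstype, superopts) != 2)
        return false;
    snprintf(e->mount_point, sizeof e->mount_point, "%s", mp);
    snprintf(e->fstype, sizeof e->fstype, "%s", fstype);
    e->seclabel = option_present(superopts, "seclabel", false);
    e->context_mount = option_present(superopts, "context", true);
    return true;
}

/* Parse a whole mountinfo buffer; returns the number of entries filled. */
int parse_mountinfo(const char *buf, struct mount_entry *out, int max)
{
    int n = 0;
    for (const char *p = buf; *p && n < max;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && parse_mountinfo_line(line, &out[n]))
            n++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* The rule from the thread: relabel only where the kernel advertises seclabel.
 * A context= mount never shows seclabel, so it is excluded automatically. */
bool relabel_allowed(const struct mount_entry *e)
{
    return e->seclabel;
}

int main(void)
{
    static char buf[1 << 16];
    struct mount_entry ents[MAX_MOUNTS];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) {
        perror("/proc/self/mountinfo");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int cnt = parse_mountinfo(buf, ents, MAX_MOUNTS);
    for (int i = 0; i < cnt; i++)
        printf("%-32s %-10s seclabel=%d context=%d relabel=%s\n",
               ents[i].mount_point, ents[i].fstype, ents[i].seclabel,
               ents[i].context_mount, relabel_allowed(&ents[i]) ? "yes" : "no");
    return 0;
}
```

Running it on a host prints one line per mount; mounts without seclabel (NFS in the sample, or anything with a context= option) come out with relabel=no, which is exactly the set the relabel step should skip rather than walk and collect errors on.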

