[systemd-devel] [PATCH 3/4] condition: add ConditionSELinux

Michal Schmidt mschmidt at redhat.com
Sun Apr 3 12:39:01 PDT 2011


On Sun, 03 Apr 2011 19:56:50 +0200 Tollef Fog Heen wrote:
> How does this interact with read-only /?

If the user
 1. boots with SELinux disabled and read-only /,
 2. remounts / read-write and thus destroys some files' contexts,
 3. and then reboots with SELinux enabled
then he's on his own to deal with the consequences.

If on the other hand / stays read-only for the whole duration of
working with SELinux disabled, then no contexts will be harmed and
relabeling will not be necessary.

> We should really stop having flag files like this outside
> of well-defined directories which exist for that purpose.

/.autorelabel is not new. Fedora's /etc/rc.sysinit has been doing
this since May 2005. I am only trying to prevent the loss of this
feature.
What directory would you suggest for this purpose?

Michal

