[systemd-devel] [PATCH 3/4] condition: add ConditionSELinux
Daniel J Walsh
dwalsh at redhat.com
Tue Apr 5 05:42:43 PDT 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/04/2011 06:32 PM, Kay Sievers wrote:
> On Mon, Apr 4, 2011 at 23:39, Michal Schmidt <mschmidt at redhat.com> wrote:
>> On Mon, 4 Apr 2011 22:51:55 +0200 Kay Sievers wrote:
>>> We really need something here that is not tied to the / inode, because
>>> we want to support r/o / or / on tmpfs with only the subdirs mounted
>>> from disk. xattrs of / just have the same issues as /.-files, it's
>>> just a different storage format regarding that problem.
>>
>> The key is it would a _per-filesystem_ flag meaning "this fs is tainted
>> for use with SELinux and needs relabeling".
>> The xattr containing the value of the flag would be attached to the
>> relative / of every mounted filesystem.
>>
>> filesystems mounted ro don't matter, because they cannot get their
>> file contexts changed and therefore do not need to be marked tainted.
>>
>> mount itself should write the xattr when it mounts the filesystem
>> read-write and SELinux is disabled.
>>
>> Bill Nottingham noted on IRC that relabeling would then be done by
>> systemd in the same pass that handles fsck.
>
> Yeah, sounds good if that works.
>
> The setup we might want to support in the future is that the couple of
> needed / directories are populated by btrfs subvolumes. Something like
> such a flag on the root of the individual subvolume that gets mounted
> might work just fine.
>
> Kay
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
systemd should check if the mount flag includes seclabel field.
before labeling.
If a file system does not support labeling or does is mounted with a
context mount option, the file system will not show the label seclabel.
grep seclabel /proc/self/mountinfo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk2bDkMACgkQrlYvE4MpobN9zQCfWIFyN/v867REStweuQjjFNbi
7ZUAoK8w6DDOz3+B9VYvYENDi6g4MOY0
=jz/r
-----END PGP SIGNATURE-----
More information about the systemd-devel
mailing list