On Fri, 29.04.11 11:21, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote:

> > I guess I missed some discussion of this. You'd need to update
> > libselinux at least, definition of SELINUXMNT in
> > libselinux/src/policy.h, used by selinux_init_load_policy() to mount
> > selinuxfs for initial policy load. And it may break rc scripts and
> > other scripts/programs that have become accustomed to /selinux.
> >
>
> Here is the patch I am thinking about.
>
> I think mock might need to be updated, maybe livecd tools.
>
> + /* We check to see if the original mount point for selinux file
> + * system has a selinuxfs. */
> + do {
> + rc = statfs("/selinux", &sfbuf);
> + } while (rc < 0 && errno == EINTR);
> + if (rc == 0) {
> + if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
> + selinux_mnt = strdup("/selinux");
> + return;
> + }

I like the patch.

One little feature request where we already are on this: Given that there is a statfs() in here anyway, could we also maybe extend this a tiny bit, and add a statvfs() call as well, and if ST_RDONLY is set in .f_flag consider selinux to be off?

That would be very handy in containers/chroots and stuff like that, where you might want to make the container assume selinux is off even though the host has it enabled. If the container/chroot manager simply bind mounts /selinux into the namespace read-only this would then be an effective way to make selinux appear off to the container code.

I think using whether /selinux is read-only as a flag for selinux off is a pretty natural nice way. mock currently tries to work around this by placing a fake /proc/filesystems file in the namespace, and I think that's quite ugly. Using read-only /selinux as flag appears much nicer to me, since it in itself already disables a number of selinux operations.

Lennart

--
Lennart Poettering - Red Hat, Inc.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
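Review bot: the result of strdup("/selinux") is returned without a NULL check, so an allocation failure leaves selinux_mnt NULL, which callers are likely to read as "selinuxfs not mounted" rather than as an error; suggest testing the pointer before the early return and either falling through to the existing lookup or reporting the failure. The quoted fragment also has no @@ header and omits the fall-through path after the if, so the behaviour when /selinux is not a selinuxfs cannot be reviewed from these lines.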
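The detection in the quoted hunk combined with the statvfs()/ST_RDONLY rule proposed in the reply, as an added example that is not from the patch or from libselinux; SELINUX_MAGIC is defined locally rather than taken from the libselinux headers, and the enum and function names are assumptions.

```c
/* Added example: classify a path the way the quoted patch does (statfs
 * f_type == SELINUX_MAGIC) and additionally treat a read-only selinuxfs
 * (statvfs f_flag & ST_RDONLY) as "SELinux off", as suggested in the reply. */
#include <errno.h>
#include <stdint.h>
#include <sys/statfs.h>
#include <sys/statvfs.h>

/* f_type reported by statfs() for selinuxfs (value from <linux/magic.h>). */
#define SELINUX_MAGIC 0xf97cff8c

enum selinux_mnt_state {
    SELINUX_MNT_NONE,    /* not a selinuxfs mount, or stat failed */
    SELINUX_MNT_RDONLY,  /* selinuxfs mounted read-only: treat SELinux as off */
    SELINUX_MNT_RDWR     /* selinuxfs mounted read-write: SELinux usable */
};

/* Pure decision function so the policy can be exercised with constructed
 * values: f_type as returned by statfs(), f_flag as returned by statvfs(). */
enum selinux_mnt_state classify_selinux_mnt(uint32_t f_type, unsigned long f_flag)
{
    if (f_type != (uint32_t)SELINUX_MAGIC)
        return SELINUX_MNT_NONE;
    return (f_flag & ST_RDONLY) ? SELINUX_MNT_RDONLY : SELINUX_MNT_RDWR;
}

/* Probe a real path; both system calls are retried on EINTR like the patch. */
enum selinux_mnt_state probe_selinux_mnt(const char *path)
{
    struct statfs sfbuf;
    struct statvfs svbuf;
    int rc;

    do {
        rc = statfs(path, &sfbuf);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return SELINUX_MNT_NONE;

    do {
        rc = statvfs(path, &svbuf);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0)
        return SELINUX_MNT_NONE;

    return classify_selinux_mnt((uint32_t)sfbuf.f_type, svbuf.f_flag);
}
```

Calling probe_selinux_mnt("/selinux") inside a container whose manager bind-mounted selinuxfs read-only yields SELINUX_MNT_RDONLY, which is the condition the reply proposes to map to "SELinux off".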