On Tue, Jun 19, 2018 at 11:48:39AM +0200, Lennart Poettering wrote:
> On Mo, 18.06.18 16:54, R P Herrold (herrold@xxxxxxxxxxxx) wrote:
>
> > On Mon, 18 Jun 2018, Lennart Poettering wrote:
> >
> > > On Do, 14.06.18 14:20, Chris Murphy (lists@xxxxxxxxxxxxxxxxx) wrote:
> > >
> > > > The cited BLS spec is the original one, [1]
> >
> > ... later: L.P.:
> >
> > > [reduce] the size of the spec if possible, and drop as many
> > > bits of it as we can, i.e. the stuff no one implements
> > > anyway.
> >
> > > > The cited BLS spec requires $BOOT be VFAT, are we doing that?
> >
> > Will cgroup and SElinux protections work in VFAT?
>
> cgroups and file systems have little to do with each other.
>
> VFAT won't store selinux labels of course, but you can assign a fixed
> label to all files of a vfat file system when mounting it. It's what
> Fedora does when dealing with the ESP already. So regarding selinux
> it's not whether to do selinux or not to do it, but whether it's really
> necessary to label the initrd file and the kernel differently, or
> whether it's ok to give all files in /boot the same label. I am pretty
> sure that's actually what already happens anyway, even if you have
> ext4, but then again I am not running grub nor ext4, so I don't really know.

Mostly everything is labelled with boot_t, but System.map files get given
system_map_t, and there are a few filesystem housekeeping labels too.
You can view it with semanage:

  # semanage fcontext -l | grep '^/boot'
  /boot                                   all files      system_u:object_r:boot_t:s0
  /boot/.*                                all files      system_u:object_r:boot_t:s0
  /boot/System\.map(-.*)?                 regular file   system_u:object_r:system_map_t:s0
  /boot/\.journal                         all files      <<None>>
  /boot/a?quota\.(user|group)             regular file   system_u:object_r:quota_db_t:s0
  /boot/efi(/.*)?/System\.map(-.*)?       regular file   system_u:object_r:system_map_t:s0
  /boot/lost\+found                       directory      system_u:object_r:lost_found_t:s0
  /boot/lost\+found/.*                    all files      <<None>>

Regards,
Daniel

--
|: https://berrange.com      -o-      https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/6B7P3Y7YCCKDODAHXWCJTVQX2SRQFO3Q/
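The label resolution the semanage listing above describes, as an added example that is not part of the thread: a small Python resolver that parses the listed fcontext entries and reports which type a given path under /boot would receive. It assumes that the entry with the longest literal stem wins, with the later entry winning on ties, as an approximation of libselinux's file_contexts ordering; the sample input is constructed from the entries quoted in the message.

```python
import re

# Constructed sample in the shape of `semanage fcontext -l | grep '^/boot'`; <<None>> means "leave unlabelled".
SAMPLE = r"""
/boot                               all files      system_u:object_r:boot_t:s0
/boot/.*                            all files      system_u:object_r:boot_t:s0
/boot/System\.map(-.*)?             regular file   system_u:object_r:system_map_t:s0
/boot/\.journal                     all files      <<None>>
/boot/a?quota\.(user|group)         regular file   system_u:object_r:quota_db_t:s0
/boot/efi(/.*)?/System\.map(-.*)?   regular file   system_u:object_r:system_map_t:s0
/boot/lost\+found                   directory      system_u:object_r:lost_found_t:s0
/boot/lost\+found/.*                all files      <<None>>
"""

LINE = re.compile(r"^(\S+)\s+(all files|regular file|directory|symbolic link|"
                  r"character device|block device|named pipe|socket)\s+(\S+)$")
META = set(".^$*+?()[]{}|\\")   # regex metacharacters that end the literal stem

def parse(text):
    """Return (regex, file_type, context_or_None) tuples in listed order."""
    specs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            regex, ftype, ctx = m.groups()
            specs.append((regex, ftype, None if ctx == "<<None>>" else ctx))
    return specs

def literal_prefix(regex):
    """Part of the regex before its first metacharacter (the 'stem')."""
    for i, ch in enumerate(regex):
        if ch in META:
            return regex[:i]
    return regex

def lookup(specs, path, ftype="regular file"):
    """SELinux type (e.g. 'boot_t') that `path` would receive, or None if unlabelled.
    Assumption: longest literal stem wins, later entry on ties (approximates libselinux)."""
    best = None
    for idx, (regex, spec_type, ctx) in enumerate(specs):
        if spec_type != "all files" and spec_type != ftype:
            continue                      # entry restricted to another file type
        if not re.fullmatch(regex, path):
            continue
        key = (len(literal_prefix(regex)), idx)
        if best is None or key > best[0]:
            best = (key, ctx)
    return None if best is None or best[1] is None else best[1].split(":")[2]
```

Because the System.map entries are restricted to regular files, a directory of that name still falls back to boot_t, which is the file-type filter the listing's second column encodes.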