On Di, 19.06.18 11:14, Daniel P. Berrangé (berrange@xxxxxxxxxx) wrote:

> On Tue, Jun 19, 2018 at 11:48:39AM +0200, Lennart Poettering wrote:
> > On Mo, 18.06.18 16:54, R P Herrold (herrold@xxxxxxxxxxxx) wrote:
> >
> > > On Mon, 18 Jun 2018, Lennart Poettering wrote:
> > >
> > > > On Do, 14.06.18 14:20, Chris Murphy (lists@xxxxxxxxxxxxxxxxx) wrote:
> > >
> > > > > The cited BLS spec is the original one, [1]
> > >
> > > ... later: L.P.:
> > > > [reduce] the size of the spec if possible, and drop as many
> > > > bits of it as we can, i.e. the stuff no one implements
> > > > anyway.
> > >
> > > > > The cited BLS spec requires $BOOT be VFAT, are we doing that?
> > >
> > > Will cgroup and SELinux protections work in VFAT?
> >
> > cgroups and file systems have little to do with each other.
> >
> > VFAT won't store SELinux labels of course, but you can assign a fixed
> > label to all files of a vfat file system when mounting it. It's what
> > Fedora does when dealing with the ESP already. So regarding SELinux
> > it's not whether to do SELinux or not to do it, but whether it is really
> > necessary to label the initrd file and the kernel differently, or
> > whether it's ok to give all files in /boot the same label. I am pretty
> > sure that's actually what already happens anyway, even if you have
> > ext4, but then again I am not running grub nor ext4, so I don't really know.
>
> Mostly everything is labelled with boot_t, but System.map files get
> given system_map_t, and there are a few filesystem housekeeping labels
> too. You can view it with semanage:
>
> # semanage fcontext -l | grep '^/boot'
> /boot all files system_u:object_r:boot_t:s0
> /boot/.* all files system_u:object_r:boot_t:s0
> /boot/System\.map(-.*)? regular file system_u:object_r:system_map_t:s0
> /boot/\.journal all files <<None>>
> /boot/a?quota\.(user|group) regular file system_u:object_r:quota_db_t:s0
> /boot/efi(/.*)?/System\.map(-.*)? regular file system_u:object_r:system_map_t:s0
> /boot/lost\+found directory system_u:object_r:lost_found_t:s0
> /boot/lost\+found/.* all files <<None>>

Since the quota and lost+found stuff doesn't apply to vfat there are
only two labels left: boot_t and system_map_t. The question is whether
there's really benefit in separating these two...

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/UAD6KQPIMEEQJKE2CTKGIWBOZMCYX75U/
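The following is an added example, not part of the thread above and not Fedora or systemd code. It embeds the `semanage fcontext -l | grep '^/boot'` output quoted in the thread as constructed sample input (on a real system you would pipe the live command in instead) and does two things a reviewer of this question would want: it lists which distinct SELinux types remain relevant once the ext-only housekeeping rules (lost+found, quota files) and the `<<None>>` entries are dropped, and it shows which type a given path under /boot would receive from those rules if the filesystem could store labels, so you can compare that against the single fixed type a vfat `context=` mount gives every file. The "longest matching pattern wins" rule used here is a simplification of how setfiles/restorecon choose among matching entries, and the `vmlinuz-example` path is a placeholder, not a real Fedora file name.

```shell
#!/bin/sh
# Constructed sample: the `semanage fcontext -l | grep '^/boot'` output
# quoted in the thread.  Replace with the live command output in practice.
SAMPLE_FCONTEXT='/boot all files system_u:object_r:boot_t:s0
/boot/.* all files system_u:object_r:boot_t:s0
/boot/System\.map(-.*)? regular file system_u:object_r:system_map_t:s0
/boot/\.journal all files <<None>>
/boot/a?quota\.(user|group) regular file system_u:object_r:quota_db_t:s0
/boot/efi(/.*)?/System\.map(-.*)? regular file system_u:object_r:system_map_t:s0
/boot/lost\+found directory system_u:object_r:lost_found_t:s0
/boot/lost\+found/.* all files <<None>>'

# Distinct SELinux types (third field of user:role:type:level) that the policy
# assigns under a prefix, after dropping rules that cannot matter on vfat:
# lost+found and quota files are ext2/3/4 artefacts, and <<None>> assigns
# no label at all.  Output is one type per line, sorted.
boot_types_for_vfat() {
    prefix="$1"
    printf '%s\n' "$SAMPLE_FCONTEXT" |
        awk -v p="$prefix" '
            index($1, p) != 1   { next }   # pattern is outside the prefix
            $NF == "<<None>>"   { next }   # rule assigns no context
            $1 ~ /lost/         { next }   # lost+found: ext housekeeping
            $1 ~ /quota/        { next }   # quota db files: not on vfat
            {
                split($NF, ctx, ":")       # user:role:type:level
                if (!seen[ctx[3]]++) print ctx[3]
            }' | sort
}

# Type a path would get if labels were stored on disk: among rules whose
# pattern matches the whole path, take the most specific one (approximated
# here as the longest pattern).  Prints "(none)" for <<None>> or no match.
expected_type() {
    path="$1"
    printf '%s\n' "$SAMPLE_FCONTEXT" |
        awk -v path="$path" '
            {
                re = "^" $1 "$"            # file_contexts patterns are EREs
                if (path ~ re && length($1) > best_len) {
                    best_len = length($1)
                    best = $NF
                }
            }
            END {
                if (best == "" || best == "<<None>>") { print "(none)"; exit }
                split(best, ctx, ":")
                print ctx[3]
            }'
}

# Stand-alone demo: the types left for a vfat /boot, then what a few paths
# would have been labelled on a filesystem that supports xattrs.
echo "types remaining for vfat /boot:"
boot_types_for_vfat /boot
for p in /boot/vmlinuz-example /boot/System.map-example /boot/lost+found/x; do
    printf '%-28s -> %s\n' "$p" "$(expected_type "$p")"
done
```

With a single `context=` mount option on vfat every file, kernel and System.map alike, gets the one type you choose, so the output of `expected_type` is exactly the distinction that collapses; the script makes that trade-off visible before you decide whether it matters for your policy.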