On Sa, 04.07.20 12:49, Chris Murphy (lists@xxxxxxxxxxxxxxxxx) wrote: > Why do the security folks want POSIX and SELinux labels on the > contents of /boot? I've never really gotten a straight answer on this, > but I know it's considered important and a sticking point for why some > folks do not want the kernel and initramfs and bootloader > configuration files on FAT. And can it be mitigated some other way? > Maybe not persistently mounting /boot and /boot/efi or mounting them > on-demand elsewhere only when they need to be modified? You can assign an SELinux label onto a whole file system at mount time via the context= mount option and related ones. Hence the question is why it is supposedly so essential to be able to label the initrd differently than the kernel itself... Note that systemd can automatically mount the ESP and XBOOTLDR partition for you if you let it. If done so it will set it up via automounts, so that the file systems are: 1) automatically fsck'ed on first mount 2) only mounted when actually accessed 3) very quickly after the last access unmounted again This should provide the best data integrity guarantees on those file systems as the file system is almost always unmounted, and thus in a clean state, and automatically fixed in the unlikely case that the system was turned off right at the moment the fs was accessed. Note that this mechanism is independent of the boot loader spec, or sd-boot or anything like that. It's automatically used if /boot or /efi are not listed in /etc/fstab and if partitions of the right type are found in the partition table. (Note that this automatism doesn't support /boot/efi/, first of al because it's weird, but mostly because in order to establish the second automount point we'd have to activate the first one, which defeats the whole excercise of having file systems that are never mounted, except if they are accessed) Hence, a couple of changes independent of the sd-boot/grub/boot loader spec situation would make a lot of sense for Fedora: 1) Use the XBOOTLDR uuid for /boot 2) Mount ESP to /efi instead of /boot/efi (you can keep a symlink in /boot/efi/ if you like) 3) Drop generation of ESP and /boot entries in /etc/fstab in the installer, and let the automatic logic do its thing. > There are other use cases folks are interested in. Here's one: > https://fedoraproject.org/wiki/Changes/BtrfsByDefault#Boot_on_Btrfs You know using a journalling file system on /boot means means you drastically complicate things if you want to implement boot counting, because then you need a writable fs, and then things become complex because you need a ful fs implementation in grub. Do the btrfs upstream folks commit to support an alternative writable btrfs implementation in grub? I doubt so? > That aims to make it possible to support a snapshot/rollback regime. > There needs to be a way to pair the states of /boot and / so that the > kernel we're using to boot a rollback, has modules available on the > rolledback /usr. That does not need to be done with Btrfs, even > though You are just reimplementing OSTree/Atomic/FedoraCoreOS with that... Lennart -- Lennart Poettering, Berlin _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
