I'm currently working with the stateless code, which mounts the root filesystem read-only, moving various things that need to be read-write to tmpfs bind-mounted in the appropriate location.

This initially runs afoul of policy, and I need to write my own policy that allows you to mount on top of /etc/resolv.conf (standard targeted policy doesn't like that for some reason. :) )

However, relabeling the files then fails - for each type that I'm putting on tmpfs, I need to add:

    allow <type> tmpfs_t:filesystem associate;

before relabelling works.

This seems strange - is this something that should be fixed in the stock policy, or should I just carry this in my own module?

Bill