Stephen Smalley (sds@xxxxxxxxxxxxx) said:
> > > Do you expect them to follow the traditional
> > > inherit-from-parent-directory behavior you get from ext3?
> >
> > Yes.
>
> Yes, and that's ok. I think we just need to adjust policy to allow
> restorecon to fix the label on the root directory, and (on the separate
> issue of policy),

OK.

> we need a rw mount on /etc/selinux separate from the
> rest of root so that we can perform policy module operations.

I'm not as sure about this now that I understand how semodule is
supposed to work. If you're running a read-only system, you shouldn't
need to add or remove modules at runtime - that's something you do
when preparing the image to run read-only. That only leaves listing
modules, which I presume can be fixed to not need write access?

Bill

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list