On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> Stephen Smalley (sds@xxxxxxxxxxxxx) said:
> > we need a rw mount on /etc/selinux separate from the
> > rest of root so that we can perform policy module operations.
>
> I'm not as sure about this now that I understand how semodule
> is supposed to work. If you're running a read-only system,
> you shouldn't need to add or remove modules at runtime - that's
> something you do when preparing the image to run read-only. That
> only leaves listing modules, which I presume can be fixed to not
> need write access?

Likely, but we'd want to distinguish the ro mount case from a rw mount where the read lock acquisition fails for some other cause. Likely can just test for errno EROFS when semanage_get_active_lock() fails, and proceed with rdonly operations in that case?

cc'd Tresys folks above.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
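The fallback sketched in the reply above, as an added example that is not libsemanage code and not part of the original thread: try to take the store's write lock, and only when the failure is EROFS (the store sits on a read-only mount) degrade to read-only operations such as listing modules; any other errno on a writable store (EACCES, ENOENT, EWOULDBLOCK) stays a hard error rather than being silently downgraded. The function names, the `store_mode`/`store_op` enums and the lock path `/tmp/example-semanage.lock` are hypothetical stand-ins for `semanage_get_active_lock()` and the real store layout.

```c
/* Illustrative read-only-mount fallback for a policy module store.
 * Added example; NOT libsemanage code. Function names, enums and the
 * lock path are hypothetical stand-ins for semanage_get_active_lock(). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <unistd.h>

enum store_mode { STORE_ERR = -1, STORE_RO = 0, STORE_RW = 1 };
enum store_op   { OP_LIST, OP_INSTALL, OP_REMOVE };

/* Map the errno of a failed read-write open/lock to a store mode.
 * EROFS is the "image mounted read-only" case we tolerate; anything
 * else is a real failure on a writable store and must stay an error. */
enum store_mode classify_lock_errno(int err)
{
    return err == EROFS ? STORE_RO : STORE_ERR;
}

/* Try to take the exclusive (write) lock on the store's lock file.
 * On a read-only mount the O_RDWR|O_CREAT open fails with EROFS; we
 * then reopen the lock file read-only (it may exist in the image) and
 * report STORE_RO so the caller can continue with read-only work.
 * On success the open fd is returned in *fd_out (-1 if none). */
enum store_mode open_active_store(const char *lock_path, int *fd_out)
{
    int fd = open(lock_path, O_RDWR | O_CREAT, 0600);
    if (fd < 0) {
        if (classify_lock_errno(errno) != STORE_RO)
            return STORE_ERR;
        /* Read-only mount: no write lock possible. Open read-only for
         * reading; proceed without a lock if the file is absent. */
        *fd_out = open(lock_path, O_RDONLY);
        return STORE_RO;
    }
    if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
        int saved = errno;          /* close() may clobber errno */
        close(fd);
        return classify_lock_errno(saved);
    }
    *fd_out = fd;
    return STORE_RW;
}

/* Listing is allowed in either mode; modifying the store requires
 * the write lock, so it is refused on a read-only mount. */
int op_permitted(enum store_mode mode, enum store_op op)
{
    if (mode == STORE_ERR)
        return 0;
    if (op == OP_LIST)
        return 1;
    return mode == STORE_RW;
}

void close_active_store(int fd)
{
    if (fd >= 0)
        close(fd);
}

/* Convenience for callers that only need the mode: open, then close. */
int probe_store_mode(const char *lock_path)
{
    int fd = -1;
    enum store_mode m = open_active_store(lock_path, &fd);
    close_active_store(fd);
    return m;
}

int main(void)
{
    const char *path = "/tmp/example-semanage.lock"; /* hypothetical */
    int fd = -1;
    enum store_mode m = open_active_store(path, &fd);
    printf("mode=%d list=%d install=%d\n", m,
           op_permitted(m, OP_LIST), op_permitted(m, OP_INSTALL));
    close_active_store(fd);
    unlink(path);
    return m == STORE_ERR;
}
```

On a writable /tmp this reports `mode=1 list=1 install=1`; on a store whose mount is read-only the open fails with EROFS and the same code reports `mode=0 list=1 install=0`, which is the behaviour the reply is asking for. Note that flock() is used rather than fcntl() record locks because flock() does not require the descriptor to be open for writing, so a shared lock would still be possible on the read-only path if one were wanted.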