> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
>
> On Fri, 2006-04-21 at 12:54 -0400, Bill Nottingham wrote:
> > Stephen Smalley (sds@xxxxxxxxxxxxx) said:
> > > we need a rw mount on /etc/selinux separate from the rest of root so
> > > that we can perform policy module operations.
> >
> > I'm not as sure about this now that I understand how semodule is
> > supposed to work. If you're running a read-only system, you shouldn't
> > need to add or remove modules at runtime - that's something you do
> > when preparing the image to run read-only. That only leaves listing
> > modules, which I presume can be fixed to not need write access?
>
> Likely, but we'd want to distinguish the ro mount case from a
> rw mount where the read lock acquisition fails for some other
> cause. Likely can just test for errno EROFS when
> semanage_get_active_lock() fails, and proceed with rdonly
> operations in that case? cc'd Tresys folks above.

Not sure about this, if the mount becomes rw in the middle of an EROFS read the policy can be changed underneath them.

I guess I'm unsure where this sudden push for ro filesystem support is coming from and why it's important. Any kind of read only / system is going to have a highly abstracted interface. I have serious doubts that there would be any users running a bash shell and trying to get a list of modules.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
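The pattern discussed in the quoted exchange (fall back to read-only operation only when the lock attempt fails with EROFS, and treat every other failure as an error), shown as an added C example that is not code from this thread or from libsemanage. The lock-file path, the `store_access` enum and the function names are assumptions made for the illustration; the real `semanage_get_active_lock()` has its own interface. The example also addresses the concern raised in the reply: the read-only path still takes a shared fcntl lock on the read-only descriptor, which the kernel grants without writing to the filesystem, so a writer that later gains a rw mount and takes the exclusive lock on the same file is excluded for as long as the read operation holds it.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical outcome of a lock attempt on the policy store. */
enum store_access { STORE_RW = 0, STORE_RDONLY = 1, STORE_ERROR = -1 };

/* Decide what a failed write-lock attempt means from its errno.
 * Only EROFS says "the store is on a read-only mount"; EACCES, ENOENT,
 * EAGAIN (contended lock) and the rest stay hard errors, which is the
 * ro-mount vs. other-failure distinction the thread asks for. */
enum store_access classify_lock_failure(int err)
{
    return err == EROFS ? STORE_RDONLY : STORE_ERROR;
}

/* Open the store lock file and lock it.
 * First try read-write with an exclusive lock. If open() fails with EROFS,
 * reopen read-only and take a shared (F_RDLCK) lock instead: advisory
 * locks need no filesystem write, and holding the shared lock keeps a
 * writer from modifying the store underneath a read-only operation even
 * if the mount is flipped to rw meanwhile. Returns the fd via *fd_out. */
enum store_access acquire_store_lock(const char *lockfile, int *fd_out)
{
    struct flock fl;
    enum store_access mode = STORE_RW;
    int fd = open(lockfile, O_RDWR | O_CREAT, 0600);

    if (fd < 0) {
        mode = classify_lock_failure(errno);   /* decide on errno at failure */
        if (mode != STORE_RDONLY)
            return STORE_ERROR;
        fd = open(lockfile, O_RDONLY);         /* read-only mount: rdonly fd */
        if (fd < 0)
            return STORE_ERROR;
    }

    memset(&fl, 0, sizeof fl);
    fl.l_type = (mode == STORE_RW) ? F_WRLCK : F_RDLCK;
    fl.l_whence = SEEK_SET;                    /* l_start = l_len = 0: whole file */
    if (fcntl(fd, F_SETLK, &fl) < 0) {
        close(fd);
        return STORE_ERROR;
    }
    *fd_out = fd;
    return mode;
}

/* Acquire, release and remove a lock file at a constructed path, returning
 * the mode obtained; on a writable filesystem this is STORE_RW. */
enum store_access demo_store_lock(const char *lockfile)
{
    int fd = -1;
    enum store_access mode = acquire_store_lock(lockfile, &fd);
    if (fd >= 0) {
        close(fd);                             /* closing releases the fcntl lock */
        unlink(lockfile);
    }
    return mode;
}

int main(void)
{
    /* Constructed path for the stand-alone run; not a real store location. */
    const char *path = "/tmp/example_semanage_store.lock";
    enum store_access mode = demo_store_lock(path);

    printf("lock on %s: %s\n", path,
           mode == STORE_RW ? "read-write" :
           mode == STORE_RDONLY ? "read-only fallback" : "error");
    printf("EROFS  -> %d (read-only fallback)\n", classify_lock_failure(EROFS));
    printf("EACCES -> %d (hard error)\n", classify_lock_failure(EACCES));
    return mode == STORE_ERROR;
}
```

Note that the decision is taken from the errno of the failed call itself, not from a separate check of the mount flags beforehand, so there is no window between "looked read-only" and "tried to lock"; and the fallback is taken only for EROFS, so a permission problem or a contended lock still surfaces as an error rather than silently degrading to read-only mode.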