Joshua Brindle (jbrindle@xxxxxxxxxx) said:
> > Yes, but that tends to imply some fairly severe gun -> foot
> > interactions on the part of the admin.
>
> The admin need not know what is going on, how many things happen on
> average Linux systems without an average admin's knowledge?

Well, I'd hope that remounting the root FS read-write wouldn't be one
of those. Arguably, you could even set up the policy to disallow this.

> I retract the above statement. Even when making non-persistent boolean
> changes (which I can see happening on these systems) the lock is
> attempted. It's still unclear whether setsebool should fall back or if
> libsemanage should. I don't like the idea of lockless readers, even if
> the filesystem is RO when we start reading.

Hm, I didn't consider booleans. How (at an implementation level) is
setting of booleans done? (I haven't looked at the backend guts of
the SELinux code that much.)

Bill