Hi Smalley,
I think the limitation comes from read-only rootfs to SELinux at boot time. I observed that if read/write access is granted for rootfs in etc/fstab for the first boot, the system works fine onward (even if I revert that configuration back to read-only), so I think this is related to file-system labeling. I don't know whether modifying policy can help here.
------------ </etc/fstab> ------------
# stock fstab - you probably want to override this with a machine specific one
/dev/root / auto ro 1 0
proc /proc proc defaults 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid,strictatime 0 0
# uncomment this if your device has a SD/MMC/Transflash slot
#/dev/mmcblk0p1 /media/card auto defaults,sync,noauto 0 0
PARTUUID=fda0c478-a588-4056-9961-b0d5ba71ef4b /var/volatile ext4 defaults 0 0
PARTUUID=9ee8d077-3fdc-455f-80ea-e3d016653f55 swap swap defaults 0 0
On Friday, 2 February 2018, 6:38:22 pm GMT+5, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Fri, 2018-02-02 at 11:01 +0000, sajjad ahmed wrote:
> Hi,
>
> Can SELinux enable Linux boot/operate with read-only rootfs? I'm
> working on an IoT project and read-only rootfs is a security
> constraint and SELinux enabled image is unable to properly
> boot/operate in this environment. Is this SELinux limitation, or we
> can fix this with proper mount configurations.
It should be possible to make this work. Android for example operates
with SELinux and a read-only rootfs, although it has a very different
userspace and policy layout. What exactly is the problem you are
encountering with SELinux and a read-only rootfs? You should only have
a problem if you are trying to make a change to the policy or the
rootfs labels at runtime (as opposed to setting them all up at image
build and having them remain static at runtime).
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
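Added example, not part of the thread and not written by its participants: a shell check that reads the fstab posted above, reports whether the root entry is read-only and which mounts stay writable, and does a dry-run label comparison with `restorecon -n`. The function names are hypothetical, `restorecon` is assumed to be installed on the target, and the sample fstab is constructed from the one quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: the active (uncommented) fstab entries quoted in the thread.
sample_fstab() {
    cat <<'EOF'
/dev/root / auto ro 1 0
proc /proc proc defaults 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid,strictatime 0 0
#/dev/mmcblk0p1 /media/card auto defaults,sync,noauto 0 0
PARTUUID=fda0c478-a588-4056-9961-b0d5ba71ef4b /var/volatile ext4 defaults 0 0
PARTUUID=9ee8d077-3fdc-455f-80ea-e3d016653f55 swap swap defaults 0 0
EOF
}

# Print the options field of the fstab entry mounted at "/".
root_opts() {
    awk '$1 !~ /^#/ && $2 == "/" { print $4; exit }' "$1"
}

# Succeed only if the comma-separated option list contains the exact option "ro"
# (so "errors=remount-ro" does not count).
has_ro() {
    case ",$1," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# List mount points that stay writable: no "ro" option, and not swap or the
# proc/devpts pseudo-filesystems.
writable_mounts() {
    awk '$1 !~ /^#/ && NF >= 4 && $3 != "swap" && $3 != "proc" && $3 != "devpts" {
        n = split($4, o, ","); ro = 0
        for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
        if (!ro) print $2
    }' "$1"
}

# Dry run: count output lines for files under $1 whose on-disk label differs
# from what the loaded policy expects. -n changes nothing, so it is safe on a
# read-only rootfs.
label_mismatches() {
    restorecon -n -v -R "$1" 2>/dev/null | wc -l
}

# Live check, only when invoked as: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    if has_ro "$(root_opts /etc/fstab)"; then echo "rootfs: ro in fstab"; fi
    echo "writable mounts: $(writable_mounts /etc/fstab | tr '\n' ' ')"
    echo "label mismatches under /: $(label_mismatches /)"
fi
```

A non-zero mismatch count on an image that has never booted read/write would be consistent with labels not having been set at image build, which is the case the reply above says must be handled before runtime.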