On Tue, 2018-02-06 at 13:38 +0000, sajjad ahmed wrote:
> Hi Smalley,
>
> I think the limitation comes from read-only rootfs to SELinux at boot
> time, observed that if read/write access is granted for rootfs in
> etc/fstab for the first boot, system works fine onward (even I revert
> back that configuration to read-only), so I think this is related to
> file-system labeling. I don't know if modifying policy can help here.

File system labeling should occur when the filesystem image is built,
not on first boot.

> ------------ </etc/fstab> ------------
>
> # stock fstab - you probably want to override this with a machine specific one
>
> /dev/root            /                    auto       ro                                   1  0
> proc                 /proc                proc       defaults                             0  0
> devpts               /dev/pts             devpts     mode=0620,gid=5                      0  0
> tmpfs                /run                 tmpfs      mode=0755,nodev,nosuid,strictatime   0  0
>
> # uncomment this if your device has a SD/MMC/Transflash slot
> #/dev/mmcblk0p1      /media/card          auto       defaults,sync,noauto                 0  0
>
> PARTUUID=fda0c478-a588-4056-9961-b0d5ba71ef4b  /var/volatile  ext4  defaults  0  0
> PARTUUID=9ee8d077-3fdc-455f-80ea-e3d016653f55  swap           swap  defaults  0  0
>
>
> On Friday, 2 February 2018, 6:38:22 pm GMT+5, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>
> On Fri, 2018-02-02 at 11:01 +0000, sajjad ahmed wrote:
> > Hi,
> >
> > Can SELinux enable Linux boot/operate with read-only rootfs? I'm
> > working on an IoT project and read-only rootfs is a security
> > constraint and SELinux enabled image is unable to properly
> > boot/operate in this environment. Is this SELinux limitation, or we
> > can fix this with proper mount configurations.
>
> It should be possible to make this work. Android for example operates
> with SELinux and a read-only rootfs, although it has a very different
> userspace and policy layout. What exactly is the problem you are
> encountering with SELinux and a read-only rootfs? You should only have
> a problem if you are trying to make a change to the policy or the
> rootfs labels at runtime (as opposed to setting them all up at image
> build and having them remain static at runtime).
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
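The build-time labeling Stephen recommends, as an added example (written for this page; it is not code from the thread or from the SELinux project). SELinux file labels live in the security.selinux extended attribute, which is why a first boot with a writable rootfs "fixes" the image: the relabel is written to disk once and then survives later read-only boots. The same result is obtained deterministically by labeling the staged rootfs tree with setfiles before it is packed into the image, so the device never needs a writable root. The staging directory ($ROOTFS) and the policy's file_contexts path ($FILE_CONTEXTS) are assumptions; setfiles (policycoreutils) and getfattr (attr) are the real tools used.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: the rootfs is staged in a
# directory before being packed into an image, and the target policy's
# file_contexts file is available on the build host.

# Print the mount options of the "/" entry in an fstab, skipping comments and
# blank lines. Used to confirm the image keeps its root read-only.
root_mount_opts() {
    fstab="$1"
    awk '$1 !~ /^#/ && NF >= 4 && $2 == "/" { print $4; exit }' "$fstab"
}

# Return 0 if "/" is mounted read-only per the fstab ("ro" is one of the
# comma-separated options), 1 otherwise.
root_is_ro() {
    opts=$(root_mount_opts "$1")
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Label the staged tree in place, before packing. "setfiles -r $rootfs" makes
# setfiles treat the staging directory as "/" when matching file_contexts, so
# $rootfs/etc/passwd receives the context file_contexts assigns to /etc/passwd.
# -F forces the context even on files that already carry one.
label_rootfs_tree() {
    rootfs="$1"; fc="$2"
    command -v setfiles >/dev/null 2>&1 || { echo "setfiles not installed" >&2; return 2; }
    setfiles -r "$rootfs" -F "$fc" "$rootfs"
}

# Count files in the tree that carry no security.selinux xattr. Anything left
# unlabeled here would need a runtime relabel, which a read-only rootfs cannot
# perform; a non-zero count means file_contexts is missing a pattern.
count_unlabeled() {
    rootfs="$1"
    command -v getfattr >/dev/null 2>&1 || { echo "getfattr not installed" >&2; return 2; }
    find "$rootfs" -xdev -print | while read -r p; do
        getfattr -n security.selinux --absolute-names "$p" >/dev/null 2>&1 || echo "$p"
    done | wc -l
}

# Usage: sh label-rootfs.sh ROOTFS FILE_CONTEXTS FSTAB
# Runs only when all three arguments are given, so sourcing the file is safe.
if [ "$#" -eq 3 ]; then
    ROOTFS="$1"; FILE_CONTEXTS="$2"; FSTAB="$3"
    root_is_ro "$FSTAB" || { echo "warning: / is not mounted ro in $FSTAB" >&2; }
    label_rootfs_tree "$ROOTFS" "$FILE_CONTEXTS"
    echo "unlabeled files after setfiles: $(count_unlabeled "$ROOTFS")"
fi
```

The fstab check is there because the fix is easy to get backwards: the goal is to keep the `ro` line exactly as posted and move the labeling to the build, not to loosen the mount.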