On Mon, Oct 5, 2020 at 2:02 PM Ashish Mishra <ashishm@xxxxxxxxxx> wrote:
> Hi Ondrej,
>
> Thanks for sharing valuable information.
>
> 1) Since it's in an evaluation state, we might have a chance to look at tmpfs options.
> Can you please share some pointers on this option?

It should be pretty much a "drop-in replacement" for ramfs, it just has a couple more filesystem features (including the extended attributes needed by SELinux). It will probably have a bit higher per-file memory overhead though.

It would be helpful if you could share why you want to use ramfs as the root filesystem? Is it just to have fast I/O? If all your files fit into RAM, then the disk cache should already hold all used files in memory anyway. And obviously you'll have to load the files initially from some storage anyway, no? And how are you going to handle software updates?

>
> 2) Worst case scenario, if we can't go ahead with a tmpfs approach..
> a) Are there any specific files / directories or services that might create a problem?

Well, now that I think about it a little bit deeper, I think without a way to label (system) files, you'd pretty much lose the security advantages of SELinux completely. Because if you can't label the binaries, then you also can't have (automatic) type transitions, so in the end all your system would run as a single domain, making SELinux entirely pointless.

> Or if
> b) Any way we can customize STOCK fedora policies (so that they can work with RAMFS)
> (I can sense that this option might be complex, time-consuming & risky.
> But in case ramfs is mandatory, at least we will know the effort & plan schedule accordingly)

Well, you could probably create your own minimal policy that would allow booting and running such a system, but as I said above there would be no point in using SELinux at all then.

I mean, you could probably selectively "sandbox" some programs using dynamic transitions, but that would require both modifying the programs and writing the policy from scratch... So I strongly recommend using tmpfs instead of ramfs. Ramfs is simply too minimal for SELinux and probably doesn't give you any practical advantage over tmpfs anyway.

>
> Thanks for sharing the comment as it has definitely saved us some time &
> will help us to use Fedora in a better way.
>
> Thanks,
> Ashish Kumar Mishra

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
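The practical consequence of the thread above (ramfs has no extended attributes, so files on it cannot carry `security.selinux` labels and no automatic domain transitions can happen; tmpfs does have them and can additionally be labelled as a whole with a mount option) can be checked from `/proc/mounts` before a system is built around the wrong filesystem. The script below is an added example written for this page, not code from the thread, from Fedora or from Red Hat. It assumes only what the message states (ramfs cannot store the xattr SELinux needs; tmpfs can) plus the standard SELinux mount options documented in mount(8) (`context`, `fscontext`, `defcontext`, `rootcontext`); the `/proc/mounts` sample it audits is constructed, not captured from a real host.

```python
import re
from typing import Dict, List, NamedTuple

# Filesystem types that cannot store the security.selinux extended attribute
# per file (per the thread: ramfs lacks the xattrs SELinux needs). Without
# labelled binaries there are no automatic domain transitions.
NO_PER_FILE_LABELS = frozenset({"ramfs"})

# Mount options SELinux understands for labelling a whole mount (mount(8)).
SELINUX_MOUNT_OPTS = ("context", "fscontext", "defcontext", "rootcontext")


class Mount(NamedTuple):
    source: str
    target: str
    fstype: str
    options: Dict[str, str]  # option name -> value ("" when the option has none)


def unescape_mount_field(field: str) -> str:
    """Undo the octal escapes /proc/mounts uses (e.g. '\\040' for a space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts style lines: 'source target fstype options dump pass'."""
    mounts: List[Mount] = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        options: Dict[str, str] = {}
        for opt in fields[3].split(","):
            name, _, value = opt.partition("=")
            options[name] = value
        mounts.append(Mount(unescape_mount_field(fields[0]),
                            unescape_mount_field(fields[1]),
                            fields[2], options))
    return mounts


def audit_mounts(mounts: List[Mount]) -> List[Dict[str, str]]:
    """Return one finding per mount whose type matters for SELinux labelling."""
    findings: List[Dict[str, str]] = []
    for m in mounts:
        if m.fstype in NO_PER_FILE_LABELS:
            # A ramfs root means no labelled binaries at all: the worst case.
            level = "critical" if m.target == "/" else "warning"
            findings.append({
                "target": m.target,
                "level": level,
                "reason": f"{m.fstype} has no extended attributes, so files on it "
                          "cannot carry security.selinux labels; as the root "
                          "filesystem this leaves no way to label binaries and "
                          "hence no domain transitions",
            })
        elif m.fstype == "tmpfs":
            fixed = [o for o in SELINUX_MOUNT_OPTS if o in m.options]
            note = (f"labelled as a whole via {','.join(fixed)}" if fixed
                    else "supports per-file security.selinux labels")
            findings.append({"target": m.target, "level": "info",
                             "reason": f"tmpfs {note}"})
    return findings


def audit_live_system() -> List[Dict[str, str]]:
    """Run the audit against this machine's own /proc/mounts (Linux only)."""
    with open("/proc/mounts", encoding="utf-8") as fh:
        return audit_mounts(parse_proc_mounts(fh.read()))


# Constructed sample in /proc/mounts format (not captured from a real host);
# the fourth line shows the \040 escape /proc/mounts uses for a space.
SAMPLE_MOUNTS = """\
rootfs / ramfs rw 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,rootcontext=system_u:object_r:tmp_t:s0 0 0
none /mnt/scratch\\040area ramfs rw 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    for f in audit_mounts(parse_proc_mounts(SAMPLE_MOUNTS)):
        print(f"[{f['level']:8}] {f['target']}: {f['reason']}")
```

Run it as-is to see the constructed sample audited, or call `audit_live_system()` on a Linux host to check the real mount table; a `critical` finding for `/` is exactly the ramfs-root situation the thread advises against, while a tmpfs root produces only an `info` line because its files can be labelled like any other filesystem.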