Re: libselinux mountpoint changing patch.


 



On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:

>> NOTE:  We added the check for RO, to allow tools like mock to be able to
>> tell a chroot that SELinux is disabled while enforcing it outside the
>> chroot.
>>
>>
>> # getenforce
>> Enabled
>> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
>
> Just to clarify, the right commands to use are:
> mount --bind /selinux /var/chroot/selinux
> mount -o remount,ro /var/chroot/selinux
>
> Do not use:
> mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
> as this will in fact change the flags on /selinux as well.  Surprise!
> Result of there only being a single instance (superblock) of selinuxfs,
> although you can have multiple vfsmounts of it.

surprise, this doesn't work either!
# cat mount.F16 | grep selinux
mount --bind /selinux /mnt/F16/sys/fs/selinux/
mount -o remount,ro /mnt/F16/sys/fs/selinux/

# cat /proc/mounts | grep selinux
selinuxfs /selinux selinuxfs ro,relatime 0 0
selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0

crap.
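
A way to check where the read-only flag ended up after commands like the ones above, as an added example that is not part of the original message: `/proc/self/mountinfo` lists the per-mount options (field 6) separately from the superblock options (last field), while `/proc/mounts` merges the two. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format (not output from the thread):
# the chroot bind mount is read-only, the shared superblock is still writable.
sample_mountinfo() {
cat <<'EOF'
17 22 0:16 / /selinux rw,relatime - selinuxfs selinuxfs rw
41 22 0:16 / /mnt/F16/sys/fs/selinux ro,relatime - selinuxfs selinuxfs rw
EOF
}

# Read mountinfo lines on stdin and print, for every selinuxfs mount,
# "<mountpoint> mount=<ro|rw> super=<ro|rw>".
selinuxfs_flags() {
    awk '
    function has_ro(opts,   a, n, k) {
        n = split(opts, a, ",")
        for (k = 1; k <= n; k++) if (a[k] == "ro") return 1
        return 0
    }
    {
        # Optional fields (shared:N, master:N, ...) end at a lone "-".
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (!sep || $(sep + 1) != "selinuxfs") next
        printf "%s mount=%s super=%s\n", $5,
               (has_ro($6) ? "ro" : "rw"), (has_ro($(sep + 3)) ? "ro" : "rw")
    }'
}

# Exit 0 only if the selinuxfs mount at $1 is still writable. Otherwise report
# whether the ro flag sits on that vfsmount or on the single shared superblock.
check_host_mount() {
    line=$(selinuxfs_flags | MP="$1" awk '$1 == ENVIRON["MP"]')
    case "$line" in
        "")         echo "no selinuxfs mount at $1"; return 2 ;;
        *super=ro*) echo "superblock is ro: every selinuxfs mount is affected"; return 1 ;;
        *mount=ro*) echo "only the vfsmount at $1 is ro"; return 1 ;;
        *)          echo "$1 is writable"; return 0 ;;
    esac
}
```

On a live system, run `check_host_mount /selinux < /proc/self/mountinfo` after the remount.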

