On 08/22/2011 02:45 PM, Stephen Smalley wrote:
> On Mon, 2011-08-22 at 13:52 -0400, Eric Paris wrote:
>> On 08/22/2011 01:33 PM, Stephen Smalley wrote:
>>> On Mon, 2011-08-22 at 13:26 -0400, Eric Paris wrote:
>>>> On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>>>> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
>>>>
>>>>>> NOTE: We added the check for RO, to allow tools like mock to be able to
>>>>>> tell a chroot that SELinux is disabled while enforcing it outside the
>>>>>> chroot.
>>>>>>
>>>>>>
>>>>>> # getenforce
>>>>>> Enabled
>>>>>> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
>>>>>
>>>>> Just to clarify, the right commands to use are:
>>>>> mount --bind /selinux /var/chroot/selinux
>>>>> mount -o remount,ro /var/chroot/selinux
>>>>>
>>>>> Do not use:
>>>>> mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
>>>>> as this will in fact change the flags on /selinux as well. Surprise!
>>>>> Result of there only being a single instance (superblock) of selinuxfs,
>>>>> although you can have multiple vfsmounts of it.
>>>>
>>>> Surprise, this doesn't work either!
>>>> # cat mount.F16 | grep selinux
>>>> mount --bind /selinux /mnt/F16/sys/fs/selinux/
>>>> mount -o remount,ro /mnt/F16/sys/fs/selinux/
>>>>
>>>> # cat /proc/mounts | grep selinux
>>>> selinuxfs /selinux selinuxfs ro,relatime 0 0
>>>> selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0
>>>>
>>>> crap.
>>>
>>> Hmmm... works for me on F14 (yeah, I know - ancient history).
>>>
>>> # mkdir -p /var/chroot/selinux
>>> # mount --bind /selinux /var/chroot/selinux
>>> # mount -o remount,ro /var/chroot/selinux
>>> # cat /proc/mounts | grep selinux
>>> none /selinux selinuxfs rw,relatime 0 0
>>> none /var/chroot/selinux selinuxfs ro,relatime 0 0
>>> # echo 0 > /selinux/enforce
>>> # echo 0 > /var/chroot/selinux/enforce
>>> bash: /var/chroot/selinux/enforce: Read-only file system
>>>
>>> Did something change recently in the kernel or mount?
>>
>> mount(8)
>>
>> Under F15 mount does:
>> mount("selinuxfs", "/mnt/F16/sys/fs/selinux", 0x7f613d1ce7b0,
>>       MS_RDONLY|MS_REMOUNT|MS_RELATIME, NULL) = 0
>>
>> whereas under F14 mount does:
>> mount("/selinux", "/var/chroot/selinux", 0x7ff5f154ea69,
>>       MS_MGC_VAL|MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
>>
>> Under F15 I can get it to work if I use the command:
>>
>> mount -o remount,ro,bind /var/chroot/selinux
>>
>> Now for me to hunt down who owns mount(8).
>
> Does F15 and later have /etc/mtab? The man page for mount(8) on F14
> says that you have to explicitly pass bind on the remount if you lack
> an /etc/mtab on your system, as mount(8) figures out whether or not it
> was a bind mount originally from the /etc/mtab entry.

That's it:

# ls -l /etc/mtab
lrwxrwxrwx. 1 root root 12 Aug 19 09:21 /etc/mtab -> /proc/mounts

At least now we know. The right operations (which also work on F14):

mount --bind /selinux /var/chroot/selinux
mount -o remount,ro,bind /var/chroot/selinux

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
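The procedure the thread settles on, as an added example that is not code from the thread or from any of its participants: a POSIX sh script that does the bind plus the explicit `remount,ro,bind`, probes the result for EROFS, and a separate checker that reads a /proc/mounts listing and confirms that only the chroot copy of selinuxfs went read-only while the host copy stayed rw (the failure mode Eric hit when `bind` was omitted). The mount points, function names and the two /proc/mounts snapshots are assumptions; the snapshots are constructed to mirror the outputs quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: bind selinuxfs into a chroot
# read-only and verify that the host mount was left alone.
# Mount points and function names are assumptions for illustration.

# Bind $1 (host selinuxfs mountpoint) to $2 (inside the chroot) and make the
# chroot copy read-only.  Needs root and a mounted selinuxfs; the self-check
# at the bottom does not call it.
bind_selinuxfs_ro() {
    src="$1"; dst="$2"
    mkdir -p "$dst" || return 1
    mount --bind "$src" "$dst" || return 1
    # "bind" must be passed explicitly: with /etc/mtab -> /proc/mounts, mount(8)
    # cannot tell this was a bind mount and would otherwise issue a plain
    # MS_REMOUNT, which flips the single selinuxfs superblock (host included) to ro.
    mount -o remount,ro,bind "$dst" || return 1
    # Probe writability without changing policy state: write back the value
    # that is already there.  On the ro bind this must fail with EROFS.
    cur=$(cat "$dst/enforce") || return 1
    if echo "$cur" > "$dst/enforce" 2>/dev/null; then
        echo "ERROR: $dst/enforce is still writable" >&2
        return 1
    fi
    return 0
}

# Read a /proc/mounts listing on stdin and check that selinuxfs at $1 (host)
# is rw while selinuxfs at $2 (chroot) is ro.  Prints "ok" and returns 0 on
# success; prints the problem and returns 1 otherwise.
check_selinuxfs_mounts() {
    host="$1"; chr="$2"
    host_opts=""; chr_opts=""
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev mp fstype opts _rest; do
        [ "$fstype" = selinuxfs ] || continue
        case "$mp" in
            "$host") host_opts="$opts" ;;
            "$chr")  chr_opts="$opts" ;;
        esac
    done
    case ",$host_opts," in
        *,rw,*) ;;
        *) echo "host selinuxfs at $host is not rw (opts: '$host_opts')"; return 1 ;;
    esac
    case ",$chr_opts," in
        *,ro,*) ;;
        *) echo "chroot selinuxfs at $chr is not ro (opts: '$chr_opts')"; return 1 ;;
    esac
    echo ok
    return 0
}

# Constructed snapshots, modelled on the two outputs quoted in the thread:
# the F14 result (correct) and the F15 result without "bind" (host went ro too).
GOOD_MOUNTS='none /selinux selinuxfs rw,relatime 0 0
none /var/chroot/selinux selinuxfs ro,relatime 0 0'
BAD_MOUNTS='selinuxfs /selinux selinuxfs ro,relatime 0 0
selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0'

# Self-check on the constructed data (safe to run unprivileged).
printf '%s\n' "$GOOD_MOUNTS" | check_selinuxfs_mounts /selinux /var/chroot/selinux
if printf '%s\n' "$BAD_MOUNTS" | check_selinuxfs_mounts /selinux /mnt/F16/sys/fs/selinux; then
    echo "unexpected: bad snapshot passed" >&2
fi
```

On a live system the checker runs against the real table with `check_selinuxfs_mounts /selinux /var/chroot/selinux < /proc/mounts` (adjust the host path to /sys/fs/selinux where that is where selinuxfs lives). The write probe in `bind_selinuxfs_ro` deliberately writes the current value of `enforce` back rather than `0`, so a misconfigured mount is reported without actually dropping the host to permissive, which the unguarded `echo 0 > /selinux/enforce` in the quoted session would do.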