On 08/22/2011 03:19 PM, Daniel J Walsh wrote:
> On 08/22/2011 02:52 PM, Eric Paris wrote:
>> On 08/22/2011 02:45 PM, Stephen Smalley wrote:
>>> On Mon, 2011-08-22 at 13:52 -0400, Eric Paris wrote:
>>>> On 08/22/2011 01:33 PM, Stephen Smalley wrote:
>>>>> On Mon, 2011-08-22 at 13:26 -0400, Eric Paris wrote:
>>>>>> On Tue, May 3, 2011 at 11:33 AM, Stephen Smalley
>>>>>> <sds@xxxxxxxxxxxxx> wrote:
>>>>>>> On Tue, 2011-05-03 at 10:50 -0400, Daniel J Walsh wrote:
>>>>>>
>>>>>>>> NOTE: We added the check for RO, to allow tools like mock to be
>>>>>>>> able to tell a chroot that SELinux is disabled while enforcing it
>>>>>>>> outside the chroot.
>>>>>>>>
>>>>>>>> # getenforce
>>>>>>>> Enabled
>>>>>>>> # mount -t selinuxfs -o remount,ro selinuxfs /var/chroot/selinux
>>>>>>>
>>>>>>> Just to clarify, the right commands to use are:
>>>>>>> mount --bind /selinux /var/chroot/selinux
>>>>>>> mount -o remount,ro /var/chroot/selinux
>>>>>>>
>>>>>>> Do not use:
>>>>>>> mount -t selinuxfs -o ro selinuxfs /var/chroot/selinux
>>>>>>> as this will in fact change the flags on /selinux as well.
>>>>>>> Surprise! Result of there only being a single instance
>>>>>>> (superblock) of selinuxfs, although you can have multiple
>>>>>>> vfsmounts of it.
>>>>>>
>>>>>> surprise, this doesn't work either!
>>>>>> # cat mount.F16 | grep selinux
>>>>>> mount --bind /selinux /mnt/F16/sys/fs/selinux/
>>>>>> mount -o remount,ro /mnt/F16/sys/fs/selinux/
>>>>>>
>>>>>> # cat /proc/mounts | grep selinux
>>>>>> selinuxfs /selinux selinuxfs ro,relatime 0 0
>>>>>> selinuxfs /mnt/F16/sys/fs/selinux selinuxfs ro,relatime 0 0
>>>>>>
>>>>>> crap.
>>>>>
>>>>> Hmmm...works for me on F14 (yeah, I know - ancient history).
>>>>>
>>>>> # mkdir -p /var/chroot/selinux
>>>>> # mount --bind /selinux /var/chroot/selinux
>>>>> # mount -o remount,ro /var/chroot/selinux
>>>>> # cat /proc/mounts | grep selinux
>>>>> none /selinux selinuxfs rw,relatime 0 0
>>>>> none /var/chroot/selinux selinuxfs ro,relatime 0 0
>>>>> # echo 0 > /selinux/enforce
>>>>> # echo 0 > /var/chroot/selinux/enforce
>>>>> bash: /var/chroot/selinux/enforce: Read-only file system
>>>>>
>>>>> Did something change recently in the kernel or mount?
>>>>
>>>> mount(8)
>>>>
>>>> under F15 mount does:
>>>> mount("selinuxfs", "/mnt/F16/sys/fs/selinux", 0x7f613d1ce7b0, MS_RDONLY|MS_REMOUNT|MS_RELATIME, NULL) = 0
>>>>
>>>> whereas under F14 mount does:
>>>> mount("/sleinux", "/var/chroot/selinux", 0x7ff5f154ea69, NS_MGC_VAL|MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
>>>>
>>>> under F15 I can get it to work if I use the command:
>>>>
>>>> mount -o remount,ro,bind /var/chroot/selinux
>>>>
>>>> now for me to hunt down who owns mount(8)
>>>
>>> Does F15 and later have /etc/mtab? The man page for mount(8) on F14
>>> says that you have to explicitly pass bind on the remount if you lack
>>> an /etc/mtab on your system, as mount(8) figures out whether or not it
>>> was a bind mount originally from the /etc/mtab entry.
>
>> that's it:
>
>> # ls -l /etc/mtab
>> lrwxrwxrwx. 1 root root 12 Aug 19 09:21 /etc/mtab -> /proc/mounts
>
>> At least now we know. the right operations (which also work on F14)
>
>> mount --bind /selinux /var/chroot/selinux
>> mount -o remount,ro,bind /var/chroot/selinux
>
>> -Eric
>
>> --
>> This message was distributed to subscribers of the selinux mailing
>> list. If you no longer wish to subscribe, send mail to
>> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without
>> quotes as the message.
>
> If only the kernel would record this info...
>
> Why not just execute
>
> # mount -t selinuxfs -o ro /selinux /var/chroot/selinux

Never mind that breaks.
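The sequence Eric settled on, plus a check for the single-superblock surprise Stephen describes (the host's /selinux silently going read-only), as an added example that is not from the thread; the paths are the thread's, while the function names and the sample /proc/mounts lines are this example's own constructions:

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the working sequence (bind,
# then remount ro with "bind" passed explicitly) and checks
# /proc/mounts-format text so a read-only host selinuxfs is caught
# immediately instead of surfacing later as "SELinux disabled" on the host.

# Bind selinuxfs from $1 into the chroot path $2 and make only that
# vfsmount read-only. "bind" is passed on the remount because mount(8)
# cannot tell from an /etc/mtab -> /proc/mounts symlink that the target
# was a bind mount. Requires root; not invoked by this script.
ro_bind_selinuxfs() {
    mkdir -p "$2" &&
    mount --bind "$1" "$2" &&
    mount -o remount,ro,bind "$2"
}

# Read /proc/mounts-format lines on stdin. Returns 0 when the host
# selinuxfs ($1) is still rw and the chroot copy ($2) is ro, 1 when the
# host went ro too (the whole superblock was remounted), 2 when the chroot
# mount is missing or still rw.
check_selinuxfs_mounts() {
    host=$1 target=$2 host_opts='' target_opts=''
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = selinuxfs ] || continue
        case "$mnt" in
            "$host")   host_opts=$opts ;;
            "$target") target_opts=$opts ;;
        esac
    done
    case ",$host_opts," in *,ro,*) return 1 ;; esac
    case ",$target_opts," in *,ro,*) return 0 ;; esac
    return 2
}

# Constructed sample: the expected state after the fix (host rw, chroot ro).
SAMPLE_OK='selinuxfs /selinux selinuxfs rw,relatime 0 0
selinuxfs /var/chroot/selinux selinuxfs ro,relatime 0 0'

# Constructed sample of the failure seen on F16 when "bind" is omitted.
SAMPLE_HOST_RO='selinuxfs /selinux selinuxfs ro,relatime 0 0
selinuxfs /var/chroot/selinux selinuxfs ro,relatime 0 0'

printf '%s\n' "$SAMPLE_OK" | check_selinuxfs_mounts /selinux /var/chroot/selinux \
    && echo "ok: host rw, chroot ro"
printf '%s\n' "$SAMPLE_HOST_RO" | check_selinuxfs_mounts /selinux /var/chroot/selinux \
    || echo "problem (rc=$?): host selinuxfs is read-only as well"
```

On a live system, run `ro_bind_selinuxfs /selinux /var/chroot/selinux` and then feed `/proc/mounts` to `check_selinuxfs_mounts` to confirm only the chroot view is read-only.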