Hi Dominick,

Will look at the re-labelling as you suggested. Is there any doc / blog / implementation etc. to understand the sequence and commands to do this, to understand this step in a better way? We are working with such a setup freshly, so any inputs / guidance will be helpful.

Thanks for your time & inputs for this long thread.

Thanks,
Ashish

On Wed, Jan 6, 2021 at 8:34 PM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> Ashish Mishra <ashishm@xxxxxxxxxx> writes:
>
> > Hi Dominick,
> > Thanks for your valuable time and inputs.
> >
> > As a background w.r.t ROOTFS:
> > a) We had a custom SDK which is a basic makefile-based SDK.
> >
> > b) The rootfs was RAMFS based.
> > For selinux we switched from RAMFS to TEMPFS.
> >
> > c) It did not have SELINUX, so we added refpolicy & selinux-userland.
> > Expectation was we will get working selinux context & policy.
> > I have the policy but the context is the same for each file
> > and folder.
>
> You also have to address labeling. If your filesystem is ram-based
> (volatile) then I suspect you will have to address labeling at runtime (ie run
> setfiles/restorecon to label the filesystem). The point is that
> your filesystem is currently not labeled according to the reference
> policy.
>
> >
> > d) The setup is being evaluated for tempfs (INITRAMFS-as-TEMPFS +
> > SELINUX) w.r.t output of mount command:
> > ~ # mount
> > rootfs on / type rootfs (rw,seclabel,size=253620k,nr_inodes=63405)
> > sysfs on /sys type sysfs (rw,seclabel,relatime)
> > selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
> > nodev on /dev type devtmpfs
> > (rw,seclabel,relatime,size=253620k,nr_inodes=63405,mode=755)
> > none on /proc type proc (rw,relatime)
> > none on /dev/shm type tmpfs (rw,seclabel,relatime)
> > none on /dev/pts type devpts (rw,seclabel,relatime,mode=600,ptmxmode=000)
> > none on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
> > none on /mnth type hugetlbfs (rw,seclabel,relatime)
> > cgroup on /sys/fs/cgroup type tmpfs (rw,seclabel,relatime,mode=755)
> > cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset)
> > cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu)
> > cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct)
> > cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio)
> > cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
> > cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)
> > cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
> > cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,relatime,net_cls)
> > cgroup on /sys/fs/cgroup/net_prio type cgroup (rw,relatime,net_prio)
> > cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,relatime,hugetlb)
> > cgroup on /sys/fs/cgroup/pids type cgroup (rw,relatime,pids)
> > cgroup on /sys/fs/cgroup/debug type cgroup (rw,relatime,debug)
> > cgroups on /sys/fs/cgroup/unified type cgroup2 (rw,relatime)
> >
> >
> > Thanks,
> > Ashish
>
> --
> gpg --locate-keys dominick.grift@xxxxxxxxxxx
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
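The runtime labeling sequence Dominick describes (load policy, then setfiles/restorecon on a volatile rootfs), as an added example that is not a script from this thread, from refpolicy or from the SDK in question. It assumes the standard refpolicy layout (SELINUXTYPE in /etc/selinux/config and file_contexts under /etc/selinux/<type>/contexts/files/) and that setfiles from policycoreutils is on the image; the mount sample is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: relabel a RAM-based (initramfs/tmpfs) rootfs at boot.
# Assumes refpolicy layout and policycoreutils (setfiles) on the image.
set -u

# Constructed sample, trimmed from the mount output quoted in the thread.
SAMPLE_MOUNT='rootfs on / type rootfs (rw,seclabel,size=253620k,nr_inodes=63405)
sysfs on /sys type sysfs (rw,seclabel,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
none on /proc type proc (rw,relatime)
none on /dev/shm type tmpfs (rw,seclabel,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset)'

# Mount points mounted with "seclabel": their inodes carry per-file labels,
# so setfiles/restorecon can (and must) set them. Reads `mount` output on stdin.
seclabel_mounts() {
    awk '$2 == "on" && $4 == "type" && $6 ~ /[(,]seclabel[,)]/ { print $3 }'
}

# Mount points without "seclabel": labels there come from the policy's
# genfscon/fs_use rules, so relabeling them at runtime changes nothing.
unlabeled_mounts() {
    awk '$2 == "on" && $4 == "type" && $6 !~ /[(,]seclabel[,)]/ { print $3 }'
}

# Relabel the rootfs from the active policy's file_contexts. Run from init on
# every boot, after load_policy and before switching to enforcing mode: a
# tmpfs rootfs is repopulated from the cpio each boot, so labels never persist.
relabel_rootfs() {
    seltype=$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config)
    fc="/etc/selinux/${seltype}/contexts/files/file_contexts"
    [ -r "$fc" ] || { echo "no file_contexts at $fc" >&2; return 1; }
    # setfiles recurses from the given path; -v reports every changed label.
    setfiles -v "$fc" / || return 1
    # Spot-check paths that must carry a non-default label for boot to work.
    for p in /sbin/init /etc/selinux /dev; do
        [ -e "$p" ] && ls -Zd "$p"
    done
    return 0
}

# Only relabel when explicitly asked (e.g. "sh relabel.sh relabel" from init).
if [ "${1:-}" = "relabel" ]; then
    [ -e /sys/fs/selinux/enforce ] || { echo "SELinux not initialised" >&2; exit 1; }
    relabel_rootfs
fi
```

Comparing `seclabel_mounts` against `unlabeled_mounts` on the real `mount` output tells you which of the filesystems in the listing a relabel pass can actually fix; the cgroup and proc entries above are not candidates.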