On Mon, Mar 17, 2025 at 1:32 PM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote: > > Cathy Hu <cahu@xxxxxxx> writes: > > > On 17.03.25 15:29, Petr Lautrbach wrote: > >> > >> You could use `-e <directory>` to exclude read only subdirectories. > >> > > > > Yes that is possible, but also requires a manual change by the user to set > > this up together with the snapshot (same as telling them to add <<none>>), > > which we would like to avoid. > > Your -relabel.service's are generated and so can be restorecon options > there. > > Fedora uses fixfiles - > https://github.com/SELinuxProject/selinux/blob/main/policycoreutils/scripts/fixfiles > - which detects ro filesystems and skip them. We already have logic in libselinux/src/selinux_restorecon.c to exclude filesystems that lack seclabel support; should we augment this to also exclude read-only filesystems to avoid the need to work around this in all callers? > > > > > Is there a reason why these r-o subvolumes are not skipped by default? > > Could they be skipped without a problem and it is just missing the implementation? > > > > Thanks :) > > > > Kind regards, > > Cathy > >
