Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:

> On Mon, Mar 17, 2025 at 1:32 PM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
>>
>> Cathy Hu <cahu@xxxxxxx> writes:
>>
>> > On 17.03.25 15:29, Petr Lautrbach wrote:
>> >>
>> >> You could use `-e <directory>` to exclude read-only subdirectories.
>> >>
>> >
>> > Yes, that is possible, but it also requires a manual change by the user to set
>> > this up together with the snapshot (same as telling them to add <<none>>),
>> > which we would like to avoid.
>>
>> Your -relabel.service's are generated, and so can be the restorecon options
>> there.
>>
>> Fedora uses fixfiles -
>> https://github.com/SELinuxProject/selinux/blob/main/policycoreutils/scripts/fixfiles
>> - which detects ro filesystems and skips them.
>
> We already have logic in libselinux/src/selinux_restorecon.c to
> exclude filesystems that lack seclabel support; should we augment this
> to also exclude read-only filesystems to avoid the need to work around
> this in all callers?
> https://github.com/SELinuxProject/selinux/blob/main/libselinux/src/selinux_restorecon.c#L238

You're right, I didn't know about that. I think it would make sense to
also exclude `ro` mount points.

>>
>> >
>> > Is there a reason why these r-o subvolumes are not skipped by default?
>> > Could they be skipped without a problem and it is just missing the implementation?
>> >
>> > Thanks :)
>> >
>> > Kind regards,
>> > Cathy
>> >
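To make the proposal in the thread concrete, here is an added C example (not libselinux code, and not what selinux_restorecon.c actually does) that classifies /proc/self/mounts-style lines the way a relabel pass would need to: skip a mount that does not advertise label support, and, as proposed above, also skip one mounted read-only. The mount table is constructed for the example; the assumption that label support is signalled by a "seclabel" option, and the function names, are the example's own. It also covers the trap of matching "ro" as a substring of another option such as "errors=remount-ro".

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Why a relabel pass would skip a mount point. */
enum skip_reason { SKIP_NONE = 0, SKIP_NO_SECLABEL = 1, SKIP_READONLY = 2 };

/* Constructed /proc/self/mounts-style table (not captured from a real host):
 * a btrfs root with a read-only snapshot subvolume, proc (no seclabel), and
 * an ext4 mount whose "errors=remount-ro" option must not be read as "ro". */
static const char *const sample_mounts[] = {
    "/dev/sda2 / btrfs rw,relatime,seclabel,subvol=/@ 0 0",
    "/dev/sda2 /.snapshots btrfs rw,relatime,seclabel,subvol=/@/.snapshots 0 0",
    "/dev/sda2 /.snapshots/1/snapshot btrfs ro,relatime,seclabel,subvol=/@/.snapshots/1/snapshot 0 0",
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0",
    "/dev/sda3 /home ext4 rw,relatime,seclabel,errors=remount-ro 0 0",
    NULL
};

/* Exact-token match of opt inside a comma-separated option list, so "ro"
 * matches neither "errors=remount-ro" nor an option that merely starts
 * with "ro" (e.g. "rootcontext=..."). */
int has_mount_option(const char *opts, const char *opt)
{
    size_t optlen = strlen(opt);
    const char *p = opts;

    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == optlen && memcmp(p, opt, optlen) == 0)
            return 1;
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* Classify one "dev mountpoint fstype opts freq passno" line.
 * Copies the mount point into mnt when mnt is non-NULL. Returns a
 * skip_reason, or -1 if the line has fewer than four fields.
 * Caveat: /proc/self/mounts encodes spaces in paths as "\040"; this
 * example does not decode them. */
int classify_mount_line(const char *line, char *mnt, size_t mntsz)
{
    char buf[1024];
    char *save = NULL, *dev, *mp, *fs, *opts;

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    dev  = strtok_r(buf, " \t\n", &save);
    mp   = strtok_r(NULL, " \t\n", &save);
    fs   = strtok_r(NULL, " \t\n", &save);
    opts = strtok_r(NULL, " \t\n", &save);
    if (!dev || !mp || !fs || !opts)
        return -1;
    if (mnt)
        snprintf(mnt, mntsz, "%s", mp);

    /* Assumption for this example: label support shows up as "seclabel". */
    if (!has_mount_option(opts, "seclabel"))
        return SKIP_NO_SECLABEL;
    /* The extension proposed in the thread: also skip read-only mounts. */
    if (has_mount_option(opts, "ro"))
        return SKIP_READONLY;
    return SKIP_NONE;
}

/* Number of sample entries classified with the given reason. */
int count_skipped(int reason)
{
    int n = 0;
    for (int i = 0; sample_mounts[i]; i++)
        if (classify_mount_line(sample_mounts[i], NULL, 0) == reason)
            n++;
    return n;
}

int main(void)
{
    static const char *const names[] = { "relabel", "skip: no seclabel", "skip: read-only" };
    char mnt[256];

    for (int i = 0; sample_mounts[i]; i++) {
        int r = classify_mount_line(sample_mounts[i], mnt, sizeof mnt);
        printf("%-28s %s\n", mnt, r < 0 ? "unparseable" : names[r]);
    }
    return 0;
}
```

Run against a real host by reading /proc/self/mounts line by line and feeding each to classify_mount_line; the read-only snapshot subvolume from the thread would come back as SKIP_READONLY while its writable parent subvolumes still get relabelled.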