On 04/04/2011 06:32 PM, Kay Sievers wrote:
> On Mon, Apr 4, 2011 at 23:39, Michal Schmidt <mschm...@redhat.com> wrote:
>> On Mon, 4 Apr 2011 22:51:55 +0200 Kay Sievers wrote:
>>> We really need something here that is not tied to the / inode, because
>>> we want to support r/o / or / on tmpfs with only the subdirs mounted
>>> from disk. xattrs of / just have the same issues as /.-files, it's
>>> just a different storage format regarding that problem.
>>
>> The key is it would be a _per-filesystem_ flag meaning "this fs is tainted
>> for use with SELinux and needs relabeling".
>> The xattr containing the value of the flag would be attached to the
>> relative / of every mounted filesystem.
>>
>> filesystems mounted ro don't matter, because they cannot get their
>> file contexts changed and therefore do not need to be marked tainted.
>>
>> mount itself should write the xattr when it mounts the filesystem
>> read-write and SELinux is disabled.
>>
>> Bill Nottingham noted on IRC that relabeling would then be done by
>> systemd in the same pass that handles fsck.
>
> Yeah, sounds good if that works.
>
> The setup we might want to support in the future is that the couple of
> needed / directories are populated by btrfs subvolumes. Something like
> such a flag on the root of the individual subvolume that gets mounted
> might work just fine.
>
> Kay
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel

systemd should check if the mount flags include the seclabel field before
labeling. If a file system does not support labeling or is mounted with a
context mount option, the file system will not show the label seclabel.

grep seclabel /proc/self/mountinfo
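The seclabel check above, written out as an added example (not part of the original message and not systemd code): it parses mountinfo-format text and lists the mounts that show seclabel, skipping read-only mounts as discussed in the quoted text. The sample lines and all function names are constructed for illustration.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not taken from a real host).
SAMPLE_MOUNTINFO = """\
22 1 253:1 / / rw,relatime shared:1 - ext4 /dev/mapper/vg-root rw,seclabel
30 22 8:1 / /boot ro,relatime shared:5 - ext4 /dev/sda1 ro,seclabel
31 22 8:17 / /mnt/usb\\040stick rw,nosuid shared:9 - vfat /dev/sdb1 rw,fmask=0022
32 22 8:33 / /srv/www rw,relatime - ext4 /dev/sdc1 rw,context=system_u:object_r:httpd_sys_content_t:s0
33 22 0:40 / /home rw,relatime shared:12 master:3 - btrfs /dev/sdd1 rw,seclabel
"""


def _unescape(field):
    # The kernel writes space, tab, newline and backslash in paths as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return one dict per well-formed mountinfo line."""
    mounts = []
    for line in text.splitlines():
        # Optional fields vary in number; " - " ends them. Spaces inside
        # paths are escaped, so the first " - " is always that separator.
        left, sep, right = line.partition(" - ")
        pre, post = left.split(), right.split()
        if not sep or len(pre) < 6 or len(post) < 3:
            continue  # malformed or empty line
        mounts.append({
            "mount_point": _unescape(pre[4]),
            "fstype": post[0],
            "mount_opts": set(pre[5].split(",")),   # per-mount options
            "super_opts": set(post[2].split(",")),  # per-superblock options
        })
    return mounts


def relabel_candidates(text):
    """Mount points that show seclabel and are not mounted read-only."""
    result = []
    for m in parse_mountinfo(text):
        opts = m["mount_opts"] | m["super_opts"]
        if "seclabel" in opts and "ro" not in opts:
            result.append(m["mount_point"])
    return result


if __name__ == "__main__":
    for mount_point in relabel_candidates(SAMPLE_MOUNTINFO):
        print(mount_point)
```

On a live system, pass the contents of /proc/self/mountinfo to `relabel_candidates` instead of the constructed sample.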