On 04/04/2011 06:32 PM, Kay Sievers wrote:
On Mon, Apr 4, 2011 at 23:39, Michal Schmidt mschm...@redhat.com wrote:
On Mon, 4 Apr 2011 22:51:55 +0200 Kay Sievers wrote:
We really need something here that is not tied to the / inode, because
we want
On Tue, 05.04.11 08:42, Daniel J Walsh (dwa...@redhat.com) wrote:
systemd should check if the mount flag includes seclabel field
before labeling.
If a file system does not support labeling or is mounted with a
context mount option, the file system will not show the label seclabel.
On 04/05/2011 08:59 AM, Lennart Poettering wrote:
On Tue, 05.04.11 08:42, Daniel J Walsh (dwa...@redhat.com) wrote:
systemd should check if the mount flag includes seclabel field
before labeling.
If a file system does not support labeling or
On Sun, 2011-04-03 at 21:39 +0200, Michal Schmidt wrote:
If on the other hand / stays read-only for the whole duration of
working with SELinux disabled, then no contexts will be harmed and
relabeling will not be necessary.
If / is ro but /var is rw then a relabel is still useful, right?
And
2011/4/4 Michal Schmidt mschm...@redhat.com:
On Mon, 04 Apr 2011 20:59:58 +0200 Alexander Boström wrote:
If on the other hand / stays read-only for the whole duration of
working with SELinux disabled, then no contexts will be harmed and
relabeling will not be necessary.
If / is ro but
On Mon, 4 Apr 2011 22:51:55 +0200 Kay Sievers wrote:
We really need something here that is not tied to the / inode, because
we want to support r/o / or / on tmpfs with only the subdirs mounted
from disk. xattrs of / just have the same issues as /.-files, it's
just a different storage format
Using ConditionSELinux a unit can depend on the SELinux state:
disabled, permissive, enforcing
A bool argument is also accepted:
no = disabled
yes = permissive | enforcing
I'd like to use this feature for a unit that creates /.autorelabel if
SELinux is disabled, to ensure a relabel is done
]] Michal Schmidt
Hi,
| We should really stop having flag files like this outside
| of well-defined directories which exist for that purpose.
|
| /.autorelabel is not new. Fedora's /etc/rc.sysinit has been doing
| this since May 2005. I am only trying to prevent the loss of this
| feature.
On Sun, 03.04.11 21:39, Michal Schmidt (mschm...@redhat.com) wrote:
We should really stop having flag files like this outside
of well-defined directories which exist for that purpose.
/.autorelabel is not new. Fedora's /etc/rc.sysinit has been doing
this since May 2005. I am only trying