Hi,

Can SELinux enable Linux boot/operate with read-only rootfs? I'm working on an IoT project and read-only rootfs is a security constraint and SELinux enabled image is unable to properly boot/operate in this environment. Is this an SELinux limitation, or can we fix this with proper mount configurations?

Thanks
Sajjad Ahmed
On Fri, 2018-02-02 at 11:01 +0000, sajjad ahmed wrote:
Hi,
Can SELinux enable Linux boot/operate with read-only rootfs? I'm working on an IoT project and read-only rootfs is a security constraint and SELinux enabled image is unable to properly boot/operate in this environment. Is this SELinux limitation, or we can fix this with proper mount configurations.
It should be possible to make this work. Android for example operates with SELinux and a read-only rootfs, although it has a very different userspace and policy layout. What exactly is the problem you are encountering with SELinux and a read-only rootfs? You should only have a problem if you are trying to make a change to the policy or the rootfs labels at runtime (as opposed to setting them all up at image build and having them remain static at runtime).
Hi Smalley,

I think the limitation comes from read-only rootfs to SELinux at boot time, observed that if read/write access is granted for rootfs in etc/fstab for the first boot, system works fine onward (even I revert back that configuration to read-only), so I think this is related to file-system labeling. I don't know modifying policy can help here.

------------ </etc/fstab> ------------
# stock fstab - you probably want to override this with a machine specific one
/dev/root / auto ro 1 0
proc /proc proc defaults 0 0
devpts /dev/pts devpts mode=0620,gid=5 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid,strictatime 0 0

# uncomment this if your device has a SD/MMC/Transflash slot
#/dev/mmcblk0p1 /media/card auto defaults,sync,noauto 0 0

PARTUUID=fda0c478-a588-4056-9961-b0d5ba71ef4b /var/volatile ext4 defaults 0 0
PARTUUID=9ee8d077-3fdc-455f-80ea-e3d016653f55 swap swap defaults 0 0
On Tue, 2018-02-06 at 13:38 +0000, sajjad ahmed wrote:
Hi Smalley,
I think the limitation comes from read-only rootfs to SELinux at boot time, observed that if read/write access is granted for rootfs in etc/fstab for the first boot, system works fine onward (even I revert back that configuration to read-only), so I think this is related to file-system labeling. I don't know modifying policy can help here.
File system labeling should occur when the filesystem image is built, not on first boot.
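Added example, not part of the original thread: a build-time check in Python for the point made in the last reply, that labels have to be in the image already so a read-only root never needs a first-boot relabel. The function name `audit_rootfs`, the staged-rootfs directory argument and the list of placeholder types are assumptions made for illustration.

```python
import os
import sys

# With SELinux enabled on the build host, files that carry no stored label
# are reported with one of these placeholder types.
UNLABELED_TYPES = {"unlabeled_t", "file_t"}

def read_label(path):
    """Return the context in the security.selinux xattr, or None if absent."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError:
        return None
    return raw.rstrip(b"\x00").decode(errors="replace")

def audit_rootfs(root, get_label=read_label):
    """List (path, reason) pairs that would need a relabel pass at boot."""
    findings = []
    # /.autorelabel is the conventional flag file that requests a full relabel.
    if os.path.lexists(os.path.join(root, ".autorelabel")):
        findings.append(("/.autorelabel", "relabel flag file present"))
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked directories; check the links.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames + links]:
            rel = os.path.relpath(path, root)
            shown = "/" if rel == "." else "/" + rel
            label = get_label(path)
            if label is None:
                findings.append((shown, "no security.selinux xattr"))
                continue
            fields = label.split(":")
            if len(fields) < 3:
                findings.append((shown, "malformed context " + label))
            elif fields[2] in UNLABELED_TYPES:
                findings.append((shown, "placeholder type " + fields[2]))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python3 audit_rootfs.py <staged-rootfs-dir>; non-zero exit fails the build.
    problems = audit_rootfs(sys.argv[1])
    for shown, reason in problems:
        print(f"{shown}: {reason}")
    sys.exit(1 if problems else 0)
```

Run it against the mounted or staged image as the last build step; an empty result means nothing in the tree asks for a write to the root filesystem for labeling purposes.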