On Sa, 04.07.20 12:49, Chris Murphy (lists(a)colorremedies.com) wrote:
Why do the security folks want POSIX and SELinux labels on the
contents of /boot? I've never really gotten a straight answer on this,
but I know it's considered important and a sticking point for why some
folks do not want the kernel and initramfs and bootloader
configuration files on FAT. And can it be mitigated some other way?
Maybe not persistently mounting /boot and /boot/efi or mounting them
on-demand elsewhere only when they need to be modified?
You can assign an SELinux label onto a whole file system at mount time
via the context= mount option and related ones. Hence the question is
why it is supposedly so essential to be able to label the initrd
differently than the kernel itself...
Note that systemd can automatically mount the ESP and XBOOTLDR
partition for you if you let it. If done so it will set it up via
automounts, so that the file systems are:
1) automatically fsck'ed on first mount
2) only mounted when actually accessed
3) very quickly after the last access unmounted again
This should provide the best data integrity guarantees on those file
systems as the file system is almost always unmounted, and thus in a
clean state, and automatically fixed in the unlikely case that the
system was turned off right at the moment the fs was accessed.
Note that this mechanism is independent of the boot loader spec, or
sd-boot or anything like that. It's automatically used if /boot or
/efi are not listed in /etc/fstab and if partitions of the right type
are found in the partition table.
(Note that this automatism doesn't support /boot/efi/, first of al
because it's weird, but mostly because in order to establish the
second automount point we'd have to activate the first one, which
defeats the whole excercise of having file systems that are never
mounted, except if they are accessed)
Hence, a couple of changes independent of the sd-boot/grub/boot loader spec
situation would make a lot of sense for Fedora:
1) Use the XBOOTLDR uuid for /boot
2) Mount ESP to /efi instead of /boot/efi (you can keep a symlink in
/boot/efi/ if you like)
3) Drop generation of ESP and /boot entries in /etc/fstab in the
installer, and let the automatic logic do its thing.
You know using a journalling file system on /boot means means you
drastically complicate things if you want to implement boot counting,
because then you need a writable fs, and then things become complex
because you need a ful fs implementation in grub.
Do the btrfs upstream folks commit to support an alternative writable
btrfs implementation in grub? I doubt so?
That aims to make it possible to support a snapshot/rollback regime.
There needs to be a way to pair the states of /boot and / so that the
kernel we're using to boot a rollback, has modules available on the
rolledback /usr. That does not need to be done with Btrfs, even
though
You are just reimplementing OSTree/Atomic/FedoraCoreOS with that...
Lennart
--
Lennart Poettering, Berlin