This is not a topic of Linux kernel. I would like to introduce one of popular way protecting Policy file for SELinux that used in lots of linux(including embedded linux) system.
systemd is widely user process that is widely used as init process at Linux in these days. systemd loads SELinux data from SELinux root directoy (/etc/selinux by default) if SELinux is enabled, at very early stage. And then services registered are started.
Here is sample mount status.
...(skip)...
overlay on /etc type overlay (rw,relatime,rootcontext=system_u:object_r:etc_t:s0,seclabel,lowerdir=/etc,upperdir=/overlay/etc,workdir=/overlay/.etc-work,x-systemd.automount)
...(skip)...
And you can easily find systemd service doing this mount task.
According to steps of systemd, policy of SELinux is loaded before /etc/ is hidden behind by overlay filesystem. So, original SELinux data can be safely protected from users.
This way is very popular way protecting original data from users. You can apply this trick to various cases for your system.
'Domain > Linux' 카테고리의 다른 글
[Ubuntu/Linux] Python zip library 와 7z 간 교차 사용시 문제 (0) | 2017.03.08 |
---|---|
Run commands with synchronization in shell. (0) | 2016.04.20 |
Linux re-parenting. And child-subreaper. (0) | 2016.04.20 |
[Linux] Environment variable - more (0) | 2015.11.11 |
[Linux/Ext4] Order of file list of the directory in ext4 (1) | 2015.03.09 |