diff options
author | Bill Nottingham <notting@redhat.com> | 2006-04-20 19:25:48 +0000 |
---|---|---|
committer | Bill Nottingham <notting@redhat.com> | 2006-04-20 19:25:48 +0000 |
commit | a5caeb0d1f15fcc3a674420a0b383bf7a7cfd2ea (patch) | |
tree | fbd2b823afd3eab0731c9a64414949b4ddb1eac4 | |
parent | 41784d55e80fc84310d79386cb2adbb974fe6b26 (diff) | |
download | initscripts-a5caeb0d1f15fcc3a674420a0b383bf7a7cfd2ea.tar initscripts-a5caeb0d1f15fcc3a674420a0b383bf7a7cfd2ea.tar.gz initscripts-a5caeb0d1f15fcc3a674420a0b383bf7a7cfd2ea.tar.bz2 initscripts-a5caeb0d1f15fcc3a674420a0b383bf7a7cfd2ea.tar.xz initscripts-a5caeb0d1f15fcc3a674420a0b383bf7a7cfd2ea.zip |
readonly root support. Does not currently work with SELinux.
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | initscripts.spec | 3 | ||||
-rwxr-xr-x | rc.d/rc.sysinit | 78 | ||||
-rw-r--r-- | rwtab | 14 |
4 files changed, 87 insertions, 10 deletions
@@ -15,11 +15,13 @@ all: install: mkdir -p $(ROOT)/etc/profile.d $(ROOT)/sbin $(ROOT)/usr/sbin mkdir -p $(ROOT)$(mandir)/man8 + mkdir -p $(ROOT)/etc/rwtab.d $(ROOT)/var/lib/stateless/writable install -m644 inittab adjtime $(ROOT)/etc if uname -m | grep -q s390 ; then \ install -m644 inittab.s390 $(ROOT)/etc/inittab ; \ fi + install -m644 rwtab $(ROOT)/etc install -m755 service setsysfont $(ROOT)/sbin install -m755 lang.csh lang.sh $(ROOT)/etc/profile.d install -m755 sys-unconfig $(ROOT)/usr/sbin diff --git a/initscripts.spec b/initscripts.spec index fa6e602b..506feac1 100644 --- a/initscripts.spec +++ b/initscripts.spec @@ -160,6 +160,8 @@ rm -rf $RPM_BUILD_ROOT %config /etc/sysconfig/network-scripts/ifup-ctc %config /etc/sysconfig/network-scripts/ifup-iucv %endif +/etc/rwtab +%dir /etc/rwtab.d /etc/udev/rules.d/* %config /etc/X11/prefdm %config(noreplace) /etc/inittab @@ -204,6 +206,7 @@ rm -rf $RPM_BUILD_ROOT %config /etc/ppp/ipv6-down %config /etc/initlog.conf %doc sysconfig.txt sysvinitfiles ChangeLog static-routes-ipv6 ipv6-tunnel.howto ipv6-6to4.howto changes.ipv6 +%dir /var/lib/stateless %ghost %attr(0600,root,utmp) /var/log/btmp %ghost %attr(0664,root,utmp) /var/log/wtmp %ghost %attr(0664,root,utmp) /var/run/utmp diff --git a/rc.d/rc.sysinit b/rc.d/rc.sysinit index 5dd74d9d..d805a4cd 100755 --- a/rc.d/rc.sysinit +++ b/rc.d/rc.sysinit @@ -297,15 +297,71 @@ else fsckoptions="-V $fsckoptions" fi +READONLY= if [ -f /etc/sysconfig/readonly-root ]; then - . /etc/sysconfig/readonly-root - - if [ "$READONLY" = "yes" ]; then - # Call rc.readonly to set up magic stuff needed for readonly root - . /etc/rc.readonly - fi + . /etc/sysconfig/readonly-root +fi +if strstr "$cmdline" readonlyroot ; then + READONLY=yes + [ -z "$RW_MOUNT" ] && RW_MOUNT=/var/lib/stateless/writable fi +if [ "$READONLY" = "yes" -a -n "$SELINUX_STATE" ]; then + echo "SELinux is not compatible with read-only root at this time." + echo "Mounting read/write." + READONLY=no +fi + +if [ "$READONLY" = "yes" ]; then + mount_empty() { + if [ -e "$1" ]; then + echo "$1" | cpio -p -vd "$RW_MOUNT" &>/dev/null + mount -n --bind "$RW_MOUNT$1" "$1" + fi + } + + mount_dirs() { + if [ -e "$1" ]; then + mkdir -p "$RW_MOUNT$1" + # fixme: find is bad + find "$1" -type d -print0 | cpio -p -0vd "$RW_MOUNT" &>/dev/null + mount -n --bind "$RW_MOUNT$1" "$1" + fi + } + + mount_files() { + if [ -e "$1" ]; then + cp -a --parents "$1" "$RW_MOUNT" + mount -n --bind "$RW_MOUNT$1" "$1" + fi + } + + if [ -n "$SELINUX_STATE" ]; then + mount -t tmpfs -o fscontext=system_u:object_r:fs_t:s0 none "$RW_MOUNT" + else + mount -t tmpfs none "$RW_MOUNT" + fi + + for file in /etc/rwtab /etc/rwtab.d/* ; do + [ -f $file ] && cat $file | while read type path ; do + case "$type" in + empty) + mount_empty $path + ;; + files) + mount_files $path + ;; + dirs) + mount_dirs $path + ;; + *) + ;; + esac + [ -n "$SELINUX_STATE" ] && restorecon -R "$1" + done + done +fi + if ! [[ " $fsckoptions" =~ " -y" ]]; then fsckoptions="-a $fsckoptions" fi @@ -424,7 +480,7 @@ if [ -x /sbin/quotaon ]; then fi # Check to see if a full relabel is needed -if [ -n "$SELINUX_STATE" ]; then +if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then if [ -f /.autorelabel ] || strstr "$cmdline" autorelabel ; then relabel_selinux fi @@ -445,10 +501,12 @@ fi if [ -f "/var/lib/random-seed" ]; then cat /var/lib/random-seed > /dev/urandom else - touch /var/lib/random-seed + [ "$READONLY" != "yes" ] && touch /var/lib/random-seed +fi +if [ "$READONLY" != "yes" ]; then + chmod 600 /var/lib/random-seed + dd if=/dev/urandom of=/var/lib/random-seed count=1 bs=512 2>/dev/null fi -chmod 600 /var/lib/random-seed -dd if=/dev/urandom of=/var/lib/random-seed count=1 bs=512 2>/dev/null # Use the hardware RNG to seed the entropy pool, if available #[ -x /sbin/rngd -a -c /dev/hw_random ] && rngd @@ -0,0 +1,14 @@ +empty /tmp +empty /var/tmp + +dirs /var/gdm +dirs /var/lock +dirs /var/log +dirs /var/run + +files /etc/fstab +files /etc/resolv.conf +files /etc/ntp.conf +empty /var/lib/dhcp + +files /etc/adjtime |