From: Dominick Grift <dominick.grift@defensec.nl>
To: Chris PeBenito <chpebeni@linux.microsoft.com>
Cc: SELinux mailing list <selinux@vger.kernel.org>
Subject: Re: RFC systemd-sysext/confext image context mounts
Date: Tue, 06 Jan 2026 18:01:24 +0100 [thread overview]
Message-ID: <87o6n6iskb.fsf@defensec.nl> (raw)
In-Reply-To: <65a70099-a752-42d5-adfc-5973c21b9710@linux.microsoft.com> (Chris PeBenito's message of "Tue, 6 Jan 2026 11:01:13 -0500")
Chris PeBenito <chpebeni@linux.microsoft.com> writes:
> Systemd provides tools for composing directories like /usr and /opt
> (system extensions, sysext) or /etc (configuration extensions,
> confext). These tools create an overlayfs at the target location,
> with the root filesystem and extensions. While they support raw
> directories, files, and mutable filesystems, my current concern is
> with extending immutable distributions at runtime using additional
> immutable images.
>
> The challenge lies in ensuring proper labeling before deploying an
> image, which is problematic for third-party images lacking labels or
> using incompatible ones. I haven't made any patches yet, as I want to
> consult this group and the systemd developers first. My proposal is:
> for internally labeled filesystems (ext4, etc.), have the tools
> validate the image's root directory label. If validation fails, apply
Sounds fragile as these filesystems by definition have more then just a
root directory.
> a context= mount using the label from the contexts/systemd_contexts
> file in the policy. I'd probably also add options in sysext.conf(.d)
> and confext.conf(.d) to override this behavior, such as for specifying
> an alternate label for the context mount.
>
> What are your thoughts?
I am not opposed per se but feels inconsistent. Consider for
example verity authentication which will also most likely be used in
these types of scenarios: why would one be able to deal with verity but
not with selinux labels?
Also wondering where systemd is going to go with extensions will we get
per-user instances that work together with systemd-mountfsd like we
currently have with systemd-nspawn? If so how will that affect this design.
>
>
> --
> Chris PeBenito
>
--
gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl
next prev parent reply other threads:[~2026-01-06 17:07 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-06 16:01 RFC systemd-sysext/confext image context mounts Chris PeBenito
2026-01-06 16:20 ` Stephen Smalley
2026-01-06 16:42 ` Chris PeBenito
2026-01-06 17:08 ` Stephen Smalley
2026-01-06 18:58 ` Chris PeBenito
2026-01-06 17:01 ` Dominick Grift [this message]
2026-01-06 18:55 ` Chris PeBenito
2026-01-06 19:37 ` Dominick Grift
2026-01-07 12:28 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o6n6iskb.fsf@defensec.nl \
--to=dominick.grift@defensec.nl \
--cc=chpebeni@linux.microsoft.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.