RSBAC Grsec Selinux ProPolice and Pax

Ryan.Oliver at pha.com.au Ryan.Oliver at pha.com.au
Mon Jan 19 05:16:14 PST 2004






> Sorry to piggyback, but I missed the original post.
>
> Last time I looked, bind mounting didn't allow you to mount one part
> of the filesystem rw somewhere, and the same part ro elsewhere.
> Something to do with sharing superblocks.
>
> I may be wrong or it might have changed.

Separate parts of the filesystem, usually completely separate
partitions.

1: Create partition(s) for rw access.
2: Mount partition containing binaries/configuration (/opt) ro.
3: Bind mount data directories under rw partition onto ro partition.

Test it out on a cdrom if you want :-)

Idea is to also keep binaries/configuration data on physically
separate partitions to user data.
Keeps backups nice and simple too.

Ideally you'd have a separate data partition for each daemon but sometimes
however you just run out of spare partitions ;-).

[R]
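
Added example, not part of the original message: a check that a host follows the layout in steps 1-3 above, with writable data directories bind mounted under a read-only mount and taken from a separate partition. The sample mount table, device numbers, paths and the function name audit_mounts are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format; devices and paths are
# hypothetical. /opt is read-only on 8:5, daemon data lives on 8:6 and is
# bind mounted into /opt. The last line binds from the same device as /opt.
SAMPLE='21 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw
30 21 8:5 / /opt ro,nodev - ext3 /dev/sda5 rw
31 21 8:6 / /srv/data rw,nosuid,nodev - ext3 /dev/sda6 rw
32 30 8:6 /named /opt/named/var rw,nosuid,nodev - ext3 /dev/sda6 rw
33 30 8:5 /www/logs /opt/www/logs rw,nodev - ext3 /dev/sda5 rw'

# audit_mounts: read mountinfo on stdin. For every writable mount nested under
# a read-only mount, report whether it comes from a separate device.
# Fields used: 3 = major:minor, 4 = root within that filesystem,
# 5 = mount point, 6 = per-mount options.
audit_mounts() {
    awk '
    function has_opt(s, want,   n, k, a) {
        n = split(s, a, ",")
        for (k = 1; k <= n; k++) if (a[k] == want) return 1
        return 0
    }
    { dev[NR] = $3; root[NR] = $4; mp[NR] = $5; opts[NR] = $6 }
    END {
        for (i = 1; i <= NR; i++) {
            if (!has_opt(opts[i], "ro")) continue
            prefix = (mp[i] == "/") ? "/" : mp[i] "/"
            for (j = 1; j <= NR; j++) {
                if (j == i || index(mp[j], prefix) != 1) continue
                if (!has_opt(opts[j], "rw")) continue
                verdict = (dev[j] == dev[i]) ? "SAME-DEVICE" : "OK"
                printf "%s %s under ro %s (dev %s, root %s)\n", verdict, mp[j], mp[i], dev[j], root[j]
            }
        }
    }'
}

# Stand-alone run on the constructed sample; on a live host use:
#   audit_mounts < /proc/self/mountinfo
printf '%s\n' "$SAMPLE" | audit_mounts
```

An OK line means the writable directory sits on a different partition from the read-only tree it is mounted into; SAME-DEVICE means binaries/configuration and data share a partition.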




More information about the hlfs-dev mailing list