Chapter 21. Setting read-only permissions for the root file system
Sometimes, you need to mount the root file system (/) with read-only permissions. Example use cases include enhancing security, because nothing on / can be changed without first remounting it read-write, and ensuring data integrity after an unexpected system power-off.
21.1. Files and directories that always retain write permissions
For the system to function properly, some files and directories need to retain write permissions. When the root file system is mounted in read-only mode, writable copies of these files and directories are provided from RAM by the tmpfs temporary file system.

The default set of such files and directories is read from the /etc/rwtab file. Note that the readonly-root package must be installed for this file to be present on your system.
    dirs    /var/cache/man
    dirs    /var/gdm
    <content truncated>
    empty   /tmp
    empty   /var/cache/foomatic
    <content truncated>
    files   /etc/adjtime
    files   /etc/ntp.conf
    <content truncated>

Entries in the /etc/rwtab file follow this format:

    copy-method path

In this syntax:

- Replace copy-method with one of the keywords specifying how the file or directory is copied to tmpfs.
- Replace path with the absolute path to the file or directory.
The /etc/rwtab file recognizes the following ways in which a file or directory can be copied to tmpfs:

empty
    An empty file or directory is created on tmpfs at the path. For example:

        empty /tmp

dirs
    The directory tree is recreated on tmpfs, but without the files it contains. For example:

        dirs /var/run

files
    A file or a directory tree is copied to tmpfs intact, contents included. For example:

        files /etc/resolv.conf

The same format applies when adding custom paths in files under the /etc/rwtab.d/ directory.
21.2. Configuring the root file system to mount with read-only permissions on boot
After you complete this procedure, the root file system is mounted read-only on all following boots.

Procedure

1. In the /etc/sysconfig/readonly-root file, set the READONLY option to yes to mount the file systems as read-only:

       READONLY=yes

2. Add the ro option to the root entry (/) in the /etc/fstab file:

       /dev/mapper/luks-c376919e... / xfs x-systemd.device-timeout=0,ro 1 1

3. Enable the ro kernel option:

       # grubby --update-kernel=ALL --args="ro"

4. Ensure that the rw kernel option is disabled:

       # grubby --update-kernel=ALL --remove-args="rw"

5. If you need to add files and directories to be mounted with write permissions in the tmpfs file system, create a text file in the /etc/rwtab.d/ directory and put the configuration there. For example, to mount the /etc/example/file file with write permissions, add this line to the /etc/rwtab.d/example file:

       files /etc/example/file

   Important: Changes made to files and directories in tmpfs do not persist across boots.

6. Reboot the system to apply the changes.
Troubleshooting
If you mount the root file system with read-only permissions by mistake, you can remount it with read-and-write permissions again using the following command. The remount lasts only until the next boot; to make it permanent, revert the settings from the procedure above.

    # mount -o remount,rw /