| 1 |
On Tue, 2012-01-03 at 22:47 +0000, Sven Vermeulen wrote: |
| 2 |
> On Sun, Jan 01, 2012 at 03:21:47PM -0500, Olivier Crête wrote: |
| 3 |
> > > I use a separate /usr with LVM on all my systems. My root partition uses |
| 4 |
> > > RAID1. And I never had the need for an initramfs of any kind. Also, there |
| 5 |
> > > are some major hurdles to take when it comes to getting an initramfs working |
| 6 |
> > > with SELinux. Most initramfs implementations I saw are not SELinux aware, so |
| 7 |
> > > all changes they make to the system either result in failures when they try, |
| 8 |
> > > or failures when the root-switch occurs. |
| 9 |
> > |
| 10 |
> > dracut fully supports SELinux (it's used in Fedora which has this |
| 11 |
> > SELinux horror on by default). |
| 12 |
> |
| 13 |
> Yes... but no. |
| 14 |
> |
| 15 |
> Fedora uses SELinux but using a policy where most domains run unconfined |
| 16 |
> (meaning they're allowed to do almost anything) and mostly the |
| 17 |
> network-facing services are confined. |
| 18 |
> |
| 19 |
> I just got dracut working on a SELinux system here (took me a few hours to |
| 20 |
> compile a SELinux domain for dracut, because the application doesn't work |
| 21 |
> with the standard privileges of an administrator) and it boots up (up to |
| 22 |
> and including "dracut: Switching root") until SELinux is activated. |
| 23 |
> |
| 24 |
> From that point onwards, it's dead since its using wrong labels and wrong |
| 25 |
> context. |
| 26 |
> |
| 27 |
> It is SELinux-aware (it mounts the selinuxfs and such) but I think I'll need |
| 28 |
> to edit the /usr/lib/dracut/* stuff to get it to boot up properly on a |
| 29 |
> SELinux system that doesn't use unconfined domains... |
| 30 |
> |
| 31 |
> I'll try to get it working the next few days. Once (or when) it does, I'll |
| 32 |
> submit the necessary patches to wherever is necessary. |
| 33 |
|
| 34 |
My understanding is that the dracut maintainer recently removed SELinux |
| 35 |
support and moved it into systemd. So patches that go in the other |
| 36 |
directions aren't likely to go very far. My understanding is also that |
| 37 |
it is now systemd doing all the SELinux magic (relabelling, etc), if you |
| 38 |
don't want to use systemd, you should at least look at the relevant code |
| 39 |
[1] [2] in systemd and do that in your own init system. And if you have |
| 40 |
any questions, just ask Lennart, he's actually surprisingly helpful. |
| 41 |
|
| 42 |
[1] http://cgit.freedesktop.org/systemd/tree/src/selinux-setup.c |
| 43 |
[2] http://cgit.freedesktop.org/systemd/tree/src/mount-setup.c#n386 |
| 44 |
|
| 45 |
-- |
| 46 |
Olivier Crête |
| 47 |
tester@g.o |
| 48 |
Gentoo Developer |
Archives