On Sun, Jan 01, 2012 at 03:21:47PM -0500, Olivier Crête wrote:
> > I use a separate /usr with LVM on all my systems. My root partition uses
> > RAID1. And I never had the need for an initramfs of any kind. Also, there
> > are some major hurdles to take when it comes to getting an initramfs working
> > with SELinux. Most initramfs implementations I saw are not SELinux aware, so
> > all changes they make to the system either result in failures when they try,
> > or failures when the root-switch occurs.
>
> dracut fully supports SELinux (it's used in Fedora which has this
> SELinux horror on by default).

Yes... but no.

Fedora uses SELinux, but with a policy where most domains run unconfined
(meaning they're allowed to do almost anything) and mostly the
network-facing services are confined.

I just got dracut working on a SELinux system here (took me a few hours to
compile a SELinux domain for dracut, because the application doesn't work
with the standard privileges of an administrator) and it boots up (up to
and including "dracut: Switching root") until SELinux is activated.

From that point onwards, it's dead since it's using wrong labels and wrong
contexts.

It is SELinux-aware (it mounts the selinuxfs and such) but I think I'll need
to edit the /usr/lib/dracut/* stuff to get it to boot up properly on a
SELinux system that doesn't use unconfined domains...

I'll try to get it working in the next few days. Once (or when) it does, I'll
submit the necessary patches to wherever is necessary.

Wkr,
Sven Vermeulen
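As an added example (not part of Sven's message, and not dracut's or refpolicy's own code), here is a small Python script that does, offline, what `restorecon -n -v` does on a live system: it matches each observed path against a file_contexts file and reports the files whose label does not agree with the policy. This is the check you would run after a switch-root to see what the initramfs left behind with the wrong label. The file_contexts snippet and the `find -printf '%y %Z %p'` output are constructed for the example; the matching uses the simplified rule that each regex is anchored at both ends and the last matching entry in the file wins; and the names `parse_file_contexts`, `expected_context` and `check_labels` are the author's, not libselinux API.

```python
"""Compare observed SELinux file labels with what a file_contexts file says
they should be (roughly `restorecon -n -v`).  Added example, not dracut code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# file_contexts type flags -> the single-letter codes printed by `find -printf %y`
FTYPE_MAP = {"--": "f", "-d": "d", "-l": "l", "-b": "b", "-c": "c", "-p": "p", "-s": "s"}


@dataclass
class Spec:
    regex: "re.Pattern"
    ftype: Optional[str]    # None = entry applies to any file type
    context: Optional[str]  # None = <<none>>, i.e. the file is deliberately left alone


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse `regex [type-flag] context` lines; '#' lines and blank lines are skipped."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        elif len(parts) == 3 and parts[1] in FTYPE_MAP:
            regex, ftype, ctx = parts[0], FTYPE_MAP[parts[1]], parts[2]
        else:
            raise ValueError(f"file_contexts line {lineno}: cannot parse {raw!r}")
        specs.append(Spec(re.compile(regex), ftype, None if ctx == "<<none>>" else ctx))
    return specs


def expected_context(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Anchored match; when several entries match, the last one in the file wins
    (simplified model of libselinux's file_contexts lookup).  None means either
    <<none>> or no entry at all."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def type_field(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def check_labels(file_contexts: str, observed: str,
                 types_only: bool = True) -> List[Tuple[str, str, str]]:
    """observed: lines of `find / -printf '%y %Z %p\\n'` (type, context, path).
    Returns (path, observed_context, expected_context) for every mismatch.
    Like restorecon without -F, only the type field is compared by default."""
    specs = parse_file_contexts(file_contexts)
    bad = []
    for raw in observed.splitlines():
        if not raw.strip():
            continue
        ftype, have, path = raw.split(" ", 2)   # path may itself contain spaces
        want = expected_context(specs, path, ftype)
        if want is None:
            continue
        same = type_field(have) == type_field(want) if types_only else have == want
        if not same:
            bad.append((path, have, want))
    return bad


# Constructed refpolicy-style snippet, not a real policy file.
FILE_CONTEXTS = """\
/.*                 system_u:object_r:default_t
/etc(/.*)?          system_u:object_r:etc_t
/run(/.*)?          system_u:object_r:var_run_t
/run/udev(/.*)?     system_u:object_r:udev_var_run_t
/dev(/.*)?          system_u:object_r:device_t
/dev/null       -c  system_u:object_r:null_device_t
/dev/shm        -d  system_u:object_r:tmpfs_t
/dev/shm/.*         <<none>>
"""

# Constructed `find -printf '%y %Z %p\n'` output for a box whose initramfs
# populated /run before the policy was loaded, so those entries are unlabeled_t.
OBSERVED = """\
d system_u:object_r:etc_t /etc
f system_u:object_r:etc_t /etc/fstab
d system_u:object_r:var_run_t /run
f system_u:object_r:unlabeled_t /run/initramfs/init.log
d system_u:object_r:unlabeled_t /run/udev
c system_u:object_r:null_device_t /dev/null
d system_u:object_r:tmpfs_t /dev/shm
f system_u:object_r:tmpfs_t /dev/shm/scratch
"""

if __name__ == "__main__":
    for path, have, want in check_labels(FILE_CONTEXTS, OBSERVED):
        print(f"{path}: is {have}, should be {want}")
```

On a real system you would feed it the policy's file_contexts (under /etc/selinux/&lt;policy&gt;/contexts/files/) and the output of `find / -xdev -printf '%y %Z %p\n'` taken right after the switch-root; `restorecon -n -v -R /run /dev` gives the same answer with the real matcher, but only once the system is far enough up to run it, which is exactly what fails in the scenario above.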