| 1 |
On Sun, Jan 01, 2012 at 03:21:47PM -0500, Olivier Crête wrote: |
| 2 |
> > I use a separate /usr with LVM on all my systems. My root partition uses |
| 3 |
> > RAID1. And I never had the need for an initramfs of any kind. Also, there |
| 4 |
> > are some major hurdles to take when it comes to getting an initramfs working |
| 5 |
> > with SELinux. Most initramfs implementations I saw are not SELinux aware, so |
| 6 |
> > all changes they make to the system either result in failures when they try, |
| 7 |
> > or failures when the root-switch occurs. |
| 8 |
> |
| 9 |
> dracut fully supports SELinux (it's used in Fedora which has this |
| 10 |
> SELinux horror on by default). |
| 11 |
|
| 12 |
Yes... but no. |
| 13 |
|
| 14 |
Fedora uses SELinux but using a policy where most domains run unconfined |
| 15 |
(meaning they're allowed to do almost anything) and mostly the |
| 16 |
network-facing services are confined. |
| 17 |
|
| 18 |
I just got dracut working on a SELinux system here (took me a few hours to |
| 19 |
compile a SELinux domain for dracut, because the application doesn't work |
| 20 |
with the standard privileges of an administrator) and it boots up (up to |
| 21 |
and including "dracut: Switching root") until SELinux is activated. |
| 22 |
|
| 23 |
From that point onwards, it's dead since its using wrong labels and wrong |
| 24 |
context. |
| 25 |
|
| 26 |
It is SELinux-aware (it mounts the selinuxfs and such) but I think I'll need |
| 27 |
to edit the /usr/lib/dracut/* stuff to get it to boot up properly on a |
| 28 |
SELinux system that doesn't use unconfined domains... |
| 29 |
|
| 30 |
I'll try to get it working the next few days. Once (or when) it does, I'll |
| 31 |
submit the necessary patches to wherever is necessary. |
| 32 |
|
| 33 |
Wkr, |
| 34 |
Sven Vermeulen |
Archives