| 1 |
Hi, |
| 2 |
|
| 3 |
maybe I can help you. I hit a similar problem a while ago. |
| 4 |
I presume that you use a tmpfs for /run. If that's the case you may need |
| 5 |
to relabel /dev/utmp (not inside the tmpfs but on the disk itself - use |
| 6 |
bindmount and the instructions for relabeling /lib from the handbook or |
| 7 |
unmount run). |
| 8 |
|
| 9 |
Another hint from me: don't use dracut if you plan to boot in enforcing. |
| 10 |
I never could get it working (if you need an initramfs build a minimal |
| 11 |
one for yourself). |
| 12 |
|
| 13 |
|
| 14 |
-Hinnerk |
| 15 |
|
| 16 |
On Wed, Mar 06, 2013 at 12:15:38PM +0100, Krzysztof Nowicki wrote: |
| 17 |
> Hi, |
| 18 |
> |
| 19 |
> I'm trying to migrate a machine to SELinux. I was able to run all the steps related to the kernel, packages and filesystem. The system boots fine in permissive mode but I'm getting a lot of AVC denials related to /run. The obvious suspect would the lack of proper labelling so I checked the fstab and verified that the /run filesystem is present with the correct rootcontext option. To my surprise however the /run filesystem is still mounted without the rootcontext option. |
| 20 |
> |
| 21 |
> I've spent some time tracking this down and eventually found out that the issue is related to the Dracut initramfs. The init script mounts /run from there. Obviously the the mount options are hard-coded and rootcontext is not among them. |
| 22 |
> |
| 23 |
> So I tried to edit the Dracut's init script (/usr/lib64/dracut/modules.d/99base/init.sh) to append the rootcontext option to the mount /run line, but surprisingly it was completely ignored. |
| 24 |
> |
| 25 |
> Did anybody hit a similar problem? |
| 26 |
> |
| 27 |
> Regards |
| 28 |
> Chris |
| 29 |
> |
| 30 |
> |
Archives