On Tue, 2012-01-03 at 22:47 +0000, Sven Vermeulen wrote:
> On Sun, Jan 01, 2012 at 03:21:47PM -0500, Olivier Crête wrote:
> > > I use a separate /usr with LVM on all my systems. My root partition uses
> > > RAID1. And I never had the need for an initramfs of any kind. Also, there
> > > are some major hurdles to take when it comes to getting an initramfs working
> > > with SELinux. Most initramfs implementations I saw are not SELinux aware, so
> > > all changes they make to the system either result in failures when they try,
> > > or failures when the root-switch occurs.
> > 
> > dracut fully supports SELinux (it's used in Fedora which has this
> > SELinux horror on by default).
> 
> Yes... but no.
> 
> Fedora uses SELinux but using a policy where most domains run unconfined
> (meaning they're allowed to do almost anything) and mostly the
> network-facing services are confined. 
>
> I just got dracut working on a SELinux system here (took me a few hours to
> compile a SELinux domain for dracut, because the application doesn't work
> with the standard privileges of an administrator) and it boots up (up to
> and including "dracut: Switching root") until SELinux is activated. 
> 
> From that point onwards, it's dead since it's using wrong labels and wrong
> context.
> 
> It is SELinux-aware (it mounts the selinuxfs and such) but I think I'll need
> to edit the /usr/lib/dracut/* stuff to get it to boot up properly on a
> SELinux system that doesn't use unconfined domains...
> 
> I'll try to get it working the next few days. Once (or when) it does, I'll
> submit the necessary patches to wherever is necessary.

My understanding is that the dracut maintainer recently removed SELinux
support and moved it into systemd. So patches that go in the other
direction aren't likely to go very far. My understanding is also that
it is now systemd doing all the SELinux magic (relabelling, etc.); if you
don't want to use systemd, you should at least look at the relevant code
[1] [2] in systemd and do that in your own init system. And if you have
any questions, just ask Lennart, he's actually surprisingly helpful.

[1] http://cgit.freedesktop.org/systemd/tree/src/selinux-setup.c
[2] http://cgit.freedesktop.org/systemd/tree/src/mount-setup.c#n386

-- 
Olivier Crête
tes...@gentoo.org
Gentoo Developer
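Added illustration, not part of this thread and not code from systemd or dracut: the early-boot SELinux sequence the discussion turns on (mount selinuxfs, read the configured mode, load the right policy, set the enforcing flag) as an init system would have to perform it before relabelling and switching root. It talks to the kernel's selinuxfs files `policyvers`, `load` and `enforce` directly instead of going through libselinux, so it builds without that library. Assumed here: selinuxfs mounted at /sys/fs/selinux (2012-era systems used /selinux), the config file at /etc/selinux/config, and policies laid out as /etc/selinux/<type>/policy/policy.<N>; the pure helpers `parse_selinux_config` and `pick_policy_version` are this example's own names.

```c
/* Added illustration (not code from this thread, systemd or dracut): the
 * early-boot SELinux steps an init must finish before switch_root, done via
 * the kernel's selinuxfs interface rather than libselinux so it builds
 * without that library. Assumed paths: selinuxfs at /sys/fs/selinux (2012-era
 * systems used /selinux), policies at /etc/selinux/<type>/policy/policy.<N>.
 * Relabelling /dev and /run is the next step and is not shown here. */
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

#define SELINUXFS "/sys/fs/selinux"
#define POLICY_STORE "/etc/selinux"
enum selinux_mode { MODE_UNKNOWN = -1, MODE_DISABLED, MODE_PERMISSIVE, MODE_ENFORCING };
struct selinux_cfg { enum selinux_mode mode; char type[64]; }; /* SELINUX=, SELINUXTYPE= */

/* Parse /etc/selinux/config text (KEY=VALUE lines, '#' comments, last wins).
 * Returns -1 if SELINUX= is missing or unrecognised: an init must not guess
 * the mode, since guessing "disabled" would boot the system unconfined. */
int parse_selinux_config(const char *text, struct selinux_cfg *cfg)
{
    cfg->mode = MODE_UNKNOWN;
    snprintf(cfg->type, sizeof cfg->type, "targeted");  /* default when unset */
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[256], *key = line, *eq, *val, *end;
        snprintf(line, sizeof line, "%.*s", (int)len, text);
        text = eol ? eol + 1 : text + len;
        while (isspace((unsigned char)*key)) key++;
        if (*key == '#' || !(eq = strchr(key, '='))) continue;
        *eq = '\0'; val = eq + 1; end = val + strlen(val);
        while (end > val && isspace((unsigned char)end[-1])) *--end = '\0';
        if (strcmp(key, "SELINUX") == 0)
            cfg->mode = !strcmp(val, "disabled")   ? MODE_DISABLED
                      : !strcmp(val, "permissive") ? MODE_PERMISSIVE
                      : !strcmp(val, "enforcing")  ? MODE_ENFORCING : MODE_UNKNOWN;
        else if (strcmp(key, "SELINUXTYPE") == 0)
            snprintf(cfg->type, sizeof cfg->type, "%s", val);
    }
    return cfg->mode == MODE_UNKNOWN ? -1 : 0;
}

/* Newest available policy version <= the kernel's maximum (selinuxfs
 * 'policyvers'); 'load' rejects newer formats. Returns -1 if none fits. */
int pick_policy_version(const int *available, size_t n, int kernel_max)
{
    int best = -1;
    for (size_t i = 0; i < n; i++)
        if (available[i] <= kernel_max && available[i] > best) best = available[i];
    return best;
}

/* The kernel wants the whole policy blob in a single write() to 'load'. */
static int load_policy(const char *src)
{
    int in = open(src, O_RDONLY), out = open(SELINUXFS "/load", O_WRONLY), rc = -1;
    struct stat st; char *buf = NULL;
    if (in >= 0 && out >= 0 && fstat(in, &st) == 0 && (buf = malloc(st.st_size)) &&
        read(in, buf, st.st_size) == st.st_size)
        rc = write(out, buf, st.st_size) == st.st_size ? 0 : -1;
    free(buf); if (in >= 0) close(in); if (out >= 0) close(out);
    return rc;
}

int main(void)
{
    char text[4096] = "", dir[256], path[512]; int versions[32], kmax, v; size_t n = 0;
    struct selinux_cfg cfg; FILE *f; DIR *dp; struct dirent *d;
    /* 1. selinuxfs must be mounted before anything can be queried or loaded */
    if (mount("selinuxfs", SELINUXFS, "selinuxfs", 0, NULL) < 0 && errno != EBUSY) {
        perror("mount selinuxfs (needs root and an SELinux kernel)"); return 1;
    }
    /* 2. configured mode and type; unknown or disabled means load nothing */
    if ((f = fopen(POLICY_STORE "/config", "r"))) { text[fread(text, 1, sizeof text - 1, f)] = '\0'; fclose(f); }
    if (parse_selinux_config(text, &cfg) < 0 || cfg.mode == MODE_DISABLED) {
        fputs("SELinux not configured, booting without policy\n", stderr); return 0;
    }
    /* 3. newest policy.<N> in the store that the running kernel accepts */
    if (!(f = fopen(SELINUXFS "/policyvers", "r")) || fscanf(f, "%d", &kmax) != 1) { perror("policyvers"); return 1; }
    fclose(f);
    snprintf(dir, sizeof dir, "%s/%s/policy", POLICY_STORE, cfg.type);
    for (dp = opendir(dir); dp && (d = readdir(dp)) && n < 32;)
        if (sscanf(d->d_name, "policy.%d", &v) == 1) versions[n++] = v;
    if (dp) closedir(dp);
    if ((v = pick_policy_version(versions, n, kmax)) < 0) { fprintf(stderr, "no policy in %s\n", dir); return 1; }
    snprintf(path, sizeof path, "%s/policy.%d", dir, v);
    /* 4. load it, then 5. set the enforcing flag; only now is switch_root safe */
    if (load_policy(path) < 0 || !(f = fopen(SELINUXFS "/enforce", "w"))) { perror("load policy / enforce"); return 1; }
    fprintf(f, "%d", cfg.mode == MODE_ENFORCING); fclose(f);
    return 0;
}
```

The point the thread makes about labels going wrong at "Switching root" is why step order matters: anything created before the policy is loaded carries no context, so an init that loads policy late (or never, because it could not parse the config) hands a mislabelled /dev and /run to the confined system. The parser therefore refuses an unrecognised SELINUX= value rather than defaulting to disabled, and the version selection reads the kernel's own maximum instead of assuming one.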
