Brian C. Lane wrote on Wed, Dec 16, 2015 at 09:28:04AM -0800: > I think it's better to leave it and run it in permissive mode. The > results always get labeled properly, the problems you hit while leaving > it enabled is selinux blocking the package installation in the > installroot. Depending on the host version and selinux rules this may > work for you, but not for others. Well, all my systems here (in the cluster I'm rebuilding the image for) have selinux enforced, so I basically either have to maintain a local patch to skip the check or to spawn a VM just for the job - both of which I can do right now, but would rather avoid in the long term. Would it be possible to add a switch like --yes-selinux-is-enforced-do-it-anyway or something ugly to bypass the check then? FWIW selinux policies are rather centralised and updated everywhere so it should be ok for anyone in el7/recent-ish fedora (would need to test el6) that runs root as unconstrained, may be worth checking for id -Z instead even if it's a bit more work? (I'm actually not sure if the preferred way to change which kernel to use in the pxe images is to go through lorax or just to fix the kernel modules in the initrd by hand.. I find lorax "cleaner", but if I have to kludge around it may be easier to go back to scripting around the initrd modification) Thanks, -- Dominique _______________________________________________ Anaconda-devel-list mailing list Anaconda-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/anaconda-devel-list
