Vit Ry wrote on Thu, Dec 17, 2015 at 02:34:37PM +0300:
> And, do you have "dracut nfs module" installed inside?

Not quite sure how to check, but it looks like there are nfs-related
scripts installed:

xz -d -c images/pxeboot/initrd.img | cpio -t 2>&1 | grep nfs
usr/sbin/mount.nfs
usr/sbin/mount.nfs4
usr/sbin/nfsroot
usr/lib/dracut/hooks/cmdline/90-parse-nfsroot.sh
usr/lib/dracut/hooks/pre-udev/99-nfs-start-rpc.sh
usr/lib/dracut/hooks/cleanup/99-nfsroot-cleanup.sh
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/blocklayout
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/blocklayout/blocklayoutdriver.ko
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/filelayout
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/filelayout/nfs_layout_nfsv41_files.ko
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/nfs.ko
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/nfsv3.ko
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/nfsv4.ko
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/objlayout
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs/objlayout/objlayoutdriver.ko
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs_common
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfs_common/nfs_acl.ko
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfsd
usr/lib/modules/3.10.0-229.11.1.ocean1.el7.centos.x86_64/kernel/fs/nfsd/nfsd.ko
usr/lib/python2.7/site-packages/pykickstart/commands/nfs.py
usr/lib/nfs-lib.sh
usr/lib64/libnfsidmap
usr/lib64/libnfsidmap/nsswitch.so
usr/lib64/libnfsidmap/static.so
usr/lib64/libnfsidmap/umich_ldap.so
usr/lib64/libnfsidmap.so.0.3.0
usr/lib64/libnfsidmap.so.0
etc/modprobe.d/nfs.conf
var/lib/nfs
var/lib/nfs/rpc_pipefs
var/lib/nfs/statd
var/lib/nfs/statd/sm

Also, as said previously, the common rpc users are present in etc/passwd
in both the initrd and the LiveOS .img base system:

rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin

Is there anything specific I could check?
I'm just running lorax with a few repos and no specific options/template
for the moment.
(will be wanting to purge a few modules and add extra packages
ultimately, but not removing nfs)

From a selinux point of view, anyone running it as permissive can check
if there is any AVC related to a run in /var/log/audit/audit.log
(Obviously isn't anything for me or I wouldn't have asked)

This file lists both what does get blocked in enforcing and what would
get blocked in permissive, so anyone on the list using permissive can
check they could actually switch to enforcing and not break things.
It will list things like ADD_USER, ADD_GROUP, FS_RELABEL, etc but as long
as there is no "AVC" it should be considered fine.

I really think the change should be fine for most people susceptible to
upgrade to a new version from now, I just don't like tools to tell me
XYZ won't work so I won't even try when it does work...
I can understand the community does not want to try to debug problems
related to selinux so feel free to replace it with a big warning or
require an extra switch for the user to say they're sure they want to
run anyway, but this should not (in my opinion) require modifying the
code as a user.

-- 
Dominique Martinet
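
The audit.log check described in the message above, as an added example that is not part of the original post: it prints the AVC records logged during the time window of a run and ignores other record types such as ADD_USER or FS_RELABEL. The function names, the sample log lines and the timestamps are constructed for illustration.

```shell
#!/bin/sh
# avc_in_window LOG START END
# Print the AVC records in LOG whose audit timestamp (epoch seconds) lies
# in [START, END]. Returns 0 when there are none, 1 when at least one exists.
avc_in_window() {
    awk -v start="$2" -v end="$3" '
        # Records look like: type=AVC msg=audit(1450352077.300:220): ...
        # USER_AVC is the same kind of denial, reported by a userspace
        # object manager instead of the kernel.
        $1 == "type=AVC" || $1 == "type=USER_AVC" {
            ts = $2
            sub(/^msg=audit\(/, "", ts)   # drop the prefix
            sub(/\..*$/, "", ts)          # keep whole seconds only
            if (ts + 0 >= start + 0 && ts + 0 <= end + 0) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample log: one AVC long before the run, then account and
# relabel records, then one AVC during the run.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1450340000.000:100): avc:  denied  { read } for  pid=900 comm="sample" name="old" scontext=system_u:system_r:sample_t:s0 tcontext=system_u:object_r:sample_file_t:s0 tclass=file
type=ADD_USER msg=audit(1450352000.100:210): pid=4021 uid=0 auid=1000 ses=3 msg='op=add-user id=32 exe="/usr/sbin/useradd" res=success'
type=ADD_GROUP msg=audit(1450352000.150:211): pid=4020 uid=0 auid=1000 ses=3 msg='op=add-group id=32 exe="/usr/sbin/groupadd" res=success'
type=FS_RELABEL msg=audit(1450352050.200:215): pid=4100 uid=0 auid=1000 ses=3 msg='op=mass relabel exe="/usr/sbin/setfiles" res=success'
type=AVC msg=audit(1450352077.300:220): avc:  denied  { mounton } for  pid=4150 comm="mount" path="/mnt/sample" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sample_t:s0 tclass=dir
EOF
}

# Record the epoch time before and after the run (date +%s), then check
# only that window so unrelated older denials do not count.
log=$(mktemp)
write_sample_log "$log"
if avc_in_window "$log" 1450352000 1450352100; then
    echo "no AVC during the run"
else
    echo "AVC records found during the run (printed above)"
fi
rm -f "$log"
```

On a real system the first argument would be /var/log/audit/audit.log, which normally requires root to read.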