Try grsecurity on the "high" setting. Grsecurity is, in my experience, far superior to either Novell AppArmor or selinux. Even on the "high" setting I only had to tweak Firefox, Java, and Wine with paxctl -- everything else works exactly as it should. I've used it successfully with loop-aes on Gentoo (which is sort of unversioned, but at least since 2008.0), Fedora (8-11), and Ubuntu (8.04->9.04).

Just my .02.

-Mike

On Fri, Oct 2, 2009 at 7:51 PM, Fred Gazerblezeebe <fgazerblezeebe@xxxxxxxxx> wrote:
> My system is up and running with an encrypted root partition and
> behaving exactly as it did pre-encryption except that selinux always
> comes up disabled at boot. Even passing the 'selinux=1' kernel parameter
> is ineffective. Once booted, selinux can be started with 'load_policy
> -i', after which it seems to behave normally, so it appears to be
> configured correctly, as it was before the root fs was encrypted.
>
> System info:
> intel core2duo cpu
> Fedora 11
> 2.6.31-rc5-git5 from kernel.org
> loop-AES-3.2g (compiled as module)
> aespipe-v2.3e
> util-linux-ng-2.15.1
>
> build-initrd.sh configuration:
> * USEPIVOT=2
> * BOOTDEV=/dev/sda1
> * BOOTTYPE=ext3
> * CRYPTROOT=/dev/sda2
> * ROOTTYPE=ext4
> * CIPHERTYPE=AES128
> * GPGKEYFILE=rootkey.gpg
> * SOURCEROOT=/
> * DESTINATIONROOT=/mnt/build
> * DESTINATIONPREFIX=boot
> * UTF8KEYBMODE=1
> * LOADNATIONALKEYB=1
> * USEGPGKEY=1
>
> My reading seems to point to this being an initrd issue as opposed to a
> loop-aes issue. However, in my experiments with dracut, TuxOnIce,
> building initrds from scratch, etc., I have been unable to get anything
> to work that is as small and efficient as the initrds produced by Jari's
> build-initrd.sh script, hence my post here.
>
> So my question is, must I live with this behavior or is it something
> that has already been solved? If it has been solved, would someone be so
> kind as to point me in the right direction; ideally at an
> appropriately-modified build-initrd.sh, but suggestions as to what I
> might try next would also be appreciated.
>
> Thanks.
>
> FG
>
> -
> Linux-crypto: cryptography in and on the Linux system
> Archive: http://mail.nl.linux.org/linux-crypto/