Thanks for the pointer to grsecurity, I'll take a look at it. I've been satisfied with selinux, at least from the user's perspective, but I'm always interested in better security. I'm currently trying to build a functional initrd using dracut, next I'll try kexec-tools, that does not suffer from the problem in my original post. My intent is to compare the respective inits with build-init.sh and perhaps identify a solution. FG On Fri, 2009-10-02 at 20:39 -0700, Mike Mohr wrote: > Try grsecurity oh the "high" setting. Grsecurity is, in my > experience, far superior to either Novell AppArmor or selinux. Even > on the "high" setting I only had to tweak Firefox, Java, and Wine with > paxctl -- everything else works exactly as it should. I've used it > successfully with loop-aes on Gentoo (which is sort of unversioned, > but at least since 2008.0), Fedora (8-11), and Ubuntu (8.04->9.04). > > Just my .02. > > -Mike > > On Fri, Oct 2, 2009 at 7:51 PM, Fred Gazerblezeebe > <fgazerblezeebe@xxxxxxxxx> wrote: > > My system is up and running with an encrypted root partition and > > behaving exactly as it did pre-encryption except that selinux always > > comes up disabled at boot. Even passing the 'selinux=1' kernel parameter > > is ineffective. Once booted, selinux can be started with 'load_policy > > -i', after which it seems to behave normally, so it appears to be > > configured correctly, as it was before the root fs was encrypted. > > > > System info: > > intel core2duo cpu > > Fedora 11 > > 2.6.31-rc5-git5 from kernel.org > > loop-AES-3.2g (compiled as module) > > aespipe-v2.3e > > util-linux-ng-2.15.1 > > > > build-initrd.sh configuration: > > * USEPIVOT=2 > > * BOOTDEV=/dev/sda1 > > * BOOTTYPE=ext3 > > * CRYPTROOT=/dev/sda2 > > * ROOTTYPE=ext4 > > * CIPHERTYPE=AES128 > > * GPGKEYFILE=rootkey.gpg > > * SOURCEROOT=/ > > * DESTINATIONROOT=/mnt/build > > * DESTINATIONPREFIX=boot > > * UTF8KEYBMODE=1 > > * LOADNATIONALKEYB=1 > > * USEGPGKEY=1 > > > > My reading seems to point to this being an initrd issue as opposed to a > > loop-aes issue. However, in my experiments with dracut, TuxOnIce, > > building initrds from scratch, etc., I have been unable to get anything > > to work that is as small and efficient as the initrds produced by Jari's > > build-initrd.sh script, hence my post here. > > > > So my question is, must I live with this behavior or is it something > > that has already been solved? If it has been solved, would someone be so > > kind as to point me in the right direction; ideally at an > > appropriately-modified build-initrd.sh, but suggestions as to what I > > might try next would also be appreciated. > > > > Thanks. > > > > FG > > > > > > > > > > > > > > - > > Linux-crypto: cryptography in and on the Linux system > > Archive: http://mail.nl.linux.org/linux-crypto/ > > > > > > - > Linux-crypto: cryptography in and on the Linux system > Archive: http://mail.nl.linux.org/linux-crypto/ > - Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
