On Thu, 30.06.16 22:27, Petr Lautrbach (plautrba@xxxxxxxxxx) wrote:

> > SELinux is in Permissive mode during this time.
>
> SELinux policy is loaded in systemd at the very beginning, so unless it's set
> to be permissive in the config file or on the kernel command line, a
> system is in enforcing mode until something - in this case a generator
> or a service generated by the generator - changes the mode.

As briefly mentioned in the other mail: the policy is loaded only when the
transition from the initrd to the host takes place. Generators are run in
two cases however: when the systemd instance included in the initrd
initializes, and when the systemd instance on the host image takes over. A
generator included in the initrd hence runs with selinux still off, a
generator on the host runs with selinux on.

I'd propose to put together a generator that is included in the initrd (and
also exists on the host). When running from initrd context it should check
the autorelabel boot flag, and somehow ensure that selinux stays off even
after the transition (not sure if selinux has some concept for that, but it
shouldn't be hard to come up with something). When running from host context
it should check the flags too, and redirect the boot process.

Lennart

--
Lennart Poettering, Red Hat
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
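A sketch of the two-context generator the mail proposes, added here as an example and not code from the thread or from systemd. It assumes the flag file /.autorelabel, an autorelabel=1 kernel command-line switch, a unit named selinux-autorelabel.target and a marker directory under /run; systemd's /etc/initrd-release test and the three generator output directories are real.

```shell
#!/bin/sh
# Sketch of the two-context generator proposed above (added example, not
# code from the thread). systemd calls a generator as:
#   generator NORMAL_DIR EARLY_DIR LATE_DIR
# The flag file, the relabel target and the runtime marker are assumptions.
AUTORELABEL_FLAG="${AUTORELABEL_FLAG:-/.autorelabel}"          # assumed flag file
RELABEL_TARGET="${RELABEL_TARGET:-/usr/lib/systemd/system/selinux-autorelabel.target}"  # assumed unit
INITRD_MARKER="${INITRD_MARKER:-/etc/initrd-release}"          # systemd's own initrd test
PROC_CMDLINE="${PROC_CMDLINE:-/proc/cmdline}"
RUNTIME_DIR="${RUNTIME_DIR:-/run/selinux-autorelabel}"         # assumed marker dir

# True when the flag file exists or autorelabel=1 (assumed) is on the kernel command line.
relabel_requested() {
    [ -e "$AUTORELABEL_FLAG" ] && return 0
    grep -qw 'autorelabel=1' "$PROC_CMDLINE" 2>/dev/null
}

# The initrd image carries /etc/initrd-release; the host root does not.
in_initrd() {
    [ -e "$INITRD_MARKER" ]
}

# generate EARLY_DIR: act on the flag for the context we run in and print
# which branch was taken ("none", "initrd" or "host") so the log shows it.
generate() {
    early_dir="$1"
    if ! relabel_requested; then
        echo none
        return 0
    fi
    if in_initrd; then
        # Initrd context: policy is not loaded yet. Only record that the flag
        # was seen; keeping SELinux off across the transition is the open point
        # in the thread and is not solved here.
        mkdir -p "$RUNTIME_DIR" && : > "$RUNTIME_DIR/requested"
        echo initrd
    else
        # Host context: redirect the boot by overriding default.target in the
        # early generator dir, which takes precedence over the symlink in /etc.
        mkdir -p "$early_dir"
        ln -sf "$RELABEL_TARGET" "$early_dir/default.target"
        echo host
    fi
}

if [ "$#" -eq 3 ]; then
    generate "$2"
fi
```

Installed under /usr/lib/systemd/system-generators/ in both the initrd and the host image, the same script would run once in each context and only the host run changes what gets booted.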