On Fri, Jul 01, 2016 at 01:13:35AM +0200, Lennart Poettering wrote:
> On Thu, 30.06.16 22:27, Petr Lautrbach (plautrba@xxxxxxxxxx) wrote:
>
> > SELinux is in Permissive mode during this time.
> >
> > SELinux policy is loaded in systemd at the very beginning, so unless it's set
> > to be permissive in the config file or on the kernel command line, a
> > system is in enforcing mode until something - in this case a generator
> > or a service generated by the generator - changes the mode.
>
> As briefly mentioned in the other mail: the policy is loaded only when
> the transition from the initrd to the host takes place. Generators are
> run in two cases however: when the systemd instance included in the
> initrd initializes, and when the systemd instance on the host image
> takes over. A generator included in the initrd hence runs with selinux
> still off, a generator on the host runs with selinux on.
>
> I'd propose to put together a generator that is included in the initrd
> (and also exists on the host). When running from initrd context it
> should check the autorelabel boot flag, and somehow ensure that
> selinux stays off even after the transition (not sure if selinux has
> some concept for that, but it shouldn't be hard to come up with
> something). When running from host context it should check the flags
> too, and redirect the boot process.

Hi,
sorry for joining the thread so late…

I don't see what can be done in the initramfs: after all, relabelling can
only be done after filesystems are mounted. It seems that instead the
choice to start in permissive mode and execute the special relabelling
target should be done in very early boot when running from the host fs.
Possibly selinux_init_load_policy() should have a special case and start
in permissive mode when /.autorelabel is present. This would be the first
step. The second step would be a generator which redirects default.target.
Zbyszek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
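A sketch of the host-side generator the second step above describes, added here as an example; it is not code from the thread, from systemd or from Fedora. It assumes the flag file is /.autorelabel as in the message, a relabel target named selinux-autorelabel.target (an assumed name), and the /etc/initrd-release marker that systemd itself uses to tell an initrd boot from a host boot; the initrd case is deliberately left alone, since the host root is not mounted there.

```shell
#!/bin/sh
# Hypothetical autorelabel generator (added example, not from the thread).
# systemd invokes generators as: <generator> <normal-dir> <early-dir> <late-dir>

# Decide whether this boot should be redirected to the relabel target.
# Returns 0 when the flag file exists and we are running from the host
# filesystem, 1 otherwise (no flag, or still inside the initrd).
autorelabel_wanted() {
    flag="${1:-/.autorelabel}"                 # assumed flag path
    initrd_marker="${2:-/etc/initrd-release}"  # present only in the initrd
    # In the initrd the host root is not mounted yet, so the flag cannot be
    # acted on; only the host instance of systemd should redirect the boot.
    [ -f "$flag" ] || return 1
    [ ! -f "$initrd_marker" ] || return 1
    return 0
}

# Redirect default.target by placing a symlink in the early generator
# directory, which systemd ranks above /etc and /usr unit files.
# Prints the symlink's destination so callers can check it.
redirect_default_target() {
    early_dir="$1"
    target="${2:-selinux-autorelabel.target}"  # assumed relabel target name
    dest="/usr/lib/systemd/system/$target"
    mkdir -p "$early_dir"
    ln -sf "$dest" "$early_dir/default.target"
    printf '%s\n' "$dest"
}

# Entry point: only act when systemd hands us the three directories.
# The exit status stays 0 either way, so systemd does not log a failure
# on normal boots where no relabel was requested.
if [ "$#" -eq 3 ]; then
    if autorelabel_wanted; then
        redirect_default_target "$2" >/dev/null
    fi
fi
```

Installing the script under /usr/lib/systemd/system-generators and marking it executable is enough for systemd to run it at each boot; the relabel target and service it points at are out of scope here.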