Re: Fixing /.autorelabel

On Fri, Jul 01, 2016 at 01:13:35AM +0200, Lennart Poettering wrote:
> On Thu, 30.06.16 22:27, Petr Lautrbach (plautrba@xxxxxxxxxx) wrote:
> 
> > > SELinux is in Permissive mode during this time.
> > 
> > SELinux policy is loaded in systemd at the very beginning so unless it's set
> > to be permissive in the config file or on the kernel command line, a
> > system is in enforcing mode until something - in this case a generator
> > or a service generated by the generator - changes the mode.
> 
> As briefly mentioned in the other mail: the policy is loaded only when
> the transition from the initrd to the host takes place. Generators are
> run in two cases however: when the systemd instance included in the
> initrd initializes, and when the systemd instance on the host image
> takes over. A generator included in the initrd hence runs with selinux
> still off, a generator on the host runs with selinux on.
> 
> I'd propose to put together a generator that is included in the initrd
> (and also exists on the host). When running from initrd context it
> should check the autorelabel boot flag, and somehow ensure that
> selinux stays off even after the transition (not sure if selinux has
> some concept for that, but it shouldn't be hard to come up with
> something). When running from host context it should check the flags
> too, and redirect the boot process.

Hi,

sorry for joining the thread so late…

I don't see what can be done in the initramfs: after all, relabelling
can only be done after filesystems are mounted. It seems that instead
the choice to start in permissive mode and execute the special
relabelling target should be done in very early boot when running from
the host fs.

Possibly selinux_init_load_policy() should have a special case and
start in permissive mode when /.autorelabel is present. This would be
the first step. The second step would be a generator which redirects
default.target.

Zbyszek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
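The "second step" Zbyszek describes, a generator that redirects default.target when /.autorelabel is present, is sketched below as an added example; it is not code from this thread or from systemd, and the relabel target name (selinux-autorelabel.target) and its path under /usr/lib/systemd/system are assumptions, since the thread does not name the "special relabelling target". It deliberately does nothing about the first step (starting in permissive mode), which the mail places in selinux_init_load_policy(), not in a generator.

```shell
#!/bin/sh
# Added example, not from the thread: a systemd generator that points
# default.target at a relabel target when /.autorelabel exists.
#
# systemd runs every generator as:  <generator> <normal-dir> <early-dir> <late-dir>
# Units and symlinks written into <early-dir> take precedence over the
# vendor and admin unit directories, which is what lets a generator
# override default.target.

# Assumed (hypothetical) relabel target; the thread does not name one.
RELABEL_TARGET="${RELABEL_TARGET:-selinux-autorelabel.target}"
UNIT_DIR="${UNIT_DIR:-/usr/lib/systemd/system}"

# Decide whether a redirect is wanted. Prints "redirect" or "noop" so the
# decision can be checked independently of the filesystem side effects.
# $1 = root of the host filesystem ("/" in production, a scratch dir in tests)
autorelabel_wanted() {
    root="${1:-/}"
    if [ -e "$root/.autorelabel" ]; then
        echo redirect
    else
        echo noop
    fi
}

# Create <early-dir>/default.target -> $UNIT_DIR/$RELABEL_TARGET.
# $1 = root, $2 = early generator dir. Returns 0 if a redirect was written,
# 1 if the flag file is absent and nothing was done.
autorelabel_generate() {
    root="$1"
    early_dir="$2"
    [ "$(autorelabel_wanted "$root")" = redirect ] || return 1
    mkdir -p "$early_dir"
    # ln -sf keeps the generator idempotent across reruns (daemon-reload).
    ln -sf "$UNIT_DIR/$RELABEL_TARGET" "$early_dir/default.target"
    return 0
}

# Entry point when systemd invokes this file as a generator. As the thread
# points out, this only helps from host context: in the initrd the host
# filesystem is not mounted yet, so /.autorelabel cannot even be checked.
if [ $# -ge 2 ]; then
    autorelabel_generate / "$2"
fi
```

Installed as an executable under /usr/lib/systemd/system-generators/, the script runs on every boot; the symlink it writes lives in the early generator directory (a tmpfs), so it disappears again on the next boot unless /.autorelabel is still present.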



