On Sun, 03.07.16 19:19, Zbigniew Jędrzejewski-Szmek (zbyszek@xxxxxxxxx) wrote:

> On Fri, Jul 01, 2016 at 01:13:35AM +0200, Lennart Poettering wrote:
> > On Thu, 30.06.16 22:27, Petr Lautrbach (plautrba@xxxxxxxxxx) wrote:
> >
> > > SELinux is in Permissive mode during this time.
> > >
> > > SELinux policy is loaded in systemd at the very beginning, so unless it's set
> > > to be permissive in the config file or on the kernel command line, a
> > > system is in enforcing mode until something - in this case a generator
> > > or a service generated by the generator - changes the mode.
> >
> > As briefly mentioned in the other mail: the policy is loaded only when
> > the transition from the initrd to the host takes place. Generators are
> > run in two cases however: when the systemd instance included in the
> > initrd initializes, and when the systemd instance on the host image
> > takes over. A generator included in the initrd hence runs with selinux
> > still off, a generator on the host runs with selinux on.
> >
> > I'd propose to put together a generator that is included in the initrd
> > (and also exists on the host). When running from initrd context it
> > should check the autorelabel boot flag, and somehow ensure that
> > selinux stays off even after the transition (not sure if selinux has
> > some concept for that, but it shouldn't be hard to come up with
> > something). When running from host context it should check the flags
> > too, and redirect the boot process.
>
> Hi,
>
> sorry for joining the thread so late…
>
> I don't see what can be done in the initramfs: after all, relabelling
> can only be done after filesystems are mounted. It seems that instead
> the choice to start in permissive mode and execute the special
> relabelling target should be done in very early boot when running from
> the host fs.

I didn't propose to do the relabelling in the initrd. I am saying that
when the generator runs *from host context* (i.e. not in the initrd) it
should redirect the boot for the relabelling...

Lennart

--
Lennart Poettering, Red Hat
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
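The generator sketched in the thread, as an added illustration written for this page; it is not systemd's, Fedora's or any poster's code. It assumes a few things the thread does not state: that the relabel request is signalled by a /.autorelabel file on the root filesystem or by autorelabel=1 on the kernel command line, that the relabel flow lives in a hypothetical selinux-autorelabel.target, that initrd context is recognised by the presence of /etc/initrd-release (the marker systemd itself checks), and that a default.target symlink in the generator's early directory is enough to redirect the boot, since that directory takes precedence over /etc/systemd/system. The initrd branch only records the request, because the thread leaves open how SELinux should be kept off across the initrd-to-host transition.

```shell
#!/bin/sh
# Hypothetical autorelabel generator (example for this thread, not real code).
# systemd runs generators with three directory arguments:
#   $1 normal-dir   $2 early-dir   $3 late-dir
# Units in early-dir override /etc/systemd/system, so a default.target
# symlink placed there redirects the boot to the relabel target.

# Assumed name of the unit that performs the relabel (hypothetical).
RELABEL_TARGET="selinux-autorelabel.target"

# in_initrd ROOT: true when this systemd instance is the one in the initrd.
# ROOT is a parameter only so the check can be exercised on a scratch tree.
in_initrd() {
    [ -f "$1/etc/initrd-release" ]
}

# autorelabel_requested ROOT CMDLINE: true when a relabel was asked for,
# either via ROOT/.autorelabel or via autorelabel=1 on the command line
# (both assumed conventions, not taken from the thread).
autorelabel_requested() {
    root=$1
    cmdline=$2
    [ -e "$root/.autorelabel" ] && return 0
    for word in $cmdline; do
        case "$word" in
            autorelabel=1|autorelabel=yes) return 0 ;;
        esac
    done
    return 1
}

# redirect_boot EARLY_DIR: make the relabel target the default target.
redirect_boot() {
    early=$1
    mkdir -p "$early"
    ln -sf "/usr/lib/systemd/system/$RELABEL_TARGET" "$early/default.target"
}

# decide ROOT CMDLINE EARLY_DIR: apply the thread's two-phase logic and
# print which phase acted ("none", "initrd" or "host").
decide() {
    root=$1
    cmdline=$2
    early=$3
    if ! autorelabel_requested "$root" "$cmdline"; then
        echo "none"
    elif in_initrd "$root"; then
        # Initrd phase: SELinux is still off here. Keeping it off past the
        # transition is the open question in the thread, so nothing is done.
        echo "initrd"
    else
        # Host phase: SELinux is on, filesystems are mounted, redirect boot.
        redirect_boot "$early"
        echo "host"
    fi
}

# When invoked by systemd as a generator, act on the real root and cmdline.
if [ "$#" -eq 3 ]; then
    decide / "$(cat /proc/cmdline)" "$2"
fi
```

Installed under the generator directories of both the initrd image and the host, the same script runs twice per boot and takes a different branch each time; decide() returns the branch name so the behaviour can be checked on a scratch tree without touching a real system.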