Hello,

Could anyone advise on how to make SELinux run on a diskless client with NFS root? It is a Fedora 26 system.

I'm mounting with NFS flags to enable SELinux labels.

    ... root=nfs4:mimmi:/remote/pluto,seclabel,vers=4.2 rootfstype=nfs4 rootflags=seclabel,vers=4.2 ...

(I guess I'm duplicating things here. Google has found different suggestions in different places. I've added all of them for now.)

Listing directories after the system comes up shows all labels as expected. For example:

    [goeran@pluto ~]$ ls -lZ /usr/lib/systemd/systemd
    -rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 1183248 27 jun 23.49 /usr/lib/systemd/systemd

But the processes don't wind up in the correct domains. Process 1 remains in kernel_t. A lot of other processes too, but I guess the underlying reason is process 1.

    [goeran@pluto ~]$ ps -Zp 1
    LABEL                             PID TTY          TIME CMD
    system_u:system_r:kernel_t:s0       1 ?        00:00:24 systemd

The only exception is when I log in via SSH. Those processes wind up in the unconfined_t domain. SSHD seems to still do the right thing, and from there it appears to work. E.g. if I start a dbus-daemon in the SSH session, it runs in unconfined_dbusd_t.

I run this system in permissive mode, so things do work. But I naturally do get a lot of AVCs. Of course, I would prefer to make SELinux enforcing if possible.

Does anyone have any tips?
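
A check for the two symptoms described in the message above (userspace processes left in kernel_t, and whether the root mount carries seclabel), as an added example that is not part of the original post. The function names are hypothetical and the sample ps and mount lines are constructed; kernel threads (PID 2 and its children) are skipped because kernel_t is their normal domain.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Reads `ps -eo label,pid,ppid,comm` output on stdin and prints "PID COMM"
# for every userspace process whose SELinux type is still kernel_t.
find_untransitioned() {
    awk '$2 ~ /^[0-9]+$/ {
        split($1, ctx, ":")                  # user:role:type:level
        is_kthread = ($2 == 2 || $3 == 2)    # kthreadd and its children
        if (ctx[3] == "kernel_t" && !is_kthread)
            print $2, $4
    }'
}

# Reads /proc/mounts-style lines on stdin; succeeds only if the last entry
# mounted on / lists the seclabel option.
root_has_seclabel() {
    awk '$2 == "/" { opts = $4 }
         END { exit !(("," opts ",") ~ /,seclabel,/) }'
}

# Constructed sample input modelled on the symptoms in the post.
SAMPLE_PS='LABEL PID PPID COMMAND
system_u:system_r:kernel_t:s0 1 0 systemd
system_u:system_r:kernel_t:s0 2 0 kthreadd
system_u:system_r:kernel_t:s0 3 2 kworker/0:0
system_u:system_r:kernel_t:s0 612 1 systemd-journal
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1841 1820 bash'

SAMPLE_MOUNTS='mimmi:/remote/pluto / nfs4 rw,seclabel,relatime,vers=4.2 0 0'

echo "Userspace processes still in kernel_t:"
printf '%s\n' "$SAMPLE_PS" | find_untransitioned

if printf '%s\n' "$SAMPLE_MOUNTS" | root_has_seclabel; then
    echo "root mount: seclabel present"
else
    echo "root mount: seclabel missing"
fi
```

On a live system, feed the functions `ps -eo label,pid,ppid,comm` and `/proc/mounts` instead of the sample variables.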