On Tue, Oct 24, 2017 at 06:36:38PM +0200, Göran Uddeborg wrote:
> Hello,
>
> Could anyone advise on how to make SELinux run on a diskless client
> with NFS root?
>
> It is a Fedora 26 system. I'm mounting with NFS flags to enable
> SELinux labels.
>
> ... root=nfs4:mimmi:/remote/pluto,seclabel,vers=4.2 rootfstype=nfs4
> rootflags=seclabel,vers=4.2 ...
>
> (I guess I'm duplicating things here. Google has found different
> suggestions in different places. I've added all of them for now.)
>
> Listing directories after the system comes up shows all labels as
> expected. For example
>
> [goeran@pluto ~]$ ls -lZ /usr/lib/systemd/systemd
> -rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 1183248 27 jun 23.49 /usr/lib/systemd/systemd
>
> But the processes don't wind up in the correct domains. Process 1
> remains in kernel_t. A lot of other processes too, but I guess the
> underlying reason is process 1.
>
> [goeran@pluto ~]$ ps -Zp 1
> LABEL                         PID TTY      TIME     CMD
> system_u:system_r:kernel_t:s0   1 ?        00:00:24 systemd
>
> The only exception is when I log in via SSH. Those processes wind up
> in the unconfined_t domain. SSHD seems to still do the right thing,
> and from there it appears to work. E.g. if I start a dbus-daemon in
> the SSH session, it runs in unconfined_dbusd_t.
>
> I run this system in permissive mode, so things do work. But I
> naturally do get a lot of AVCs. Of course, I would prefer to make
> SELinux enforcing if possible.
>
> Does anyone have any tips? I'd be interested in your setup if it's possible.

I was able to boot only to a system with nfs_t labels everywhere. It seems to be a result of how and when dracut mounts /sysroot. At that moment the SELinux policy is not loaded yet, so the filesystem is mounted without 'seclabel', and dracut doesn't remount it after the policy is loaded.
As a workaround, I appended rd.break to the kernel command line and ran the following steps in the dracut shell, which could probably be transformed into a dracut module:

switch_root:/# umount /sysroot/var/lib/nfs/rpc_pipefs
switch_root:/# chroot /sysroot load_policy -i
switch_root:/# umount /sysroot/sys/fs/selinux
switch_root:/# umount /sysroot/sys
switch_root:/# umount /sysroot/
switch_root:/# mount -v -o v4.2 192.168.170.1:/export/root/rawhide /sysroot
switch_root:/# mount | grep sysroot
192.168.170.1:/export/root/rawhide on /sysroot type nfs4 (rw,relatime,seclabel,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.170.161,local_lock=none,addr=192.168.170.1)
switch_root:/# exit

And after the system finished booting, everything looks correct.

# ps axZ | grep systemd
system_u:system_r:init_t:s0                         1 ?    Ss   0:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 25
system_u:system_r:syslogd_t:s0                    670 ?    Ss   0:00 /usr/lib/systemd/systemd-journald
system_u:system_r:udev_t:s0-s0:c0.c1023           699 ?    Ss   0:00 /usr/lib/systemd/systemd-udevd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023   789 ?    Ssl  0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
system_u:system_r:systemd_logind_t:s0            1046 ?    Ss   0:00 /usr/lib/systemd/systemd-logind
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1087 ? Ss 0:00 /usr/lib/systemd/systemd --user --log-level=debug

Petr
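Petr's rd.break steps turned into a dracut pre-pivot hook, as an added example that is neither from this thread nor from dracut itself. It assumes dracut's NEWROOT variable points at /sysroot, that util-linux umount -R and chroot are available in the initramfs, and that a hypothetical custom dracut module installs the script into /lib/dracut/hooks/pre-pivot/:

```shell
#!/bin/sh
# Hypothetical dracut pre-pivot hook (assumed to be installed by a custom
# module). Detects an NFS root that was mounted before the SELinux policy
# existed, loads the policy from it, and mounts the root again so the
# kernel negotiates security labels instead of labeling everything nfs_t.

# Print "<source> <fstype> <options>" for MOUNTPOINT as listed in
# MOUNTS_FILE (normally /proc/self/mounts); fail if it is not mounted.
mount_entry() {
    mounts_file=$1 mountpoint=$2
    while read -r src tgt fstype opts rest; do
        if [ "$tgt" = "$mountpoint" ]; then
            printf '%s %s %s\n' "$src" "$fstype" "$opts"
            return 0
        fi
    done < "$mounts_file"
    return 1
}

# True (exit 0) when MOUNTPOINT is an NFS mount whose option list lacks
# "seclabel": the state from the thread, where labels are unusable.
needs_seclabel_remount() {
    entry=$(mount_entry "$1" "$2") || return 1
    set -- $entry
    case "$2" in nfs|nfs4) ;; *) return 1 ;; esac
    case ",$3," in *,seclabel,*) return 1 ;; esac
    return 0
}

# The workaround itself: load policy from the root, then drop the root
# mount (and rpc_pipefs, sys, ... beneath it) and mount it the same way.
remount_nfsroot_with_seclabel() {
    root=${NEWROOT:-/sysroot}
    needs_seclabel_remount /proc/self/mounts "$root" || return 0
    entry=$(mount_entry /proc/self/mounts "$root")
    set -- $entry
    src=$1 fstype=$2 opts=$3
    # load_policy -i mounts selinuxfs at /sys/fs/selinux inside the chroot,
    # so sysfs must be visible there (matches the umounts in the thread)
    mount_entry /proc/self/mounts "$root/sys" > /dev/null || mount --bind /sys "$root/sys"
    chroot "$root" /usr/sbin/load_policy -i || return 1
    umount -R "$root" || return 1
    mount -t "$fstype" -o "$opts" "$src" "$root"
}

# Only act inside the initramfs; elsewhere this file just defines functions.
if [ -n "$NEWROOT" ] && [ -d "$NEWROOT" ]; then
    remount_nfsroot_with_seclabel
fi
```

The options are taken from the kernel's own view of the mount, so the second mount request repeats the same vers=, sec= and address options the first one negotiated.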