Petr Lautrbach:
> I'd be interested in your setup if it's possible.

Sure! But first, thanks for your input! I'll study it further.

"Setup" is a bit vague, so I'll try to include what I can think of. Let me know if you think of something I forgot.

On the server (mimmi) side, I export /remote/pluto to become the root of the client (pluto). In order to work around the problem described in https://bugzilla.redhat.com/show_bug.cgi?id=1480848 I also export the directory above, /remote.

Excerpt from /etc/exports:

    /remote pluto(rw,sync,no_root_squash,security_label)
    /remote/pluto pluto(rw,sync,no_root_squash,security_label)
    /var 172.17.0.0/18(rw,sync,no_root_squash,security_label)
    /var/lib/TV pluto(rw,sync,security_label)
    ...

On the client, I mount root and /var/lib/TV in /etc/fstab. (Since root is mounted earlier, I guess only the latter really matters.)

    mimmi:/remote/pluto / nfs defaults,seclabel,vers=4.2 0 0
    mimmi:/var/lib/TV /var/lib/TV nfs defaults,seclabel,vers=4.2,comment=systemd.automount 0 0

On the boot line I add some additional parameters, as mentioned previously. The complete line looks like this, taken from /var/lib/tftpboot/pxelinux.cfg/AC110005 on the server. I don't know how much of it actually is needed.

    label Current
    kernel vmlinuz-4.12.14-300.fc26.x86_64
    append initrd=initramfs-4.12.14-300.fc26.x86_64.img root=nfs4:mimmi:/remote/pluto,seclabel,vers=4.2 rootfstype=nfs4 rootflags=seclabel,vers=4.2 rd.nfs.domain=uddeborg rw acpi_enforce_resources=lax LANG=sv_SE.UTF-8 vconsole.font=latarcyrheb-sun16 vconsole.keymap=sv-latin1 loglevel=8 drm_kms_helper.edid_firmware=VGA-1:edid/Philips-TV.bin

It doesn't seem possible to SET the labels over NFS, even when they can be seen. That is something dracut tries to do when building the initramfs. For that reason, I tell dracut to use /tmp instead of the default /var/tmp, as /tmp is a local tmpfs file system where labels can be set.

From /etc/dracut.conf.d/fs-etiketter.conf:

    tmpdir="/tmp"

That is what I can think of as relevant parts of the setup. It results in a system that comes up with visible SELinux labels on the files. But as I mentioned, most processes run in the kernel_t domain.

It is interesting you got it to work. My understanding of dracut and all its modules isn't exactly clear. I'll look closer at what you did and see if I can understand what makes this work, and why it is different when booting from NFS compared to when booting from a local disk.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
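The exports excerpt in the message above is the kind of file worth auditing on a labeled-NFS server: an export that lacks `security_label` will not hand per-file SELinux contexts to a v4.2 client, and `no_root_squash` (needed for an NFS root, but still worth seeing listed) gives client root the server's root. The following parser and checker is an added example, not code from the thread or from any project; the sample exports text is constructed from the excerpt above plus one deliberately weak line.

```python
import re
import shlex

# Constructed sample: the four lines from the message plus a weak export.
SAMPLE_EXPORTS = """\
/remote pluto(rw,sync,no_root_squash,security_label)
/remote/pluto pluto(rw,sync,no_root_squash,security_label)
/var 172.17.0.0/18(rw,sync,no_root_squash,security_label)
/var/lib/TV pluto(rw,sync,security_label)
# constructed weak line: world-writable and unlabeled
/srv/shared *(rw,sync)
"""

# exports(5): a client spec is "host" or "host(opt,opt,...)" with no spaces.
ENTRY_RE = re.compile(r"^(?P<client>[^(]+)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return (path, client, [options]) for every client spec in the file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = shlex.split(line)               # honours quoted paths
        path, clients = fields[0], fields[1:]
        for spec in clients:
            m = ENTRY_RE.match(spec)
            if m is None:
                raise ValueError(f"malformed client spec: {spec!r}")
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            entries.append((path, m.group("client"), opts))
    return entries


def audit_exports(text):
    """Return (path, client, finding) tuples for settings a reviewer should see."""
    findings = []
    for path, client, opts in parse_exports(text):
        if "security_label" not in opts:
            findings.append((path, client,
                             "security_label missing: v4.2 clients will not see per-file SELinux labels"))
        if "no_root_squash" in opts:
            findings.append((path, client,
                             "no_root_squash: client root acts as server root on this export"))
        if client == "*" and "rw" in opts:
            findings.append((path, client, "rw export to every host"))
    return findings


if __name__ == "__main__":
    for path, client, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client}]: {msg}")
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`; the `no_root_squash` findings on the root export are expected for a diskless client and are listed so they are reviewed, not removed blindly.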