On Mon, Jan 16, 2012 at 09:46:58AM -0500, Daniel J Walsh wrote:
> In RHEL and Fedora, we relabel the parts of /dev that are created in
> the initramfs and restart udev so it is a child of init/systemd.

When do you relabel them?

When I call setfiles before the load_policy, I get an 'Operation not supported' on /dev, as if it were a kernel that doesn't support extended attributes on tmpfs (which isn't the case). Trying to call it afterwards doesn't work, since the kernel_t domain doesn't allow relabeling (I think; output is also missing since /dev/console is wrongly labeled).

I'm quite close to having support for both putting the policy in the initramfs itself (and calling load_policy as one of the first things done in the initramfs environment) and supporting booting in permissive mode with a switch to enforcing which can't be undone afterwards (the goal is to boot in enforcing).

The first option probably allows for such a sane boot but requires the policy to be in the initramfs. The other one allows us to boot properly and I just toggle "setenforce 1" with the secure_mode_policyload boolean enabled afterwards.

But both sound hackish - if I could only understand why I can't use setfiles on /dev before calling load_policy...

Wkr,
Sven Vermeulen