On 01/07/2016 05:38 PM, Andrew Ruch wrote:
> On Thu, Jan 7, 2016 at 3:21 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>
>> On 01/07/2016 04:48 PM, Andrew Ruch wrote:
>>> Hello,
>>>
>>> I'm researching deploying a diskless system that would use PXE boot and
>>> NFS for its storage. I believe this capability has been proven and
>>> have no issues here. The tricky part is this system must also have
>>> Mandatory Access Control. I thought RHEL 7.2 was the answer due to
>>> its support of labeled NFS. However, Red Hat just told me that having
>>> an SELinux-labeled, remote root partition is unsupported. What wasn't
>>> clear was if the problem was in RHEL or something upstream.
>>>
>>> Does the kernel support a labeled, remote root partition? If so, which
>>> distributions support this?
>>>
>>>
>>> Thanks,
>>> Andrew Ruch
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@xxxxxxxxxxxxx
>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>>>
>>>
>> I just think no one has ever tried this. If the remote system is set up
>> with NFS labeling, theoretically this should work.
>>
>> RHEL 7 is not the only distribution that supports labeled networking on
>> the server and client, to the best of my knowledge.
>>
>> Not sure if NetApp or EMC support it yet.
>
> Hmmm... Red Hat Support referred me to an installation guide [1] at
> the very bottom of section 2.2. It says that SELinux must be disabled
> for diskless clients that use NFS as the root file system. I'm not
> trying to use RHEL for Real Time so I'll do some experimenting to see
> what I can figure out.
>
> Thanks,
> Andrew
>
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_for_Real_Time/7/html/Installation_Guide/Installing_Real_Time_Using_Diskless_Boot.html
>

Right, because in most cases NFS will not support labels. This probably
should be changed to say it is not supported unless you set up labeled
networking on client/server (and it actually works). If you prove that
it can work, I can work to get the Support statement changed.