Hello SELinux Devs. Long story short - currently trying to create custom dracut initramfs on fedora 30 to prepare root mount, that requires creating/moving/copying files between filesystems. As a result, with enabled SELinux, system ends up with unlabeled_t edited files. After investigating a bit with rd.break, I found that none of the utilities like "cp -Z" or "ls -Z" or "tar --selinux" working as expected. First of I thought - missing libraries, maybe, so strace/ldd on a working system and inside initramfs to compare, and all required files were there, then rd.break with selinux=0 kernel boot option, and everything working as expected, also, I tried load_policy inside initramfs, which also gives me expected result - correct SELinux labels after file-management inside initramfs. So my question is - what exactly prevents user to view/edit SElinux context, for example with getfattr/setfattr/ls-Z/tar--selinux, between "kernel: SELinux: Initializing" and "load_policy" boot stages? Is it a protection feature, and what I'm trying to achieve is a bad security design - edit labels inside initramfs, or there is some tweak I don't know about. Right now it is reproducible with Fedora-Workstation-Live-x86_64-30-1.2.iso: - rd.break -> ls -Z /sysroot/ == ?? || tar -xpzf --selinux == operation not supported - rd.break selinux=0 -> normal behavior Found previous discussion subjects like: - [PATCH v2 14/15] selinux: allow setxattr on rootfs so initramfs code can set them] - [PATCH v2 15/15] selinux: delay sid population for rootfs till init is complete - overlayfs+selinux error: OPNOTSUPP - SELinux with initramfs - Where does linux kernel call initial policy load - "star -xattr" in SELinux enabled system But some of them are quite outdated, so it would be really helpful to get fresh tips from someone who sees the full picture. Thank you for your time.
