On Fri, Oct 23, 2020 at 12:02 PM Ian M <merinian@xxxxxxxxx> wrote:
>
> Hello,
>
> I hope this is the right list for this question:
>
> I've got an embedded system that uses its initramfs as its root filesystem as well. At boot, after the selinux policy loads, everything on the rootfs is incorrectly labeled as system_u:object_r:root_t. I have temporarily worked around this by adding a restorecon on the rootfs at boot, but since the rootfs is a ramdisk the changes do not survive a system reboot.
>
> I may be incorrect, but my understanding (assumption?) is that the labels would be applied when the policy is loaded at boot. So I cannot understand why the labels are always incorrect.
>

Filesystem labels are not applied when the policy is labeled. On filesystems that support xattrs, a fs_use_xattr rule is used to tell SELinux to use the label stored in the security.selinux xattrs, but the filesystem will still have to be labeled initially. If the fs does not support xattrs and every file can be labeled the same, then a genfscon rule can be used.

I am not sure of your exact case, but you can find more information in the SELinux Notebook - See https://github.com/SELinuxProject/selinux-notebook

Jim

>
> Thanks,
>
> Ian
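To make the distinction Jim draws concrete, here is an added helper (not part of the thread, and not from the SELinux project) that reads a small policy fragment and reports whether a given filesystem type is labeled per file through security.selinux xattrs (fs_use_xattr) or given one fixed context by a genfscon rule. The policy lines are constructed for illustration, in the plain policy.conf form rather than the gen_context() macro form used in policy sources.

```shell
#!/bin/sh
# Added example: classify how SELinux labels files on a filesystem type, based on
# the fs_use_xattr / genfscon rules in a policy fragment.
# POLICY_SAMPLE is constructed for this example; check your own policy with
# `seinfo --fs_use` and `seinfo --genfs` (setools) rather than relying on it.
POLICY_SAMPLE='
fs_use_xattr ext4 system_u:object_r:fs_t:s0;
fs_use_xattr xfs system_u:object_r:fs_t:s0;
genfscon rootfs / system_u:object_r:root_t:s0
genfscon proc / system_u:object_r:proc_t:s0
'

# labeling_mode FSTYPE
#   prints "xattr"              -> per-file labels from security.selinux xattrs;
#                                  the fs must be labeled once (setfiles/restorecon)
#   prints "genfscon <context>" -> every file gets this one context, no xattrs read
#   prints "unlabeled"          -> no rule matched
labeling_mode() {
    fstype=$1
    if printf '%s\n' "$POLICY_SAMPLE" |
        grep -Eq "^fs_use_xattr[[:space:]]+${fstype}[[:space:]]"; then
        echo xattr
        return 0
    fi
    # Only root-of-filesystem genfscon rules ("/") are considered here.
    ctx=$(printf '%s\n' "$POLICY_SAMPLE" |
        awk -v fs="$fstype" '$1 == "genfscon" && $2 == fs && $3 == "/" { print $4; exit }')
    if [ -n "$ctx" ]; then
        echo "genfscon $ctx"
        return 0
    fi
    echo unlabeled
    return 0
}

# Stand-alone usage: report the mode for a few filesystem types.
for fs in ext4 rootfs proc tmpfs; do
    printf '%-7s %s\n' "$fs" "$(labeling_mode "$fs")"
done
```

A filesystem reported as "xattr" keeps whatever labels were written into its security.selinux xattrs, so for an image built offline the labeling step belongs in the image build; a "genfscon" filesystem cannot carry per-file labels at all.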