On Sun, Jan 01, 2012 at 03:21:47PM -0500, Olivier Crête wrote:
> > I use a separate /usr with LVM on all my systems. My root partition uses
> > RAID1. And I never had the need for an initramfs of any kind. Also, there
> > are some major hurdles to take when it comes to getting an initramfs working
> > with SELinux. Most initramfs implementations I saw are not SELinux aware, so
> > all changes they make to the system either result in failures when they try,
> > or failures when the root-switch occurs.
>
> dracut fully supports SELinux (it's used in Fedora which has this
> SELinux horror on by default).

Yes... but no. Fedora uses SELinux but using a policy where most domains run unconfined (meaning they're allowed to do almost anything) and mostly the network-facing services are confined.

I just got dracut working on a SELinux system here (took me a few hours to compile a SELinux domain for dracut, because the application doesn't work with the standard privileges of an administrator) and it boots up (up to and including "dracut: Switching root") until SELinux is activated. From that point onwards, it's dead since it's using wrong labels and wrong context.

It is SELinux-aware (it mounts the selinuxfs and such) but I think I'll need to edit the /usr/lib/dracut/* stuff to get it to boot up properly on a SELinux system that doesn't use unconfined domains...

I'll try to get it working the next few days. Once (or when) it does, I'll submit the necessary patches to wherever is necessary.

Wkr,
Sven Vermeulen