Created attachment 503096 [details] Screenshot

I have installed and configured Gentoo Linux with SELinux in enforcing mode. All the contexts are correctly relabelled. But it is impossible to boot in enforcing mode because the initramfs is not SELinux aware. It creates /dev and /run. When the new root is mounted and "switch_root" is run, the SELinux policy is loaded and prevents openrc/init from working with /run and /dev, because the filesystems have wrong contexts. From the screenshot you can see denials for the files /dev/console, /dev/ptmx and /run/utmp. After that the system is impossible to boot.
Which initramfs do you use? genkernel works fine for me. It looks like you have a wrong label on /run or /dev. Does your initramfs mount /run for you? Do you have /run in your fstab with the rootcontext= option?
> which initramfs do you use?

genkernel-next

> does your initramfs mount /run for you?

YES. I tried to run the OS with the "debug" kernel parameter, which gives me a shell right before switch_root. I can see mounted /newroot/dev and /newroot/run.

> do you have /run in your fstab with the rootcontext= option?

No, because I get an error if such a mountpoint exists in fstab: remounting /run or /dev with a changed security context is not allowed on a mounted FS.
(In reply to Alexander Miroshnichenko from comment #2)
> > which initramfs do you use?
> genkernel-next

Ah right, yeah, genkernel-next doesn't work right with selinux. Can you switch to regular genkernel? IIRC genkernel-next is aiming to go away eventually, so there should be no harm in switching anyway.
Hi, I can not migrate to genkernel, because it does not support LVM THIN and uses an old LVM version source package. I have written a patch which unmounts /run before switch_root if SELinux is enabled. Put the patch in /etc/portage/patches/sys-kernel/genkernel-next/ and re-emerge genkernel-next. It works for me.
Created attachment 504570 [details, diff] Genkernel-next unmount /run if selinux enabled patch
I just tried out dracut again and added a fix to openrc itself; can you try this instead: in /lib/rc/sh/init.sh around line 86, the checkpath's already exist, add the restorecon line:

    [ -x /sbin/restorecon ] && /sbin/restorecon -rFv /run
    checkpath -d $RC_SVCDIR
    checkpath -d -m 0775 -o root:uucp /run/lock

If it works for you I'll add it to openrc for the next version.
> If it works for you i'll add it to openrc for the next version

It helps me with genkernel-next and dracut. But I added /dev/console too as a restorecon target to see the boot process. So, the resulting line is:

    [ -x /sbin/restorecon ] && /sbin/restorecon -rFv /dev/console /run

Thank you!
(In reply to Alexander Miroshnichenko from comment #7)
> > If it works for you i'll add it to openrc for the next version
>
> It helps me with genkernel-next and dracut. But I add /dev/console too for
> restorecon target to see boot process.

Huh. dracut appears to work for me without restorecon'ing /dev/console. Any chance you can post the AVCs? What exactly happens without it? init_t and initrc_t both have rw perms on the plain device_t, so it should work even if it's not restorecon'd that early. And the later devfs openrc init script does relabel all of /dev. It happens pretty early (obviously not as early as init.sh tho).
Created attachment 515342 [details] Boot process with /dev/console wrong permissions
Created attachment 515344 [details] Boot process with /dev/console correct permissions (context)
I have added two screenshots:

1. [ -x /sbin/restorecon ] && /sbin/restorecon -rFv /run
2. [ -x /sbin/restorecon ] && /sbin/restorecon -rFv /dev/console /run
As you can see, there is nothing displayed until entering runlevel 3 if /dev/console has wrong permissions.

    # eselect rc show sysinit
    Status of init scripts in runlevel "sysinit"
    devfs                 [started]
    dmesg                 [started]
    kmod-static-nodes     [started]
    opentmpfiles-dev      [stopped]
    sysfs                 [started]
    udev                  [started]
    udev-trigger          [started]
(In reply to Alexander Miroshnichenko from comment #12)
> As you can see there nothing displayed until entering runlevel 3 if
> /dev/console have wrong permissions.

Haha, I may have actually just never noticed that. But those screenshots make it pretty clear. I'll add /dev/console too :)
Actually I think the restorecon of the console would be better off in /lib/rc/sh/init-early.sh, since that script runs first and has parts that echo to the console to set the font and such; the restorecon -F /dev/console should probably go before anything there.
These are in OpenRC-0.35 now:

https://github.com/OpenRC/openrc/commit/5bb6f9aa318a6d0507971b74d88c3fd2803bae4b
https://github.com/OpenRC/openrc/commit/1ab8541a6ccb9d72c6faeaf2d616fc49f6cdfaf6
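The thread describes two places where the mislabelled /run and /dev/console can be handled: the initramfs side (the genkernel-next patch in comment 5, which unmounts /run before switch_root when SELinux is active) and the OpenRC side (the restorecon line added to init.sh / init-early.sh). The following is an added example, not code from the bug, from genkernel-next or from OpenRC: it models both steps as POSIX sh functions whose external dependencies (the selinuxfs path, the umount and restorecon binaries, the staging root) are variables, so the logic can be exercised with mock commands on a machine without SELinux. The defaults /sys/fs/selinux, /sbin/restorecon and /newroot are assumptions based on the paths named in the thread.

```shell
#!/bin/sh
# Added example: early-boot SELinux relabel logic modelled after the fixes
# discussed in this bug. Not the project's own code.
#
# Overridable assumptions (labelled): the selinuxfs mount point, the umount
# and restorecon binaries, and the initramfs staging root for the new rootfs.
SELINUX_FS="${SELINUX_FS:-/sys/fs/selinux}"
RESTORECON="${RESTORECON:-/sbin/restorecon}"
UMOUNT="${UMOUNT:-umount}"
NEWROOT="${NEWROOT:-/newroot}"

# Returns 0 when the running kernel has SELinux active. selinuxfs exposes an
# "enforce" node (0 = permissive, 1 = enforcing); in both modes the policy
# labels files, so either counts as "enabled" for relabelling purposes.
selinux_enabled() {
    [ -r "$SELINUX_FS/enforce" ]
}

# Initramfs side: drop the /run tmpfs that the initramfs created before the
# policy was loaded, so that init mounts a fresh, correctly labelled one
# instead of inheriting unlabelled files. Fails (returns 1) if umount fails,
# so the caller can decide whether to continue to switch_root.
initramfs_prepare_switch_root() {
    if selinux_enabled; then
        "$UMOUNT" "$NEWROOT/run" || return 1
        echo "unmounted $NEWROOT/run (SELinux active)"
    else
        echo "SELinux inactive, leaving $NEWROOT/run mounted"
    fi
    return 0
}

# OpenRC side: relabel the paths created before policy load, default
# /dev/console and /run, using the same guarded restorecon call as the thread
# (-r recursive, -F force even if the type already matches, -v verbose).
# Skips quietly when restorecon is not installed so non-SELinux boots are
# unaffected. Extra paths may be passed as arguments.
openrc_early_relabel() {
    paths="${*:-/dev/console /run}"
    if [ -x "$RESTORECON" ]; then
        # shellcheck disable=SC2086  # word splitting of $paths is intended
        "$RESTORECON" -rFv $paths
    else
        echo "restorecon not available, skipping relabel of $paths"
    fi
}

# Usage in an initramfs, just before handing over to the real init:
#   initramfs_prepare_switch_root && exec switch_root "$NEWROOT" /sbin/init
# Usage in an OpenRC early init script, before anything echoes to the console:
#   openrc_early_relabel
```

The relabel of /dev/console before any console output matters for the reason shown in the screenshots: with the wrong label on the console device, nothing is displayed until the devfs service relabels /dev, so a boot failure in sysinit is invisible.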