Proposed F19 Feature: Dracut HostOnly

Harald Hoyer harald.hoyer at gmail.com
Fri Feb 1 10:34:40 UTC 2013


On 29.01.2013 19:28, Daniel J Walsh wrote:
> On 01/29/2013 11:20 AM, John Reiser wrote:
>>>>> A generic fallback image should be installed by anaconda on
>>>>> installation/update and never ever be removed.
> 
>>> Also, fallback has interesting security properties…
> 
> 
>> "Rescue mode" forces a SELinux relabel at the next boot, and relabel can
>> take a very long time.
> 
>> How does "fallback mode" handle this, particularly if there have been 
>> updates to SELinux policy after the fallback was created?
> 
> The reason for this is we do not know what files were created on the system
> while SELinux was disabled (Policy Not Loaded).  If you know you did not
> create files on the system you could remove the /.autorelabel file and boot
> without a relabel.
> 

The "rescue" initramfs carries just more kernel drivers to cope with different
HW and will also have more debug tools, if you really really screwed up your
real root. Nothing security fancy here, besides that you might want to password
protect this entry, either via grub or via including /etc/passwd with a rescue
root password in the initramfs.

