On Tue, Oct 24, 2017 at 06:36:38PM +0200, Göran Uddeborg wrote:
> Hello,
> Could anyone advise on how to make SELinux run on a diskless client with NFS root?
> It is a Fedora 26 system. I'm mounting with NFS flags to enable SELinux labels.
>     ... root=nfs4:mimmi:/remote/pluto,seclabel,vers=4.2 rootfstype=nfs4 rootflags=seclabel,vers=4.2 ...
> (I guess I'm duplicating things here. Google has found different suggestions in different places. I've added all of them for now.)
> Listing directories after the system comes up shows all labels as expected. For example
>     [goeran@pluto ~]$ ls -lZ /usr/lib/systemd/systemd
>     -rwxr-xr-x. 1 root root system_u:object_r:init_exec_t:s0 1183248 27 jun 23.49 /usr/lib/systemd/systemd
> But the processes don't wind up in the correct domains. Process 1 remains in kernel_t. A lot of other processes too, but I guess the underlying reason is process 1.
>     [goeran@pluto ~]$ ps -Zp 1
>     LABEL                          PID TTY          TIME CMD
>     system_u:system_r:kernel_t:s0    1 ?        00:00:24 systemd
> The only exception is when I log in via SSH. Those processes wind up in the unconfined_t domain. SSHD seems to still do the right thing, and from there it appears to work. E.g. if I start a dbus-daemon in the SSH session, it runs in unconfined_dbusd_t.
> I run this system in permissive mode, so things do work. But I naturally do get a lot of AVCs. Of course, I would prefer to make SELinux enforcing if possible.
> Does anyone have any tips?
I'd be interested in your setup if it's possible.
I was able to boot only to a system with nfs_t labels everywhere. It seems to be a result of how and when dracut mounts /sysroot. At that moment, SELinux policy is not loaded yet and a filesystem is mounted without 'seclabel' and it doesn't remount it after the policy is loaded.
As a workaround, I appended rd.break to the kernel command line and ran the following steps in the dracut shell, which could probably be transformed into a dracut module:
    switch_root:/# umount /sysroot/var/lib/nfs/rpc_pipefs
    switch_root:/# chroot /sysroot load_policy -i
    switch_root:/# umount /sysroot/sys/fs/selinux
    switch_root:/# umount /sysroot/sys
    switch_root:/# umount /sysroot/
    switch_root:/# mount -v -o v4.2 192.168.170.1:/export/root/rawhide /sysroot
    switch_root:/# mount | grep sysroot
    192.168.170.1:/export/root/rawhide on /sysroot type nfs4 (rw,relatime,seclabel,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.170.161,local_lock=none,addr=192.168.170.1)
    switch_root:/# exit
And after the system finished booting, everything looks correct.
    # ps axZ | grep systemd
    system_u:system_r:init_t:s0                          1 ?  Ss   0:01 /usr/lib/systemd/systemd --switched-root --system --deserialize 25
    system_u:system_r:syslogd_t:s0                     670 ?  Ss   0:00 /usr/lib/systemd/systemd-journald
    system_u:system_r:udev_t:s0-s0:c0.c1023            699 ?  Ss   0:00 /usr/lib/systemd/systemd-udevd
    system_u:system_r:system_dbusd_t:s0-s0:c0.c1023    789 ?  Ssl  0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
    system_u:system_r:systemd_logind_t:s0             1046 ?  Ss   0:00 /usr/lib/systemd/systemd-logind
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1087 ?  Ss   0:00 /usr/lib/systemd/systemd --user --log-level=debug
Petr
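Editor's note: the following script is an added example, not code from the thread or from the dracut project. It turns Petr's manual rd.break sequence into a dracut hook of the kind his message suggests: check whether /sysroot was mounted before the policy was loaded (no 'seclabel' in its mount options), load the policy from inside the root, then unmount and mount it again so the kernel attaches the label support. Assumptions that are mine rather than the thread's: the NFS root is given on the kernel command line as root=nfs4:SERVER:/EXPORT[,opts] (the form Göran used), dracut has already mounted it at /sysroot, load_policy lives at /sysroot/usr/sbin/load_policy, and the hook runs as a pre-pivot script. The two /proc/mounts lines used for self-checking are constructed from the mount output in Petr's message.

```shell
#!/bin/sh
# Added example (not from the thread): dracut pre-pivot hook that repeats the
# manual rd.break steps so an NFSv4.2 root ends up mounted with 'seclabel'.
# Assumed layout: /sysroot already mounted by dracut, policy loadable via
# /sysroot/usr/sbin/load_policy, root=nfs4:SERVER:/EXPORT on the cmdline.

# Extract SERVER:/EXPORT from a root=nfs4:... or root=nfs:... argument,
# dropping any trailing ,seclabel,vers=... options.
nfs_root_spec() {
    spec=${1#root=}
    spec=${spec#nfs4:}
    spec=${spec#nfs:}
    printf '%s\n' "${spec%%,*}"
}

# Read /proc/mounts text on stdin; succeed only if mountpoint $1 carries the
# 'seclabel' option (i.e. the kernel is labelling inodes on that filesystem).
mount_has_seclabel() {
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "seclabel") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample lines in /proc/mounts format, mirroring the mount output
# in the thread: before the fix (no seclabel) and after it.
SAMPLE_MOUNTS_UNLABELED='192.168.170.1:/export/root/rawhide /sysroot nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576 0 0'
SAMPLE_MOUNTS_LABELED='192.168.170.1:/export/root/rawhide /sysroot nfs4 rw,relatime,seclabel,vers=4.2,rsize=1048576,wsize=1048576 0 0'

# The remount sequence itself; only meaningful inside the initramfs.
relabel_nfs_root() {
    server_export=$1
    # rpc_pipefs sits below the new root; drop it before /sysroot can go away.
    umount /sysroot/var/lib/nfs/rpc_pipefs 2>/dev/null || true
    # Load the target system's own policy from inside the root, so that the
    # next mount happens with a policy present and gets labelled.
    chroot /sysroot /usr/sbin/load_policy -i || return 1
    # Release selinuxfs and sysfs that are mounted under the chroot.
    umount /sysroot/sys/fs/selinux 2>/dev/null || true
    umount /sysroot/sys 2>/dev/null || true
    umount /sysroot || return 1
    # vers=4.2 is required: label support is an NFSv4.2 feature.
    mount -t nfs4 -o vers=4.2 "$server_export" /sysroot || return 1
    # Verify the result instead of assuming it.
    mount_has_seclabel /sysroot < /proc/mounts
}

# Hook entry point: act only when /sysroot is an NFS mount lacking seclabel
# and a policy can actually be loaded from it; elsewhere this is a no-op.
if [ -x /sysroot/usr/sbin/load_policy ] \
   && grep -qs ' /sysroot nfs' /proc/mounts \
   && ! mount_has_seclabel /sysroot < /proc/mounts; then
    for arg in $(cat /proc/cmdline); do
        case $arg in
            root=nfs*) relabel_nfs_root "$(nfs_root_spec "$arg")" ;;
        esac
    done
fi
```

Installed as a pre-pivot hook (for example via a small dracut module that calls inst_hook pre-pivot with this file), the script does nothing on a system whose root already shows 'seclabel', and on a root mounted before the policy was loaded it performs the same unmount, load_policy and mount sequence Petr typed by hand, then confirms the option is present before switch_root runs. The mount option spelled vers=4.2 is used here in place of the v4.2 shorthand from the thread; both select NFSv4.2.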