With the upcoming udev version not supporting a separate /usr unless you boot with an initramfs, we are going to document how to create an initramfs to boot with. After all, systems with a separate /usr are not that uncommon.
As I've blogged about before, getting an initramfs to work well with SELinux has not been easy. In effect, I'm going to push out the FAQ entry (Gentoo already has it) saying that the user will need to boot in permissive mode and have an init script in the boot runlevel that resets the file contexts of /dev and then switches to enforcing mode. Those that want to make sure SELinux stays on can then also enable the secure_mode_policyload SELinux boolean so that you cannot go back to permissive mode (without rebooting); note that the same boolean also blocks policy reloads and further boolean changes until the next reboot, so enable it last.
For those interested, this is the init script I use on my guest systems (which are for development purposes, so they do not toggle the SELinux boolean):
#!/sbin/runscript
# Copyright (c) 2007-2009 Roy Marples
# Released under the 2-clause BSD license.

description="Switch into SELinux enforcing mode"

start() {
	ebegin "Restoring file contexts in /dev"
	restorecon -R /dev
	eend $? || return 1
	ebegin "Switching to enforcing mode"
	setenforce 1
	eend $?
}
I call it selinux_enforce for lack of imagination (and to make it more clear, because if I'd named it "wookie" I'd be scratching my head in a few weeks trying to figure out why I did that in the first place).
With that enabled, I cannot provide a "denial-free" boot-up anymore
(you'll see many denials from the
init_t domain, amongst others, which
are best not hidden). That is to say, until I take some time to patch
the initramfs to handle SELinux.
Oh, by the way, this applies to both dracut-generated and genkernel-generated initramfs images. At least the technologies are consistent there.