Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page covers the places where the installer and SELinux collide. When this happens things can get pretty ugly as debugging failures related to SELinux can be difficult. This documentation needs to be kept up to date when changes to our design and implementation are made. This documentation is related to the last two versions of OpenXT's predecessor.

The Old

The method used to deal with SELinux specific stuff in the installer up through the older releases was a bit of a hack. This all stemmed from the belief that labeling the file systems in the installer was "the right thing to do". This mostly stemmed from the desire to make booting even on the first boot as fast as possible.

...

This approach is a bit of a pain as it requires labeling to happen immediately upon mounting specific r/w file systems. This isn't insurmountable though it does make our boot process less general. The relevant mount points and where they're labeled are:

/boot/system This system This is mounted extremely early in the boot process by the initramfs. Relabeling here isn't impossible but it's a pain. The good news is that the SELinux policy isn't loaded yet in the initramfs so we can just include the 'setfiles' utility in the initramfs to relabel /boot/system immediately after it's mounted on firstboot.

/config The config The config partition is mounted next. It could be mounted in two different places. If measured launch hasn't been activated then the xenclient-config-access init script will do the mounting. If measured launch has been configured then the init.root-ro script does the mounting after we get the crypto key from the TPM. In both of these situations the SELinux policy is already in effect so we use the restorecon utility.

/var/loglog /var/corescores /storage Both storage Both /var/log and /var/cores are mounted by the cryptdisks init script. They're not accessed till after the mountall init script is run though, so we do all remaining labeling in there. This is much like the relabeling of /config as we just use the restorecon utility on firstboot.

...