From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u08Ij2uq008318 for ; Fri, 8 Jan 2016 13:45:02 -0500
Subject: Re: Diskless system running SELinux
To: Andrew Ruch
References: <568EE4E6.6090907@redhat.com>
Cc: SELinux ML
From: Daniel J Walsh
Message-ID: <569003A0.4020605@redhat.com>
Date: Fri, 8 Jan 2016 13:44:48 -0500
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=windows-1252
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
List-Post:
List-Help:

On 01/07/2016 05:38 PM, Andrew Ruch wrote:
> On Thu, Jan 7, 2016 at 3:21 PM, Daniel J Walsh wrote:
>>
>> On 01/07/2016 04:48 PM, Andrew Ruch wrote:
>>> Hello,
>>>
>>> I'm researching deploying a diskless system that would use PXE boot and
>>> NFS for its storage. I believe this capability has been proven and
>>> have no issues here. The tricky part is this system must also have
>>> Mandatory Access Control. I thought RHEL 7.2 was the answer due to
>>> its support of labeled NFS. However, Red Hat just told me that having
>>> an SELinux-labeled, remote root partition is unsupported. What wasn't
>>> clear was if the problem was in RHEL or something upstream.
>>>
>>> Does the kernel support a labeled, remote root partition? If so, which
>>> distributions support this?
>>>
>>> Thanks,
>>> Andrew Ruch
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@tycho.nsa.gov
>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>>>
>> I just think no one has ever tried this. If the remote system is set up
>> with NFS labeling, theoretically this should work.
>>
>> Not only RHEL 7 supports labeled networking on the server and client, to
>> the best of my knowledge.
>>
>> Not sure if NetApp or EMC support it yet.
> Hmmm... Red Hat Support referred me to an installation guide [1] at
> the very bottom of section 2.2. It says that SELinux must be disabled
> for diskless clients that use NFS as the root file system. I'm not
> trying to use RHEL for Real Time, so I'll do some experimenting to see
> what I can figure out.
>
> Thanks,
> Andrew
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_for_Real_Time/7/html/Installation_Guide/Installing_Real_Time_Using_Diskless_Boot.html
>
Right, because in most cases NFS will not support labels. This probably
should be changed to say it is not supported unless you set up labeled
networking on client/server (and it actually works). If you prove that
it can work, I can work to get the support statement changed.
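The "and it actually works" part of the reply above is something a diskless client can check for itself at boot. The script below is an added example, not code from the thread or from Red Hat: it reads a /proc/self/mounts-style table and reports whether "/" is an NFS mount that carries SELinux labels. It assumes that labeled NFS needs NFS 4.2 on both ends and that, when labeling is active, the kernel lists `seclabel` among the mount options as it does for other label-capable filesystems; the sample mount tables and the 192.0.2.10 server address are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): does the root filesystem of a diskless
# client come from NFS, and does that NFS mount actually carry SELinux labels?
# ASSUMPTIONS: labeled NFS requires NFS 4.2 on client and server, and the kernel
# shows `seclabel` in the mount options of a label-capable mount.

# Classify one /proc/self/mounts line (fields: source target fstype options ...).
# Prints one of: not-nfs | nfs-old-version | nfs-unlabeled | nfs-labeled
classify_mount_line() {
    set -- $1                      # split the line into its fields
    fstype="$3"
    opts=",$4,"                    # pad so every option is comma-delimited
    case "$fstype" in
        nfs|nfs4) ;;
        *) echo not-nfs; return 0 ;;
    esac
    case "$opts" in
        *,vers=4.2,*) ;;           # labels are an NFS 4.2 feature
        *) echo nfs-old-version; return 0 ;;
    esac
    case "$opts" in
        *,seclabel,*) echo nfs-labeled ;;
        *) echo nfs-unlabeled ;;   # v4.2, but no label support negotiated
    esac
}

# Find the "/" entry in a mounts table passed as text and classify it.
# Prints not-mounted when the table has no "/" entry at all.
root_mount_status() {
    table="$1"
    status=not-mounted
    while read -r line; do
        set -- $line
        [ "$2" = "/" ] || continue
        status=$(classify_mount_line "$line")
    done <<EOF
$table
EOF
    echo "$status"
}

# Constructed sample tables (192.0.2.0/24 is the documentation address range).
LABELED_ROOT='nfsserver:/export/root / nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,sec=sys,seclabel,addr=192.0.2.10 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
UNLABELED_ROOT='nfsserver:/export/root / nfs4 rw,relatime,vers=4.1,rsize=1048576,sec=sys,addr=192.0.2.10 0 0'

# On a live client:  root_mount_status "$(cat /proc/self/mounts)"
```

A result of `nfs-labeled` only shows that the mount negotiated label support; whether the files on the export carry the expected contexts is a separate check with `ls -Z` or `getfattr -n security.selinux`.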