Minor typo in the wiki on selinux. It says to edit:
/etc/syconfig/selinux
That should be:
/etc/sysconfig/selinux
It took about 4 min on the reboot on my Cubieboard2, but of course it depends what you have added since install.
I would like to enforce selinux from the firstboot. Seems I can mount the image and make these 3 changes prior to first boot and the system would come up inititally with selinux enforced?
And looking at the fedora-arm-installer and what we would want in a centos-arm-installer, the Fedora install has to disable selinux. The Centos install would have to enforce selinux. So these edits that are in the wiki would need to be scripted and then, of course the instructions from the Fedora wiki cannot be directly brought over to the Centos wiki as we are doing the reverse of them in this case.
Which brings the question of is the resize method used in the fedora-arm-installer the same as what we would use in the centos install?
Could I specify both of switch selinux to enforce AND resize the partition in the install to take affect on firstboot?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 21/12/15 15:06, Robert Moskowitz wrote:
Minor typo in the wiki on selinux. It says to edit:
/etc/syconfig/selinux
That should be:
/etc/sysconfig/selinux
Updated, thanks
It took about 4 min on the reboot on my Cubieboard2, but of course it depends what you have added since install.
I would like to enforce selinux from the firstboot. Seems I can mount the image and make these 3 changes prior to first boot and the system would come up inititally with selinux enforced?
Yes, and our plan was to enforce that, but due to the long time needed to relabel the filesystem, we preferred to let it in permissive mode, and let the users decide if they wanted to to enforce it or not . To be clear , I'd really want to have it in enforcing in the default install, but that 5 minutes delay would be a "NO GO" for people trying CentOS Userland for the first time (and people not even reading the doc about the reason why, etc ..)
And looking at the fedora-arm-installer and what we would want in a centos-arm-installer, the Fedora install has to disable selinux. The Centos install would have to enforce selinux. So these edits that are in the wiki would need to be scripted and then, of course the instructions from the Fedora wiki cannot be directly brought over to the Centos wiki as we are doing the reverse of them in this case.
Something to think about, but if adding those 5 minutes would still be needed, then I'd say that we'd stick with current policy : permissive and people can switch to enforcing with a complete relabel
Which brings the question of is the resize method used in the fedora-arm-installer the same as what we would use in the centos install?
Could I specify both of switch selinux to enforce AND resize the partition in the install to take affect on firstboot?
- From my initial tests in the past, yes, you can : it will reboot anyway, but I don't remember which one will be done first (have to verify which one is started first : relabeling or autoresize)
PS : I'm in a kind of "offline" mode those two weeks, reason why I'll be slow to react, but hopefully back at full steam soon :-)
- -- Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab
On 12/23/2015 04:50 AM, Fabian Arrotin wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 21/12/15 15:06, Robert Moskowitz wrote:
Minor typo in the wiki on selinux. It says to edit:
/etc/syconfig/selinux
That should be:
/etc/sysconfig/selinux
Updated, thanks
It took about 4 min on the reboot on my Cubieboard2, but of course it depends what you have added since install.
I would like to enforce selinux from the firstboot. Seems I can mount the image and make these 3 changes prior to first boot and the system would come up inititally with selinux enforced?
Yes, and our plan was to enforce that, but due to the long time needed to relabel the filesystem, we preferred to let it in permissive mode, and let the users decide if they wanted to to enforce it or not . To be clear , I'd really want to have it in enforcing in the default install, but that 5 minutes delay would be a "NO GO" for people trying CentOS Userland for the first time (and people not even reading the doc about the reason why, etc ..)
And looking at the fedora-arm-installer and what we would want in a centos-arm-installer, the Fedora install has to disable selinux. The Centos install would have to enforce selinux. So these edits that are in the wiki would need to be scripted and then, of course the instructions from the Fedora wiki cannot be directly brought over to the Centos wiki as we are doing the reverse of them in this case.
Something to think about, but if adding those 5 minutes would still be needed, then I'd say that we'd stick with current policy : permissive and people can switch to enforcing with a complete relabel
With my suggestion, your image is still in permissive and only if the user selects the 'enforce' option on the command line will it switch at first boot. This will be the user that is more experienced or working in a tough environment from the get go (university computer lab). Come to think of it, an option that disables SSHD might be smart too!
And if this option is selected you can pause the user with a 'do you really want to wait up to 5 min plus a reboot during firstboot'? prompt.
Which brings the question of is the resize method used in the fedora-arm-installer the same as what we would use in the centos install?
Could I specify both of switch selinux to enforce AND resize the partition in the install to take affect on firstboot?
- From my initial tests in the past, yes, you can : it will reboot
anyway, but I don't remember which one will be done first (have to verify which one is started first : relabeling or autoresize)
Yeap that is what it did. And relabeling before autoresize for what it is worth.
PS : I'm in a kind of "offline" mode those two weeks, reason why I'll be slow to react, but hopefully back at full steam soon :-)
Enjoy your holidays/vacation. Mine was the past week.
On 12/23/2015 04:50 AM, Fabian Arrotin wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 21/12/15 15:06, Robert Moskowitz wrote:
Minor typo in the wiki on selinux. It says to edit:
/etc/syconfig/selinux
That should be:
/etc/sysconfig/selinux
Updated, thanks
It took about 4 min on the reboot on my Cubieboard2, but of course it depends what you have added since install.
I would like to enforce selinux from the firstboot. Seems I can mount the image and make these 3 changes prior to first boot and the system would come up inititally with selinux enforced?
Yes, and our plan was to enforce that, but due to the long time needed to relabel the filesystem, we preferred to let it in permissive mode, and let the users decide if they wanted to to enforce it or not . To be clear , I'd really want to have it in enforcing in the default install, but that 5 minutes delay would be a "NO GO" for people trying CentOS Userland for the first time (and people not even reading the doc about the reason why, etc ..)
Right now you are building two, basically duplicate images: Cubietruck and BananaPi. All that is different between them is the uboot.
So one enforcing image takes longer than building two (or more as you add boards like Cubieboard2, Wandboard, etc.)?
Thus, exempt for RPi2, you build one image with selinux enforcing and you have the centos-arm-installer script have the option to switch to permissive.
And looking at the fedora-arm-installer and what we would want in a centos-arm-installer, the Fedora install has to disable selinux. The Centos install would have to enforce selinux. So these edits that are in the wiki would need to be scripted and then, of course the instructions from the Fedora wiki cannot be directly brought over to the Centos wiki as we are doing the reverse of them in this case.
Something to think about, but if adding those 5 minutes would still be needed, then I'd say that we'd stick with current policy : permissive and people can switch to enforcing with a complete relabel
Which brings the question of is the resize method used in the fedora-arm-installer the same as what we would use in the centos install?
Could I specify both of switch selinux to enforce AND resize the partition in the install to take affect on firstboot?
- From my initial tests in the past, yes, you can : it will reboot
anyway, but I don't remember which one will be done first (have to verify which one is started first : relabeling or autoresize)
PS : I'm in a kind of "offline" mode those two weeks, reason why I'll be slow to react, but hopefully back at full steam soon :-)
Fabian Arrotin The CentOS Project | http://www.centos.org gpg key: 56BEC54E | twitter: @arrfab -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux)
iEYEARECAAYFAlZ6blYACgkQnVkHo1a+xU40RgCffg1/Z8qqfad59nB0FjRyPAmq OfsAoIJD6CeBTxJBSFsc3KApmmdRxgpp =Aodm -----END PGP SIGNATURE----- _______________________________________________ Arm-dev mailing list Arm-dev@centos.org https://lists.centos.org/mailman/listinfo/arm-dev
-
Fabian Arrotin -
Robert Moskowitz