SELinux Relabeling Bypassed
Introduction
This article explains how to resolve an SELinux relabeling issue that occurs when using Warewulf with dracut boot mode. The issue affects Warewulf version 4.5.8 and earlier, as version 4.6.0 includes the resolution.
Problem
In Warewulf version 4.5.8 and earlier, dracut boot mode bypasses Warewulf's wwinit process, which includes automatic SELinux relabeling handled by the 90-SELinux script. By default, dracut starts /usr/sbin/init directly, skipping Warewulf's initialization scripts that manage SELinux configuration.
Resolution
For Warewulf 4.5.8 and earlier versions
To resolve this issue, manually add init=/init to the kernel command line. This forces dracut to execute Warewulf's /init script instead of the default /usr/sbin/init. The /init script properly initializes the system and runs the SELinux relabeling process through the 90-SELinux script.
Steps to configure
Method 1: Using wwctl node set
wwctl node set <nodename> --kernelargs="init=/init"
If you already have existing kernel arguments, you'll need to include them as well:
wwctl node set <nodename> --kernelargs="<existing_args>,init=/init"
Method 2: Using wwctl profile set
wwctl profile set <profilename> --kernelargs="init=/init"
For Warewulf 4.6.0 and later versions
Starting with Warewulf version 4.6.0, the boot templates automatically include the init=/init parameter. This update ensures proper SELinux relabeling and eliminates the need for manual intervention. Developers implemented the fix in the GRUB template (grub.cfg.ww) and the iPXE template (default.ipxe).