A customer of mine approached me to install a virtualization solution at his company.
The first goal was portability the second productivity.
I had to find a way (transparent to their employees) to remove their work environment from their hardware.
Productivity is easy … just remove any unnecessary software and keep their desktops as clean as they can be.
“Attention Span” is the big monster.
I found that with no sound they couldn't listen to YouTube, internet radio stations or MP3s, and they had to install a radio at their office.
One radio station, one music for all. That approach was much better than every other solution I could figure out.
Imagine a workspace with 15 people, where everyone wants to listen to different music/news, YouTube or whatever.
That was noise - and noise is the enemy!
As for portability (we don't want to use this old hardware) it was easy enough too.
I built a tinycorelinux image and converted every PC to a thin or thick client.
RDP to their Terminal Server was the only thing I had to ensure was working.
Dnsmasq is the simplest and best solution to do that (PXE).
I created the /tftpboot/ directory and worked my way through that.
I used Fedora because it is a virtualization box with all the latest versions of software.
I wanted to test Fedora, and SELinux wasn't so bad after all.
Till the latest upgrade!
/tftpboot directory system_u:object_r:tftpdir_t:s0
/tftpboot/.* all files system_u:object_r:tftpdir_t:s0
dnsmasq now needs dnsmasq_t
type=AVC msg=audit(1349450414.500:20456): avc: denied { read } for pid=27175 comm="dnsmasq" name="tftpboot" dev="dm-1" ino=524451 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:tftpdir_t:s0 tclass=dir
Relabeling is out of the question.
The solution is to transfer all the necessary files to a new directory that
semanage fcontext -l
doesn't mark as something else, and chcon the entire directory (recursively) to label all files and dirs dnsmasq_t,
or to add a new policy rule that allows dnsmasq_t access to the /tftpboot directory,
or DISABLE SELinux, because you'll never know what else it will throw at you!
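Before picking one of those options it helps to read the denial precisely: which domain was blocked, which label it hit, and what the narrowest allow rule would look like. The POSIX sh below is an added example, not from the original post; it parses an AVC line shaped like the one quoted above (the sample is constructed from it) and prints the audit2allow-style rule and a summary line. The function names are my own.

```shell
#!/bin/sh
# Constructed sample AVC line, copied in shape from the denial quoted above.
AVC_SAMPLE='type=AVC msg=audit(1349450414.500:20456): avc: denied { read } for pid=27175 comm="dnsmasq" name="tftpboot" dev="dm-1" ino=524451 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:tftpdir_t:s0 tclass=dir'

# avc_field LINE KEY: value of KEY=... (surrounding quotes stripped), empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_rule LINE: the TE allow rule that would silence exactly this denial
# (the same shape audit2allow prints). Compare the tcontext type against
# matchpathcon(1) output first: if the label is not the expected one,
# restorecon is the fix, not a new rule.
avc_rule() {
    _src=$(ctx_type "$(avc_field "$1" scontext)")
    _tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s { %s };\n' \
        "$_src" "$_tgt" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# avc_summary LINE: one line suitable for a ticket or a log-monitoring rule.
avc_summary() {
    printf '%s (pid %s) denied %s on %s "%s" labelled %s\n' \
        "$(avc_field "$1" comm)" "$(avc_field "$1" pid)" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

avc_summary "$AVC_SAMPLE"
avc_rule "$AVC_SAMPLE"
```

Feed it `ausearch -m avc` output line by line and you get, for each denial, the minimal rule to put in a local policy module instead of disabling SELinux outright.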
It's unacceptable to make such core changes without having a plan for backwards compatibility or a way to inform your faithful admin that he/she will have a problem because you have destroyed everything he/she built over the last year!