I also had some issues in the newest selinux-policy installs from the
development tree.
First, I had to remove setools to remove a yum/rpm conflict.
After successfully yum'ing selinux-policy-strict-sources (which also
installed selinux-policy-strict and removed policy and policy-sources),
I rebooted in single user mode, where I did the usual 'fixfiles
relabel'. I then rebooted to multiuser mode, where I determined that
the 'mode' was set to 'disabled' (i.e.,
'getenforce->disabled').
Rooting around uncovered that there was no /etc/selinux/config
installed, nor was /etc/sysconfig/selinux updated with the
'SELINUXTYPE=strict' line. Since the thread on this was confusing to
me, I also added a line 'POLICYTYPE=strict'.
I modified /etc/sysconfig/selinux, copied it to /etc/selinux/config and
rebooted. Still came up with selinux in 'disabled' mode.
Checking /var/log/messages showed 'SELinux disabled at boot'. So, I
rebooted adding 'selinux=1' to the boot line. This time, the boot failed
with 'can't read /etc/fstab' and brought me up in 'filesystem repair'
mode. There I determined that /etc/fstab had no security context
assigned to it (Did it get rewritten during a 'disabled' boot?)
I rebooted without the 'selinux=1' but in single-user mode, where I
adjusted the context of /etc/fstab, /etc/sysconfig/selinux and
/etc/selinux/config. I also changed /etc/sysconfig/selinux to boot up
in permissive mode.
Rebooting with 'selinux=1 single' worked; I reran 'fixfiles relabel'.
Rebooting with 'selinux=1' into permissive/multi-user worked. I changed
/etc/sysconfig/selinux and /etc/selinux/config to 'enforce'. Rebooting
single-user (i.e., with 'selinux=1 single') worked.
Rebooting strict/multi-user (i.e. with 'selinux=1') did not work. It
got jammed setting up X.org log files. Seems that
/var/log/Xorg.0.log.old had no security context so the attempt to move
/var/log/Xorg.0.log 'on top of it' failed. (I'm guessing it was a
leftover from a 'disabled' boot.)
I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed
/tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.
So here's the condensed version:
1. installing selinux-policy-strict-sources (and selinux-policy-strict)
did not set up /etc/selinux/config, nor did it modify
/etc/sysconfig/selinux. (I must admit that I was confused by the
message thread. Did I need to remove /etc/sysconfig/selinux before doing
the 'yum install selinux-policy-strict-sources'? I thought the install
would add the 'SELINUXTYPE=strict' line to an existing file, but I may
have read this wrong.)
2. My system was 'setup' to boot by default into 'disabled' mode. This
caused a lot of problems with unlabeled files, directories, etc.
Accidentally forgetting to add 'selinux=1' to the boot line may cause this.
3. I had to 'yum remove setools'. Did this cause my booting or other
problems?
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
/etc/sysconfig/selinux and to /etc/selinux/config. Are both
needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
5. I manually copied /etc/selinux/config from /etc/sysconfig/selinux. Does
that provide the correct info/format?
System is up and running in strict/enforcing mode. I will later try to
install selinux-policy-targeted*.
tom