I also had some issues in the newest selinux-policy installs from the development tree.
First, I had to remove setools to remove a yum/rpm conflict.
After successfully yum'ing selinux-policy-strict-sources (which also installed selinux-policy-strict and removed policy and policy-sources), I rebooted in single user mode, where I did the usual 'fixfiles relabel'. I then rebooted to multiuser mode, where I determined that the 'mode' was set to 'disabled' (i.e., 'getenforce->disabled').
Rooting around uncovered that there was no /etc/selinux/config installed, nor was /etc/sysconfig/selinux updated with the 'SELINUXTYPE=strict' line. Since the thread on this was confusing to me, I also added a line 'POLICYTYPE=strict'.
I modified /etc/sysconfig/selinux, copied it to /etc/selinux/config and rebooted. Still came up with selinux in 'disabled' mode.
Checking /var/log/messages showed 'SELinux disabled at boot'. So, I rebooted adding 'selinux=1' to the boot line. This time, the boot failed with 'can't read /etc/fstab' and brought me up in 'filesystem repair' mode. There I determined that /etc/fstab had no security context assigned to it (Did it get rewritten during a 'disabled' boot?)
I rebooted without the 'selinux=1' but in single-user mode, where I adjusted the context of /etc/fstab, /etc/sysconfig/selinux and /etc/selinux/config. I also changed /etc/sysconfig/selinux to boot up in permissive mode.
Rebooting with 'selinux=1 single' worked, I reran 'fixfiles relabel'.
Rebooting with 'selinux=1' into permissive/multi-user worked. I changed /etc/sysconfig/selinux and /etc/selinux/config to 'enforce'. Rebooting single-user (i.e., with 'selinux=1 single') worked.
Rebooting strict/multi-user (i.e. with 'selinux=1') did not work. It got jammed setting up X.org log files. Seems that /var/log/Xorg.0.log.old had no security context, so the attempt to move /var/log/Xorg.0.log 'on top of it' failed. I'm guessing it was a leftover from a 'disabled' boot.
I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed /tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.
So here's the condensed version:
1. Installing selinux-policy-strict-sources (and selinux-policy-strict) did not set up /etc/selinux/config, nor did it modify /etc/sysconfig/selinux. (I must admit that I was confused by the message thread. Did I need to remove /etc/sysconfig/selinux before doing the 'yum install selinux-policy-strict-sources'? I thought the install would add the 'SELINUXTYPE=strict' line to an existing file, but I may have read this wrong.)
2. My system was 'set up' to boot by default into 'disabled' mode. This caused a lot of problems with unlabeled files, directories, etc. Accidentally forgetting to add 'selinux=1' to the boot line may cause this.
3. I had to 'yum remove setools'. Did this cause my booting or other problems?
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to /etc/sysconfig/selinux and to /etc/selinux/config. Are both needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does that provide the correct info/format?
System is up and running in strict/enforcing mode. I will later try to install selinux-policy-targeted*.
tom
Great, your recipe worked pretty well (but I'm not quite up at enforcing=1).
It is good to make the changes to /etc/security/selinux first.
I made mine with the active lines:
SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict
Then I copied it over to /etc/selinux/config
[root@hoho2 user1]# cd /etc/selinux
[root@hoho2 selinux]# ls -l
total 20
-rw-r--r--  1 root root  332 May 29 23:47 config
drwxr-xr-x  5 root root 4096 May 29 12:05 strict
drwxr-xr-x  5 root root 4096 May 29 12:06 targeted
[root@hoho2 selinux]#
Adding the word 'single' to the grub.conf kernel line was a timesaver, and potentially avoided more problems.
I think I was running for a while with the kernel boot param 'selinux=0', doing a few yum updates during this time too. Many of the files that were listed in the 'fixfiles relabel' run seemed as though they may have appeared during yum updates when 'selinux=0' or when selinux was disabled (by the /etc/sysconfig/selinux file settings). Boot params override this file.
For the next few boots, I ran with 'selinux=1 enforcing=0'
Just as a test, I ran 'fixfiles relabel' twice. The second time, there were no diagnostic output lines - leaving me with a good feeling.
I booted up again and looked in the /var/log/messages file - no audit messages. Either something is working well, or not at all.
---
Then I tried to boot with the boot param 'enforcing=1'
In the RedHat nash phase (or maybe just after), I got the message:
Enforcing mode requested, but no policy loaded. Halting now.
Kernel panic: Attempted to kill init!
-----
After a power cycle, I set the boot param back to 'enforcing=0'
I remembered seeing a Makefile with the targets: ...,..., reload
I believe this Makefile was in /etc/sysconfig/selinux/src/policy, but I noticed that /etc/sysconfig/selinux was now a file - in fact it was the file that I edited a few minutes before.
Having seen a policy directory under /etc/selinux/strict, I went there:
[root@hoho2 policy]# pwd
/etc/selinux/strict/src/policy
[root@hoho2 policy]# ls -lt | head
total 11708
-rw-r--r--  1 root root      97 May 29 23:57 reload.out
drwxr-xr-x  2 root root    4096 May 29 23:57 tmp
drwxr-xr-x  4 root root    4096 May 29 12:06 file_contexts
-rw-r--r--  1 root root 4207890 May 29 12:05 policy.conf
drwx------  2 root root    4096 May 29 12:05 flask
drwx------  3 root root    4096 May 29 12:05 macros
drwx------  2 root root    4096 May 29 12:05 types
drwx------  2 root root    4096 May 29 12:05 appconfig
drwx------  4 root root    4096 May 29 12:05 domains
This is after I did a 'make reload 2>&1 | tee reload.out' twice. The first time I got a lot of diagnostic lines, 'inode ...'. The second time I got:
[root@hoho2 policy]# cat reload.out
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers `
touch tmp/load
This looked pretty good, so I tried to go into enforcing mode by doing
[root@hoho2 policy]# setenforce 1
Immediately, I got:
su[2804]: Error! Unable to set executable context (null).
login (pam_unix)[2534]: session closed for user1
INIT: cannot execute "/sbin/mngetty"
INIT: cannot execute "/sbin/mngetty"
INIT: cannot execute "/sbin/mngetty"
...
INIT: Id "1" respawing too fast, disabled for 5 minutes
-----
Another power cycle, and I am ready for bed.
Hopefully there are some clues in the above for selinux gurus.
BobG
On Sat, 29 May 2004 17:37:04 -0700, Tom London wrote:
On Sat, 2004-05-29 at 20:37, Tom London wrote:
So here's the condensed version;
- Installing selinux-policy-strict-sources (and selinux-policy-strict) did not set up /etc/selinux/config, nor did it modify /etc/sysconfig/selinux. (I must admit that I was confused by the message thread. Did I need to remove /etc/sysconfig/selinux before doing the 'yum install selinux-policy-strict-sources'? I thought the install would add the 'SELINUXTYPE=strict' line to an existing file, but I may have read this wrong.)
I don't think that Dan has set up the spec file to do this yet in %post. So you have to manually create /etc/selinux/config at present. /etc/sysconfig/selinux is obsolete with the newer libselinux and SysVinit. /usr/bin/selinuxconfig will show what libselinux thinks are the active policy paths.
- My system was 'set up' to boot by default into 'disabled' mode. This caused a lot of problems with unlabeled files, directories, etc.
I think that this will eventually be covered by changing the spec file to create /etc/selinux/config if it does not already exist. Dan?
- I had to 'yum remove setools'. Did this cause my booting or other problems?
No, I don't think it created any of the problems you experienced. But setools will need to be updated to use the new libselinux functions, and rebuilt.
- I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to /etc/sysconfig/selinux and to /etc/selinux/config. Are both needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
SELINUXTYPE is correct. There was a bug in the spec file that was using POLICYTYPE; that should be changed if it hasn't already.
- I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does that provide the correct info/format?
Yes, except that you need to add a SELINUXTYPE=strict (or targeted) to it, and it is named /etc/selinux/config.
You also need to relabel after updating the policy to get /etc/selinux into the right types. Odds of successfully making this transition in enforcing mode are slim, I suspect.
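An added example, written for this thread rather than taken from it: a POSIX shell checker for the /etc/selinux/config layout the replies converge on, which flags a missing SELINUXTYPE= line, the obsolete POLICYTYPE= key, and an unrecognised SELINUX= value such as 'enforce'. The function name check_selinux_config is my own and the sample file it checks is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): a checker for an
# /etc/selinux/config-style file, applying the rules the replies state.
#   - SELINUX=     must be enforcing, permissive or disabled
#   - SELINUXTYPE= must name the policy (strict or targeted); fixfiles
#                  and libselinux read this key, not POLICYTYPE
#   - POLICYTYPE=  is the spec-file bug's leftover and is ignored
# check_selinux_config is an assumed name; the keys come from the thread.

# check_selinux_config FILE: prints one finding per line, returns 0 when
# the file would bring SELinux up with a named policy, 1 otherwise.
check_selinux_config() {
    cfg=$1
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "MISSING: $cfg does not exist; SELinux will come up disabled"
        return 1
    fi
    # last assignment wins, as it would for a shell-style config file
    mode=$(sed -n 's/^SELINUX=[[:space:]]*//p' "$cfg" | tail -n 1)
    ptype=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$cfg" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) echo "OK: SELINUX=$mode" ;;
        "") echo "ERROR: SELINUX= line missing"; rc=1 ;;
        # e.g. 'enforce' is not a value the init scripts recognise
        *) echo "ERROR: SELINUX=$mode is not enforcing/permissive/disabled"; rc=1 ;;
    esac
    case "$ptype" in
        strict|targeted) echo "OK: SELINUXTYPE=$ptype" ;;
        "") echo "ERROR: SELINUXTYPE= line missing (needed by fixfiles/libselinux)"; rc=1 ;;
        *) echo "WARN: SELINUXTYPE=$ptype is neither strict nor targeted" ;;
    esac
    if grep -q '^POLICYTYPE=' "$cfg"; then
        echo "WARN: POLICYTYPE= is obsolete and ignored; use SELINUXTYPE="
    fi
    return $rc
}

# Constructed sample (not a real system file), modelled on the mistakes in
# the first post: an 'enforce' value plus a POLICYTYPE line and no SELINUXTYPE.
sample=$(mktemp)
printf 'SELINUX=enforce\nPOLICYTYPE=strict\n' > "$sample"
check_selinux_config "$sample" || echo "sample config would not boot as intended"
rm -f "$sample"
```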