On Sun, 10 Apr 2005 15:10:40 +0200 Julien Le Houérou <julien_lh@xxxxxxxx> wrote:
Sjoerd Mullender wrote:
I'm trying to enable SELinux on my FC3 system and I followed the manual instructions in the FAQ* (I don't want to use system-config-securitylevel since it overwrites my iptables setup): /etc/selinux/config contains SELINUX=permissive and SELINUXTYPE=targeted; I have touched /.autorelabel; I have rebooted (several times, not all of them related to this issue); and when the system was rebooting, there was no noticeable delay while the files were being relabeled and /.autorelabel still exists. Also:

# sestatus -v
SELinux status: disabled
In /var/log/messages and in the dmesg output, I don't see anything about SELinux being disabled. I do see the following lines (the selinux=1 was my latest attempt--it didn't change anything):
# dmesg | grep -i selinux
Kernel command line: ro root=LABEL=/ apm=off acpi=on selinux=1
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
SELinux: Registering netfilter hooks
What am I doing wrong?
*) http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825232
What if there is no /etc/selinux/ nor /etc/sysconfig/selinux ?? I don't have any of them on my system!!
Have you installed selinux-policy-targeted and selinux-policy-strict? They provide /etc/selinux files. /etc/sysconfig/selinux is a symlink to /etc/selinux/config.
policycoreutils may not have been pulled into the pool of packages you installed. I have packages related to policy as on the below output from rpm. You probably don't need the sources, but policycoreutils is important. My versions are newer and from development, but the names minus version should be close.
When you do the touch /.autorelabel, your system should have some prompt telling you that it is relabeling the files and the operation might take some time.
I had trouble before with not having policycoreutils pulled in when upgrading. I believe that the dep problem was straightened out, but not sure whether it was straightened out for FC3 or for later test versions.
Other than that, you might want to browse through the archives of the selinux list for detailed posts as to what programs are needed and what files need to contain certain information. /etc/sysconfig/selinux is a symlink to /etc/selinux/config and is not a file actually.

/etc/sysconfig/selinux -> /etc/selinux/config
I'm not actively running selinux, but this is from info I got when running selinux.
Jim
It should contain the below:
cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
rpm -qa |grep policy
policycoreutils-1.23.3-2
checkpolicy-1.22-1
selinux-policy-targeted-1.23.9-1
selinux-policy-targeted-sources-1.23.9-1
selinux-policy-strict-sources-1.23.9-1
selinux-policy-strict-1.23.9-1
-- Johnson's law: Systems resemble the organizations that create them.
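
The checks discussed in the thread above (the SELINUX and SELINUXTYPE values, the /etc/sysconfig/selinux symlink, the policy packages, a leftover /.autorelabel), gathered into one shell function as an added example; it is not code from the thread or from Fedora. The function names and the ROOT argument are assumptions made for illustration, and the /etc/selinux/<type> directory check assumes the layout the selinux-policy-* packages install.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the manual
# SELinux setup discussed above. ROOT is a hypothetical parameter that lets
# the checks run against a constructed directory tree; empty means "/".

# Print the last uncommented value of KEY in FILE (KEY=VALUE syntax).
selinux_cfg_value() {   # usage: selinux_cfg_value FILE KEY
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print one line per finding; return the number of findings (0 = all good).
selinux_precheck() {    # usage: selinux_precheck [ROOT]
    root=${1:-}; cfg="$root/etc/selinux/config"; link="$root/etc/sysconfig/selinux"
    n=0; type=
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg (shipped by the selinux-policy-* packages)"; n=$((n + 1))
    else
        mode=$(selinux_cfg_value "$cfg" SELINUX)
        type=$(selinux_cfg_value "$cfg" SELINUXTYPE)
        case $mode in
            enforcing|permissive) ;;
            *) echo "SELINUX='$mode' will not enable SELinux"; n=$((n + 1)) ;;
        esac
        case $type in
            targeted|strict)
                # Assumption: the policy package installs under /etc/selinux/<type>.
                [ -d "$root/etc/selinux/$type" ] ||
                    { echo "no policy directory for '$type'"; n=$((n + 1)); } ;;
            *) echo "SELINUXTYPE='$type' is not targeted or strict"; n=$((n + 1)) ;;
        esac
    fi
    # /etc/sysconfig/selinux must be a symlink to the config, not a copy.
    target=$(readlink "$link" 2>/dev/null) || target=
    case $target in
        /etc/selinux/config|../selinux/config) ;;
        *) echo "$link is not a symlink to /etc/selinux/config"; n=$((n + 1)) ;;
    esac
    # A leftover flag file means the boot-time relabel never ran.
    if [ -e "$root/.autorelabel" ]; then
        echo "$root/.autorelabel still present: relabel has not run"; n=$((n + 1))
    fi
    # Package check only on the live system (package names as in the thread).
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        for p in policycoreutils ${type:+selinux-policy-$type}; do
            rpm -q "$p" >/dev/null 2>&1 || { echo "package $p not installed"; n=$((n + 1)); }
        done
    fi
    return "$n"
}
```

Calling selinux_precheck with no argument checks the running system; a non-zero return value is the number of findings printed.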