selinux not enabled

Jim Cornette fc-cornette at insight.rr.com
Mon Apr 11 03:43:08 UTC 2005


Richard E Miles wrote:
> On Sun, 10 Apr 2005 15:10:40 +0200
> Julien Le Houérou <julien_lh at yahoo.fr> wrote:
> 
> 
>>Sjoerd Mullender wrote:
>>
>>
>>>I'm trying to enable SELinux on my FC3 system and I followed the manual
>>>instructions in the FAQ* (I don't want to use
>>>system-config-securitylevel since it overwrites my iptables setup):
>>>/etc/selinux/config contains SELINUX=permissive and SELINUXTYPE=targeted;
>>>I have touched /.autorelabel;
>>>I have rebooted (several times, not all of them related to this issue);
>>>and when the system was rebooting, there was no noticeable delay while
>>>the files were being relabeled and /.autorelabel still exists.  Also:
>>># sestatus -v
>>>SELinux status:         disabled
>>>
>>>In /var/log/messages and in the dmesg output, I don't see anything about
>>>SELinux being disabled.  I do see the following lines (the selinux=1 was
>>>my latest attempt--it didn't change anything):
>>>
>>># dmesg | grep -i selinux
>>>Kernel command line: ro root=LABEL=/ apm=off acpi=on selinux=1
>>>SELinux:  Initializing.
>>>SELinux:  Starting in permissive mode
>>>selinux_register_security:  Registering secondary module capability
>>>SELinux:  Registering netfilter hooks
>>>
>>>What am I doing wrong?
>>>
>>>*) http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825232
>>>
>>> 
>>>
>>
>>What if there is no /etc/selinux/ nor /etc/sysconfig/selinux ?? I don't 
>>have any of them on my system!!
>>
> 
> 
> Have you installed selinux-policy-targeted and selinux-policy-strict?
> They provide /etc/selinux files.
> /etc/sysconfig/selinux is a symlink to /etc/selinux/config.
> 

policycoreutils may not have been pulled into the pool of packages you 
installed. I have packages related to policy as on the below output from 
rpm. You probably don't need the sources, but policycoreutils is 
important. My versions are newer and from development, but the names 
minus version should be close.
When you do the touch /.autorelabel your system should have some prompt 
telling you that it is relabeling the files and the operation might take 
some time.
I had trouble before with not having policycoreutils pulled in when 
upgrading. I believe that the dep problem was straightened out, but not 
sure whether it was straightened out for FC3 or for later test versions.

Other than that, you might want to browse through the archives of the 
selinux list for detailed posts as to what programs are needed and what 
files need to contain certain information. /etc/sysconfig/selinux is a 
symlink to /etc/selinux/config and is not actually a file. 
/etc/sysconfig/selinux -> /etc/selinux/config

I'm not actively running selinux, but this is from info I got when 
running selinux.
Jim

It should contain the below:

  cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted


  rpm -qa |grep policy
policycoreutils-1.23.3-2
checkpolicy-1.22-1
selinux-policy-targeted-1.23.9-1
selinux-policy-targeted-sources-1.23.9-1
selinux-policy-strict-sources-1.23.9-1
selinux-policy-strict-1.23.9-1


-- 
Johnson's law:
	Systems resemble the organizations that create them.
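
The checks raised in this thread (config values, the /etc/sysconfig/selinux symlink, a leftover /.autorelabel, the policy packages) collected into one script. This is an added example, not code from any poster; the function names and the root-directory argument are assumptions of the example, the latter so the checks can run against a constructed tree.

```shell
#!/bin/sh
# Added example. Pass "" as root to audit the live system.

# Print the last uncommented KEY=value setting from an SELinux config file.
cfg_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$2" | tail -n 1
}

# Print one OK/FAIL line per check; return 1 if anything failed.
check_selinux_setup() {
    local root cfg link fail mode ptype
    root=${1:-}; cfg="$root/etc/selinux/config"; link="$root/etc/sysconfig/selinux"; fail=0
    if [ -f "$cfg" ]; then
        mode=$(cfg_value SELINUX "$cfg"); ptype=$(cfg_value SELINUXTYPE "$cfg")
        case $mode in
            enforcing|permissive) echo "OK SELINUX=$mode" ;;
            *) echo "FAIL SELINUX='$mode' (want enforcing or permissive)"; fail=1 ;;
        esac
        case $ptype in
            targeted|strict) echo "OK SELINUXTYPE=$ptype" ;;
            *) echo "FAIL SELINUXTYPE='$ptype' (want targeted or strict)"; fail=1 ;;
        esac
    else
        echo "FAIL $cfg missing (shipped by the selinux-policy-* packages)"; fail=1
    fi
    # /etc/sysconfig/selinux must be a symlink to the real config, not a copy.
    if [ -L "$link" ]; then
        case $(readlink "$link") in
            /etc/selinux/config|../selinux/config) echo "OK sysconfig symlink" ;;
            *) echo "FAIL sysconfig symlink points elsewhere"; fail=1 ;;
        esac
    else
        echo "FAIL $link is not a symlink"; fail=1
    fi
    # A leftover flag file means the boot-time relabel never ran.
    if [ -e "$root/.autorelabel" ]; then
        echo "FAIL /.autorelabel still present: relabel has not run"; fail=1
    fi
    return $fail
}

# List thread-named packages that rpm reports as absent (live system only).
missing_policy_packages() {
    local p
    command -v rpm >/dev/null 2>&1 || { echo "rpm-unavailable"; return 0; }
    for p in policycoreutils selinux-policy-targeted; do
        rpm -q "$p" >/dev/null 2>&1 || echo "$p"
    done
}
```

On a live system, run `check_selinux_setup ""` and `missing_policy_packages` as root after sourcing the file.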
