Enabling SELinux (was Re: How to make SELinux in Fedora work?)

Tom London selinux at comcast.net
Thu May 27 18:07:33 UTC 2004


I decided to give this a try on a FC2 machine that was installed with 
'everything' but without enabling 'selinux' on the install. It had 
policy-1.11.3-3 (and policy-sources) installed.

Following the attached advice, here's what I did:
   1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
   2. Rebooted single-user and ran 'fixfiles relabel'
   3. Rebooted multi-user

The machine booted up in permissive mode fine, with only a few 'avc' 
messages to examine.

There were a couple of quickly noticed issues:
   1. The 'swapon' command in the boot sequence failed:
        swapon: /dev/hda3: Invalid argument
        (entry from /var/log/messages: May 27 10:15:54 fedora kernel: Unable to find swap-space signature)
        I ran 'mkswap /dev/hda3; swapon -a' and all worked:
        May 27 10:17:47 fedora kernel: Adding 1502068k swap on /dev/hda3.  Priority:-1 extents:1

   2. Sound no longer worked, but I could find no obvious avc or other messages.
        (No sound from gain, xine, ...)
        I ran 'System Settings->Soundcard Detection', clicked OK in the popup, but nothing appeared to happen (also, no messages in /var/log/messages).
        BUT, sound started working, at least I can now hear music from 'xine'.

After fixing the above, I set 'setenforce 1' and all appeared working well.

I then edited /etc/sysconfig/selinux, changing 'SELINUX=permissive' to 
'SELINUX=enforcing', and rebooted.  Swap now got added correctly, and 
the system came up as expected. Even mozilla, including the added 
plugins, worked! (This is quite impressive!!!!!)

Sound didn't work again.  I tried as normal user:
      1. cd /usr/share/sounds
         aplay warning.wav
         Playing WAVE 'warning.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Mono
         But no sound.
      2. play warning.wav
         Got sound!
      3. aplay warning.wav
         Playing WAVE 'warning.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Mono
         Got Sound!

I see nothing in /var/log/messages about this...

Anyway, this exercise got me to convert this machine to 
SELinux/enforcing ( :-D )

Any thoughts on what happened to swap?   Something I did?
    tom

------------------------------------------------------------------------

    * From: Stephen Smalley <sds epoch ncsc mil>
    * To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
    * Subject: Re: How to make SELinux in Fedora work?
    * Date: Thu, 27 May 2004 08:16:03 -0400

------------------------------------------------------------------------

On Thu, 2004-05-27 at 02:44, park lee wrote:
> I've downloaded Fedora Core 2 from http://fedora.redhat.com/download/,
> and have installed it successfully.

As noted in the release notes for FC2
(http://fedora.redhat.com/docs/release-notes/), you have to pass
"selinux" to the installer to enable SELinux at install time.
 
> Then, I want to ask how to run SELinux which is integrated into
> Fedora Core? Are there some resources about what to do and how to do it?

If you didn't enable SELinux at install time, then you'll need to
install a policy (yum install policy policy-sources), create or edit
/etc/sysconfig/selinux and set SELINUX=permissive in it, and relabel
your filesystems (via fixfiles relabel).  Once you get your filesystems
labeled and have verified that you can boot without avc denials in your
logs, you can set SELINUX=enforcing in /etc/sysconfig/selinux.

> And is there any difference between it and the SELinux from
> http://www.nsa.gov/selinux/code/download5.cfm. As I know, when we want
> to run the SELinux from
> http://www.nsa.gov/selinux/code/download5.cfm, we should first recompile
> the kernel with certain options, then install some applications (such
> as checkpolicy, libselinux) from the SELinux Full Userland Archive to
> the system. Then, if we want to run the SELinux that is integrated
> into Fedora Core, should we do the same steps?

Fedora Core 2 already includes the SELinux code in the kernel and
applications, so you don't have to recompile anything.  You just need to
enable the SELinux support that is already there.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
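
Added example, not part of either message above: one way to script the "verify that you can boot without avc denials in your logs" check before changing SELINUX=permissive to SELINUX=enforcing. The function names are hypothetical, and the avc log lines, paths and type names in the sample are constructed for illustration; it assumes denials appear in /var/log/messages in the kernel's "avc: denied { ... } for ... scontext= tcontext= tclass=" form.

```python
import re
from collections import Counter

# Kernel AVC denial record: "avc:  denied  { perms } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample of /var/log/messages; avc lines, paths and types are invented.
SAMPLE_LOG = """\
May 27 10:15:54 fedora kernel: Unable to find swap-space signature
May 27 10:16:02 fedora kernel: audit(1085681762.412:0): avc:  denied  { read write } for  pid=812 exe=/usr/bin/exampled name=example.dat dev=hda2 ino=4711 scontext=system_u:system_r:exampled_t tcontext=system_u:object_r:file_t tclass=file
May 27 10:16:03 fedora kernel: audit(1085681763.007:0): avc:  denied  { read } for  pid=813 exe=/usr/bin/exampled name=example.dat dev=hda2 ino=4711 scontext=system_u:system_r:exampled_t tcontext=system_u:object_r:file_t tclass=file
May 27 10:16:09 fedora kernel: audit(1085681769.551:0): avc:  denied  { getattr } for  pid=901 exe=/bin/ls name=example.log dev=hda2 ino=4712 scontext=user_u:user_r:user_t tcontext=system_u:object_r:example_log_t tclass=file
"""

def selinux_mode(config_text):
    """Return the last SELINUX= value from /etc/sysconfig/selinux text, or None."""
    mode = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("SELINUX="):        # does not match SELINUXTYPE=
            mode = line.split("=", 1)[1].strip().lower()
    return mode

def _type(context):
    """A security context is user:role:type[...]; return the type field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def avc_denials(log_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                           # ordinary kernel message
        f = dict(FIELD_RE.findall(m.group(2)))
        key = (_type(f.get("scontext", "")), _type(f.get("tcontext", "")), f.get("tclass", "?"))
        for perm in m.group(1).split():        # one record can deny several perms
            counts[key + (perm,)] += 1
    return counts

def ready_for_enforcing(config_text, log_text):
    """True only if the config says permissive and the log shows no denials."""
    return selinux_mode(config_text) == "permissive" and not avc_denials(log_text)

if __name__ == "__main__":
    for key, n in sorted(avc_denials(SAMPLE_LOG).items()):
        print(n, *key)
    print("ready:", ready_for_enforcing("SELINUX=permissive\n", SAMPLE_LOG))
```

A target type of file_t in the summary usually points at files that the relabel did not cover, so those entries are worth checking before looking at policy.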




