Installing the new policy

Tom London selinux at comcast.net
Sun May 30 00:37:04 UTC 2004


I also had some issues in the newest selinux-policy installs from the 
development tree.

First, I had to remove setools to remove a yum/rpm conflict.

After successfully yum'ing selinux-policy-strict-sources (which also 
installed selinux-policy-strict and removed policy and policy-sources), 
I rebooted in single user mode, where I did the usual 'fixfiles 
relabel'.  I then rebooted to multiuser mode, where I determined that 
the 'mode' was set to 'disabled' (i.e., 'getenforce->disabled').

Rooting around uncovered that there was no /etc/selinux/config 
installed, nor was /etc/sysconfig/selinux updated with the 
'SELINUXTYPE=strict' line.  Since the thread on this was confusing to 
me, I also added a line 'POLICYTYPE=strict'.

I modified /etc/sysconfig/selinux, copied it to /etc/selinux/config and 
rebooted.  Still came up with selinux in 'disabled' mode.

Checking /var/log/messages showed 'SELinux disabled at boot'.  So, I 
rebooted adding 'selinux=1' to the boot line.  This time, the boot failed 
with 'can't read /etc/fstab' and brought me up in 'filesystem repair' 
mode.  There I determined that /etc/fstab had no security context 
assigned to it (did it get rewritten during a 'disabled' boot?).

I rebooted without the 'selinux=1' but in single-user mode, where I 
adjusted the context of /etc/fstab, /etc/sysconfig/selinux and 
/etc/selinux/config.  I also changed /etc/sysconfig/selinux to boot up 
in permissive mode.

Rebooting with 'selinux=1 single' worked; I reran 'fixfiles relabel'.

Rebooting with 'selinux=1' into permissive/multi-user worked.  I changed 
/etc/sysconfig/selinux and /etc/selinux/config to 'enforce'.  Rebooting 
single-user (i.e., with 'selinux=1 single') worked.

Rebooting strict/multi-user (i.e. with 'selinux=1') did not work.  It 
got jammed setting up X.org log files.  Seems that 
/var/log/Xorg.0.log.old had no security context, so the attempt to move 
/var/log/Xorg.0.log 'on top of it' failed.  I'm guessing it was a 
leftover from a 'disabled' boot.

I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed 
/tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.

So here's the condensed version:

1. Installing selinux-policy-strict-sources (and selinux-policy-strict) 
did not set up /etc/selinux/config, nor did it modify 
/etc/sysconfig/selinux.  (I must admit that I was confused by the 
message thread.  Did I need to remove /etc/sysconfig/selinux before doing 
the 'yum install selinux-policy-strict-sources'?  I thought the install 
would add the 'SELINUXTYPE=strict' line to an existing file, but I may 
have read this wrong.)

2. My system was 'set up' to boot by default into 'disabled' mode.  This 
caused a lot of problems with unlabeled files, directories, etc. 
Accidentally forgetting to add 'selinux=1' to the boot line may cause this.

3. I had to 'yum remove setools'.  Did this cause my booting or other 
problems?

4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to 
/etc/sysconfig/selinux and to /etc/selinux/config.  Are both 
needed/correct?  /sbin/fixfiles seems to want 'SELINUXTYPE'...

5. I manually copied /etc/selinux/config from /etc/sysconfig/selinux.  Does 
that provide the correct info/format?

System is up and running in strict/enforcing mode.  I will later try to 
install selinux-policy-targeted*.

tom
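The recurring failure in the post is an enforcing boot hitting a file that was written during a 'disabled' boot and therefore carries no label (/etc/fstab, /var/log/Xorg.0.log.old, /tmp/gconfd-tbl), each fixed by hand with 'chcon --reference' or a full 'fixfiles relabel'.  The script below is an added example, not code from the post or from the Fedora policy packages.  It takes a listing in the two-column form that 'ls --scontext' prints (context, then path), reports every entry whose context is '?' or of type unlabeled_t, and proposes a repair for each without touching the filesystem: copy the label from the first correctly labelled file in the same directory (the 'chcon --reference' pattern used in the post), or fall back to 'restorecon', which reapplies the policy's file_contexts.  SAMPLE_LISTING is constructed sample input using the paths named in the post; run it against a real 'ls --scontext' listing while still in permissive mode to catch leftovers before switching to enforcing.

```shell
#!/bin/sh
# Added example, not from the original post.  Finds unlabeled entries in an
# "ls --scontext"-style listing (context, then path) and proposes a repair
# for each, without modifying anything.  SAMPLE_LISTING is constructed input.

SAMPLE_LISTING='system_u:object_r:xserver_log_t /var/log/Xorg.0.log
? /var/log/Xorg.0.log.old
system_u:object_r:etc_t /etc/fstab.bak
system_u:object_r:unlabeled_t /etc/fstab
? /tmp/gconfd-tbl'

# Print one path per line for every entry whose context is "?" (no label
# stored on the inode at all) or of type unlabeled_t (the type the kernel
# reports when the stored label does not map to a type in the loaded policy).
find_unlabeled() {
    printf '%s\n' "$1" | awk '$1 == "?" || $1 ~ /:unlabeled_t(:|$)/ { print $2 }'
}

# Emit the command that would repair each unlabeled entry.  The first
# correctly labelled file seen in the same directory becomes the
# "chcon --reference" source; a directory with no such sibling falls back
# to restorecon, which labels from the policy's file_contexts instead.
plan_relabel() {
    printf '%s\n' "$1" | awk '
    function dirof(p) { sub(/\/[^\/]*$/, "", p); return (p == "" ? "/" : p) }
    {
        ctx = $1; path = $2; d = dirof(path)
        if (ctx == "?" || ctx ~ /:unlabeled_t(:|$)/) { bad[++n] = path }
        else if (!(d in ref)) { ref[d] = path }
    }
    END {
        for (i = 1; i <= n; i++) {
            d = dirof(bad[i])
            if (d in ref) printf "chcon --reference %s %s\n", ref[d], bad[i]
            else printf "restorecon -v %s\n", bad[i]
        }
    }'
}

# Run stand-alone: show the proposed repairs for the sample listing.
plan_relabel "$SAMPLE_LISTING"
```

For the sample listing this proposes 'chcon --reference /var/log/Xorg.0.log /var/log/Xorg.0.log.old', 'chcon --reference /etc/fstab.bak /etc/fstab' and 'restorecon -v /tmp/gconfd-tbl'.  Copying a sibling's label is quick but only right when the sibling really is the same kind of file; restorecon (or the whole-filesystem 'fixfiles relabel' the post used) is the authoritative fix because it consults the policy rather than a neighbour.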