Enabling the strict policy on Fedora 7
Daniel J Walsh
dwalsh at redhat.com
Fri Aug 3 19:28:39 UTC 2007
Patrick McNeal wrote:
> I'm new to SELinux, and have been banging my head against the wall on
> how to change from the targeted to the strict policy on my Fedora 7
> box. I just figured out how to do it, and thought that it would be a
> good thing to have in the archive so others might more easily find a
> solution.
>
> 1 - Install the strict policy using the package manager. I used
> selinux-policy-strict-2.6.4-29.fc.noarch.
> 2 - Using the SELinux Administration tool, set the "system default
> policy type" to "strict".
> 3 - Set the "system default enforcing mode" to "permissive".
> 4 - Check "Relabel on next reboot".
> 5 - Reboot
>
> If you leave enforcing mode set to the default of "enforcing" you'll
> get this error on reboot:
>
> /sbin/init: error while loading shared libraries: libsepol.so.1:
> failed to map segment from shared object: Permission denied
> Kernel panic - not syncing: Attempted to kill init!
>
> Note, you can also make these changes via the command line by editing
> /etc/selinux/config, set up a relabel by touching /.autorelabel and
> rebooting.
>
> Hope that helps someone.
>
> --Patrick
>
You need to boot first in permissive mode to allow relabeling to happen,
then reboot in enforcing mode.
Or just setenforce 1 after the first boot.
At the kernel boot line you can just enter enforcing=0 to boot in
permissive mode.
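
The command-line route described in this thread, as an added example that is not part of either message: a shell function that stages the switch to strict with the first boot in permissive mode and a relabel requested. The function name `stage_strict` and its `ROOT` prefix argument (empty on a live system, a scratch directory for a dry run) are assumptions made for this sketch, as is the check that the policy is installed under `/etc/selinux/strict`.

```shell
#!/bin/sh
# Added example (not from the thread): stage the targeted -> strict switch.
# stage_strict ROOT   ROOT is "" on a live system, or a scratch copy for a dry run.
stage_strict() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"

    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    # Installed policies live under /etc/selinux/<type>; stop before touching
    # the config if the strict policy package is not there.
    [ -d "$root/etc/selinux/strict" ] || { echo "strict policy not installed" >&2; return 2; }

    cp -p "$cfg" "$cfg.bak" || return 1
    # Rewrite only the two keys; comments and other lines pass through.
    # Writing back into the existing file keeps its owner, mode and label.
    awk '
        /^SELINUX=/     { print "SELINUX=permissive"; m = 1; next }
        /^SELINUXTYPE=/ { print "SELINUXTYPE=strict"; t = 1; next }
        { print }
        END {
            if (!m) print "SELINUX=permissive"
            if (!t) print "SELINUXTYPE=strict"
        }' "$cfg.bak" > "$cfg" || return 1

    # Ask the init scripts for a full relabel on the next boot.
    : > "$root/.autorelabel"
}

# Live use, as root:  stage_strict "" && reboot
# After the relabel boot has finished: setenforce 1, then set SELINUX=enforcing
# in /etc/selinux/config so later boots start in enforcing mode.
```
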