SElinux and FC6

Aleksandar Milivojevic alex at milivojevic.org
Tue Dec 26 19:52:59 UTC 2006


Vidiot wrote:
>> It's probably an upgrade bug in FC6 installer.
> 
> :-(
> 
>> First thing I would check is if there's anything in /etc/selinux that
>> got created with extension .rpmnew (check timestamps to make sure
>> .rpmnew files are newer than config files, there's a probability some of
>> them were from FC2 updates).  Probably most important will be policy.18
>> and file_contexts files.  If there is, just move them into place (for
>> example mv policy.18 policy.18.orig followed by mv policy.18.rpmnew
>> policy.18).
> 
> None of the files you mention exist.

My bad, on FC6 it's policy.21 (policy.18 is from older versions, for
example the version used in RHEL4).

They should exist in subdirectories of /etc/selinux.  The exact location
depends on type of policy you installed and/or want to use.  For example
policy.21 should be /etc/selinux/targeted/policy/policy.21 if you are
using targeted policy.  There are several different SELinux policies you
can install and use on the system (such as targeted or strict).  Most
commonly the targeted policy is used.  Each policy would go into its own
directory tree under /etc/selinux.  For example, targeted policy would
go into /etc/selinux/targeted, while strict policy would go under
/etc/selinux/strict.

If you can't find policy.21 file at all, check that you have
selinux-policy and selinux-policy-targeted RPM packages installed
(assuming targeted policy is the one you want to use).  If you don't
have them, then install them as you would normally do (for example using
yum).  If you have them, but you don't have policy.21 file, reinstall
those RPMs (download them, and install them manually using rpm -Uhv
--allfiles --oldpackage --replacefiles).

Also, check that you have policycoreutils RPM.  If you don't have it,
install it.  Commands such as restorecon and chcon, which are essential
utilities for SELinux, are part of that package.

> BTW, when I bring up the firewall GUI and select the SElinux tab, it shows
> disabled and everything is grey'd out, i.e., can't enable it.

It could be it's grayed out because you are missing selinux-policy
and/or selinux-policy-targeted RPMs on the system.

BTW, what is this FC6 box used for?  If it's just a laptop or desktop
system that has no services running on it (such as HTTP daemon for
example), there's little use for SELinux on it.  Especially if you are
using targeted policy (default).  Targeted SELinux policy "targets" and
restricts only specific services.  Everything else is more or less
unrestricted.  That's why targeted policy is named targeted.  So if
system is not running anything that targeted policy restricts, there's
little point in having SELinux enabled on the system.
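
The checks described in the message above, as an added read-only example (not part of the original post and not Red Hat tooling). The function names, the output tags, and the contexts/files/file_contexts location under each policy directory are assumptions; the message names only the files and packages.

```shell
#!/bin/sh
# Added example: read-only audit of an SELinux configuration tree.
# Function names and output tags are hypothetical, chosen for this example.

# audit_selinux_tree [ROOT]  -- ROOT defaults to /etc/selinux.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if ROOT is absent.
audit_selinux_tree() {
    root=${1:-/etc/selinux}
    [ -d "$root" ] || { echo "NO_ROOT $root"; return 2; }
    findings=$(
        # .rpmnew files: report only those newer than the live file (or with no
        # live file), since older ones may be leftovers from earlier updates.
        find "$root" -type f -name '*.rpmnew' | sort | while IFS= read -r new; do
            live=${new%.rpmnew}
            if [ ! -e "$live" ]; then echo "RPMNEW_ONLY $new"
            elif [ "$new" -nt "$live" ]; then echo "RPMNEW_NEWER $new"
            fi
        done
        # Each policy type directory (targeted, strict, ...) needs a binary
        # policy.N file and a file_contexts file.
        for dir in "$root"/*/; do
            [ -d "$dir" ] || continue
            ptype=$(basename "$dir")
            found=no
            for p in "$dir"policy/policy.*; do
                case ${p##*/policy.} in
                    ''|*[!0-9]*) ;;   # skip .rpmnew, .orig and an unmatched glob
                    *) if [ -f "$p" ]; then found=yes; fi ;;
                esac
            done
            if [ "$found" = no ]; then echo "NO_POLICY $ptype"; fi
            if [ ! -f "${dir}contexts/files/file_contexts" ]; then
                echo "NO_FILE_CONTEXTS $ptype"
            fi
        done
    )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# audit_selinux_packages -- prints the packages named in the message that rpm
# does not report as installed. Requires rpm on PATH.
audit_selinux_packages() {
    for pkg in selinux-policy selinux-policy-targeted policycoreutils; do
        rpm -q "$pkg" >/dev/null 2>&1 || echo "PKG_MISSING $pkg"
    done
}
```

Run `audit_selinux_tree` with no argument to inspect /etc/selinux; nothing is moved or overwritten, so any `mv` of a reported .rpmnew file remains a manual decision.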



