[rhelv6-list] rhelv6-list Digest, Vol 20, Issue 6

manoj kumar manoj.2222 at gmail.com
Thu Jun 14 17:57:36 UTC 2012


If you want to make SELinux enforcing, then change the file
/etc/selinux/config as shown below; the system needs to be restarted to make it
effective. The restart may take 30 minutes or so.


cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


On Wed, Jun 13, 2012 at 6:59 PM,  <rhelv6-list-request at redhat.com> wrote:
> Send rhelv6-list mailing list submissions to
>        rhelv6-list at redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://www.redhat.com/mailman/listinfo/rhelv6-list
> or, via email, send a message with subject or body 'help' to
>        rhelv6-list-request at redhat.com
>
> You can reach the person managing the list at
>        rhelv6-list-owner at redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of rhelv6-list digest..."
>
>
> Today's Topics:
>
>   1. Unable to activate SELinux (Simon Reber)
>   2. Re: Unable to activate SELinux (Stephen Smalley)
>   3. Re: Unable to activate SELinux (Tris Hoar)
>   4. Re: Unable to activate SELinux (Simon Reber)
>   5. Re: Unable to activate SELinux (Gabriel S. Craciun)
>   6. Re: Unable to activate SELinux (Stephen Smalley)
>   7. Re: Unable to activate SELinux (Simon Reber)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 13 Jun 2012 14:05:35 +0200
> From: "Simon Reber" <S.Reber at lcsys.ch>
> To: <rhelv6-list at redhat.com>
> Subject: [rhelv6-list] Unable to activate SELinux
> Message-ID:
>        <1209832B38DC214CB373A59426B91DFE010D6BA7 at chbsex01.lcsys.ch>
> Content-Type: text/plain;       charset="us-ascii"
>
> Hi all,
>
> I'm having trouble activating SELinux on our RHEL 6 Linux system.
> We have some sort of special installation framework (cobbler and puppet)
> and initially disabled SELinux (which is fine)
>
> [output from Kickstart]
> ...
> selinux --disabled
> ...
> %packages --excludedocs --nobase
> kernel
> yum
> openssh-server
> openssh-clients
> audit
> logrotate
> tmpwatch
> vixie-cron
> crontabs
> ksh
> ntp
> perl
> bind-utils
> sudo
> which
> sendmail
> wget
> redhat-lsb
> rsync
> authconfig
> lsof
> unzip
> sharutils
> logwatch
> libacl
> nfs-utils
> lcsetup
> -firstboot
> -tftp-server
> -system-config-soundcard
> -libselinux-python
> -selinux-policy
> -libselinux-utils
> -selinux-policy-targeted
> ...
>
> But for some high Security Risk systems, it's required to turn it on
> anyway.
> So I followed the guidance on:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
> to enable SELinux again on these systems
>
> Unfortunately the system does not initiate SELinux correctly, nor do I
> see any hint where the problem is:
>
> tgl90a-8401 root:/etc/init $ sestatus
> SELinux status:                 disabled
> tgl90a-8401 root:/etc/init $ cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> #     disabled - No SELinux policy is loaded.
> SELINUX=permissive
> # SELINUXTYPE= can take one of these two values:
> #     targeted - Targeted processes are protected,
> #     mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
>
> The only thing I can see is:
> tgl90a-8401 root:/etc/init $ cat /var/log/messages
> Jun 13 13:41:30 tgl90a-8401 kernel: SELinux:  Initializing.
>
>
> Does anybody know if I need additional packages on the system or any
> special setting set?
>        I tried "permissive" mode with /.autorelable - which didn't
> work either
>        I also installed @Base Group to ensure nothing is missing - but
> still the same result
>
> I've tried it with the same setup on RHEL 5 which worked perfectly - but
> not on RHEL 6!
>        So I'm really looking forward to getting some hints/tips
>
> Thanks and all the best,
> Si
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 13 Jun 2012 08:23:34 -0400
> From: Stephen Smalley <sds at tycho.nsa.gov>
> To: rhelv6-list at redhat.com
> Subject: Re: [rhelv6-list] Unable to activate SELinux
> Message-ID: <1339590214.13501.1.camel at moss-pluto.epoch.ncsc.mil>
> Content-Type: text/plain; charset="UTF-8"
>
> On Wed, 2012-06-13 at 14:05 +0200, Simon Reber wrote:
>> -libselinux-python
>> -selinux-policy
>> -libselinux-utils
>> -selinux-policy-targeted
>> ...
>
> Did you install selinux-policy-targeted and the other packages above
> that were originally excluded from your install?
>
> --
> Stephen Smalley
> National Security Agency
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 13 Jun 2012 13:36:03 +0100
> From: Tris Hoar <trishoar at bgfl.org>
> To: rhelv6-list at redhat.com
> Subject: Re: [rhelv6-list] Unable to activate SELinux
> Message-ID: <4FD88933.5000403 at bgfl.org>
> Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
>
> Are you sure you are installing the packages needed for SE?
>
> @Base does not include any SE packages. I think you will want
> selinux-policy and selinux-policy-targeted as this gives the default SE
> policy for the system.
>
> Regards,
>
> Tris
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 13 Jun 2012 14:56:04 +0200
> From: "Simon Reber" <S.Reber at lcsys.ch>
> To: "Red Hat Enterprise Linux 6 (Santiago) discussion mailing-list"
>        <rhelv6-list at redhat.com>
> Subject: Re: [rhelv6-list] Unable to activate SELinux
> Message-ID:
>        <1209832B38DC214CB373A59426B91DFE010D6BA9 at chbsex01.lcsys.ch>
> Content-Type: text/plain;       charset="us-ascii"
>
>> On Wed, 2012-06-13 at 14:05 +0200, Simon Reber wrote:
>> > -libselinux-python
>> > -selinux-policy
>> > -libselinux-utils
>> > -selinux-policy-targeted
>> > ...
>>
>> Did you install selinux-policy-targeted and the other packages above
>> that were originally excluded from your install?
> Yes, both packages have been installed:
>
> tgl90a-8401 root:/etc/init $ rpm -qa | grep selinux-policy
> selinux-policy-targeted-3.7.19-126.el6_2.10.noarch
> selinux-policy-3.7.19-126.el6_2.10.noarch
>
> Like I said, I strictly followed the instruction on
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
>        -> In section 5.4.1.1 the packages are stated and all of them
> have been installed
>
> tgl90a-8401 root:/etc/init $ rpm -qa | grep sel
> libselinux-2.0.94-5.2.el6.x86_64
> libselinux-ruby-2.0.94-5.2.el6.x86_64
> libselinux-python-2.0.94-5.2.el6.x86_64
> selinux-policy-targeted-3.7.19-126.el6_2.10.noarch
> libselinux-utils-2.0.94-5.2.el6.x86_64
> selinux-policy-3.7.19-126.el6_2.10.noarch
>
> tgl90a-8401 root:/etc/init $ rpm -qa | grep set
> setserial-2.17-25.el6.x86_64
> setools-libs-python-3.3.7-4.el6.x86_64
> setuptool-1.19.9-3.el6.x86_64
> setools-libs-3.3.7-4.el6.x86_64
> setroubleshoot-plugins-3.0.16-1.el6.noarch
> setroubleshoot-3.0.38-2.1.el6.x86_64
> setroubleshoot-server-3.0.38-2.1.el6.x86_64
>
> Thanks and all the best,
> Simon Reber
>
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 13 Jun 2012 13:16:34 +0000
> From: "Gabriel S. Craciun" <gcraciun at transfond.ro>
> To: "Red Hat Enterprise Linux 6 (Santiago) discussion mailing-list"
>        <rhelv6-list at redhat.com>
> Subject: Re: [rhelv6-list] Unable to activate SELinux
> Message-ID:
>        <18ACE6C30FF1454D93B4C039FB62EA7627DE79FD at SPO-MAIL.stfd.ro>
> Content-Type: text/plain; charset="us-ascii"
>
> Did you check /etc/sysconfig/selinux ????
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 13 Jun 2012 09:20:17 -0400
> From: Stephen Smalley <sds at tycho.nsa.gov>
> To: "Red Hat Enterprise Linux 6 (Santiago) discussion mailing-list"
>        <rhelv6-list at redhat.com>
> Subject: Re: [rhelv6-list] Unable to activate SELinux
> Message-ID: <1339593617.13501.6.camel at moss-pluto.epoch.ncsc.mil>
> Content-Type: text/plain; charset="UTF-8"
>
> On Wed, 2012-06-13 at 14:56 +0200, Simon Reber wrote:
>> Yes, both packages have been installed:
>>
>> tgl90a-8401 root:/etc/init $ rpm -qa | grep selinux-policy
>> selinux-policy-targeted-3.7.19-126.el6_2.10.noarch
>> selinux-policy-3.7.19-126.el6_2.10.noarch
>
> What happens if you try to manually load the policy now?
> load_policy -i
>
> --
> Stephen Smalley
> National Security Agency
>
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 13 Jun 2012 15:29:07 +0200
> From: "Simon Reber" <S.Reber at lcsys.ch>
> To: "Red Hat Enterprise Linux 6 (Santiago) discussion mailing-list"
>        <rhelv6-list at redhat.com>
> Subject: Re: [rhelv6-list] Unable to activate SELinux
> Message-ID:
>        <1209832B38DC214CB373A59426B91DFE010D6BAB at chbsex01.lcsys.ch>
> Content-Type: text/plain;       charset="us-ascii"
>
>> Did you check /etc/sysconfig/selinux ????
> File is there and from my point of view correctly configured:
>
> tgl90a-8401 root:/etc/init $ ls -al /etc/sysconfig/selinux
> lrwxrwxrwx 1 root root 17 Jun 13 12:58 /etc/sysconfig/selinux -> ../selinux/config
> tgl90a-8401 root:/etc/init $ cat /etc/sysconfig/selinux
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> #     disabled - No SELinux policy is loaded.
> SELINUX=permissive
> # SELINUXTYPE= can take one of these two values:
> #     targeted - Targeted processes are protected,
> #     mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
>
> Cheers,
> Si
>
>
>
> ------------------------------
>
>
> End of rhelv6-list Digest, Vol 20, Issue 6
> ******************************************



-- 
MANOJ KUMAR
SUBROTO PARK
NEW DELHI
Mob No 09911130165
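
The checks made in this thread (the SELINUX= value in the config file, and the packages the kickstart excluded), collected into one script. This is an added example, not part of any message above; the function names, the mistyped mode and the sample file contents are constructed for illustration.

```shell
#!/bin/bash
# Added example: offline triage of the checks discussed in this thread.
# On a real host pass /etc/selinux/config and a file holding `rpm -qa` output.

# Print the value assigned to KEY in an SELinux config file (comment lines
# never match; if KEY appears more than once the last line is reported).
config_value() {  # usage: config_value KEY FILE
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Classify SELINUX=: one of the three values the file's comments list,
# "missing", or "invalid:<value>" for anything else (for example a typo).
config_mode() {  # usage: config_mode FILE
    local v
    v=$(config_value SELINUX "$1")
    case "$v" in
        enforcing|permissive|disabled) echo "$v" ;;
        "") echo "missing" ;;
        *)  echo "invalid:$v" ;;
    esac
}

# Print each package from the kickstart's exclusion list that is absent from
# an `rpm -qa` listing. The policy package name follows SELINUXTYPE=.
missing_packages() {  # usage: missing_packages CONFIG RPM_LIST
    local type pkg
    type=$(config_value SELINUXTYPE "$1")
    for pkg in selinux-policy "selinux-policy-${type:-targeted}" \
               libselinux-utils libselinux-python; do
        grep -q "^${pkg}-[0-9]" "$2" || echo "$pkg"
    done
}

# Constructed sample input: a config with a mistyped mode, and the package
# list of a host where only part of the SELinux package set is installed.
demo_dir=$(mktemp -d)
printf '# SELINUX= can take one of these three values:\nSELINUX=enforcng\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
printf 'libselinux-2.0.94-5.2.el6.x86_64\nselinux-policy-3.7.19-126.el6_2.10.noarch\n' > "$demo_dir/rpms"

echo "mode:    $(config_mode "$demo_dir/config")"
echo "missing: $(missing_packages "$demo_dir/config" "$demo_dir/rpms" | tr '\n' ' ')"
```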