From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 29 Jan 2016 17:37:15 +0000 (UTC)
From: Joe Wulf
Reply-To: Joe Wulf
To: "selinux@tycho.nsa.gov"
Message-ID: <2033239564.1859278.1454089035658.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1464190.SZXTM0cE5o@juss>
References: <1464190.SZXTM0cE5o@juss>
Subject: Re: Newbie question on fixfiles
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

What filesystem is applied to your disk and its various partitions?
For this to work, that FS has to be one that supports SELinux labeling (seclabel).
You are right---if what you are using doesn't support that, you are dead in the water (currently).
What options do you have to change to an SELinux-compliant FS?

From: Thomas Downing
To: selinux@tycho.nsa.gov
Sent: Friday, January 29, 2016 12:25 PM
Subject: Newbie question on fixfiles

Hi,

I need to get SELinux running on an appliance we are building, not based on a
distro that already supports SELinux.

I've got all the userspace stuff built, (including setools3) without any
warnings or errors. I followed instructions for installing and loading
refpolicy, no warnings or errors. (Except the python tools, which all import
selinux.py, which does not seem to be included in the source tree.)

I'm booting with kernel options "security=selinux selinux=1", and dmesg shows
SELinux initializing, and no errors or warnings.

sestatus output:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      30

Problem is: fixfiles does not actually label anything, and the underlying reason
is that none of the mounted disk filesystems (all ext4) have option 'seclabel'.

Any pointers?

Also, given the absence of the seclabel option, I question if the kernel part
of SELinux is in fact really happy...and if it isn't, I'm dead in the water
anyway.

Thanks much,
Thomas Downing
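A diagnostic for the symptom discussed in this thread, added here as an example and not written by either poster: it lists mounts that lack the `seclabel` option and checks a kernel config file for `CONFIG_EXT4_FS_SECURITY`, the kernel option for ext4 security labels. Treating that option as a likely cause is an assumption, and the function names and sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Mount tables are read in
# /proc/mounts format: device mountpoint fstype options dump pass

# Print "mountpoint fstype" for every mount of the listed fs types whose
# option list does not contain the "seclabel" flag.
# $1: file in /proc/mounts format
# $2: comma-separated fs types to check (default: common disk filesystems)
mounts_without_seclabel() {
    awk -v types="${2:-ext2,ext3,ext4,xfs,btrfs}" '
        BEGIN {
            n = split(types, t, ",")
            for (i = 1; i <= n; i++) want[t[i]] = 1
        }
        ($3 in want) {
            labeled = 0
            m = split($4, opt, ",")
            # Compare whole option tokens so "noseclabel"-style strings
            # or paths containing the word never match by accident.
            for (i = 1; i <= m; i++) if (opt[i] == "seclabel") labeled = 1
            if (!labeled) print $2, $3
        }' "$1"
}

# Return 0 if the given kernel config file enables ext4 security xattrs.
# Assumption: the config is available as plain text (for example a saved
# .config from the appliance kernel build).
ext4_security_enabled() {
    grep -q '^CONFIG_EXT4_FS_SECURITY=y' "$1"
}

# Constructed sample mount table: one ext4 mount without seclabel, one with.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/dev/sda2 /data ext4 rw,seclabel,relatime 0 0
tmpfs /run tmpfs rw,seclabel,nosuid 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
EOF
}

# Demo run on the constructed sample; on a live system pass /proc/mounts.
demo_table=$(mktemp)
sample_mounts > "$demo_table"
mounts_without_seclabel "$demo_table"
rm -f "$demo_table"
```

On the appliance itself, run `mounts_without_seclabel /proc/mounts` after boot; any ext4 mount it prints is one that fixfiles will not be able to label.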