Subject: Re: Newbie question on fixfiles
To: Thomas Downing, selinux@tycho.nsa.gov
References: <1464190.SZXTM0cE5o@juss>
From: Stephen Smalley
Message-ID: <56ABA942.9020701@tycho.nsa.gov>
Date: Fri, 29 Jan 2016 13:02:42 -0500
In-Reply-To: <1464190.SZXTM0cE5o@juss>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On 01/29/2016 12:25 PM, Thomas Downing wrote:
> Hi,
>
> I need to get SELinux running on an appliance we are building, not based on a
> distro that already supports SELinux.
>
> I've got all the userspace stuff built, (including setools3) without any
> warnings or errors. I followed instructions for installing and loading
> refpolicy, no warnings or errors. (Except the python tools, which all import
> selinux.py, which does not seem to be included in the source tree.)
>
> I'm booting with kernel options "security=selinux selinux=1", and dmesg shows
> SELinux initializing, and no errors or warnings.
>
> sestatus output:
>
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: refpolicy
> Current mode: permissive
> Mode from config file: permissive
> Policy MLS status: disabled
> Policy deny_unknown status: denied
> Max kernel policy version: 30
>
> Problem is: fixfiles does not actually label anything, and the underlying reason
> is that none of the mounted disk filesystems (all ext4) have option 'seclabel'.
>
> Any pointers?
>
> Also, given the absence of the seclabel option, I question if the kernel part
> of SELinux is in fact really happy...and if it isn't, I'm dead in the water
> anyway.

This implies that you haven't loaded a policy into the kernel. Normally
this is done by init; both sysvinit and systemd should already include
the necessary bits but you may have to enable them in your configure.
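The symptom discussed in this thread (ext4 mounts with no `seclabel` option, taken as a sign that no policy is loaded in the kernel) can be checked from a mounts table. The following is an added example, not code from the thread or from the SELinux project; the function names `unlabeled_mounts` and `sample_mounts` and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: report mount points of a given filesystem type whose
# mount options do not include "seclabel".
#
# $1: filesystem type to inspect (e.g. ext4)
# $2: mounts table in /proc/mounts format; "-" reads standard input,
#     default is /proc/mounts on the running system
unlabeled_mounts() {
    fstype=$1
    table=${2:-/proc/mounts}
    awk -v t="$fstype" '
        $3 == t {
            # Field 4 is the comma-separated option list; match the
            # option exactly so a substring elsewhere cannot satisfy it.
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "seclabel") found = 1
            if (!found) print $2
        }' "$table"
}

# Constructed sample table (not taken from the poster's appliance):
# two ext4 mounts without seclabel, one with it, and one tmpfs.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/dev/sda2 /var ext4 rw,seclabel,relatime,data=ordered 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sda3 /data ext4 rw,noatime 0 0
EOF
}

# Demo on the constructed table; call `unlabeled_mounts ext4` with no
# second argument to inspect the live system instead.
sample_mounts | unlabeled_mounts ext4 -
```

An empty result for every labeling-capable filesystem type means the mounts carry `seclabel`; any mount point listed is one where `fixfiles` would have nothing to label against, as described in the question.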