Bug 122794
| Summary: | SELinux FAQ - process to install SELinux on FC2 | ||
|---|---|---|---|
| Product: | [Retired] Fedora Documentation | Reporter: | Richard Hally <rhallyx> |
| Component: | selinux-faq | Assignee: | Karsten Wade <kwade> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Tammy Fox <tammy.c.fox> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | devel | CC: | barryn, bobgus, christopher.albert |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-08-03 18:45:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 118757 | ||
I wonder if there is a configuration problem with the policy files.
In the /etc/security/selinux/src/policy/Makefile (mine at least),
there is no mention of policy.17 as an output file, but I do have a
policy.17 file in that directory and in the /etc/security/selinux
directories (see below).
Where are all of these things dropping from, and what is the source
used in generating policy.15, policy.16, policy.17.
Also, what is the meaning of 'load' when applied to a policy file. And
how can one determine what policy file is 'active'?
[root@hoho2 policy]# more /home/user1/policy.bug
[root@hoho2 policy]# pwd
/etc/security/selinux/src/policy
[root@hoho2 policy]# grep 15 Makefile
$(CHECKPOLICY) -c 15 -o $(INSTALLDIR)/policy.15 policy.conf
[root@hoho2 policy]# grep 16 Makefile
$(CHECKPOLICY) -c 16 -o $(INSTALLDIR)/policy.16 policy.conf
[root@hoho2 policy]# grep 17 Makefile
[root@hoho2 policy]# ls -l ../..
total 21752
-rw-r--r-- 1 root root 86912 May 5 23:30 file_contexts
-rw-r--r-- 1 root root 7369029 May 5 23:30 policy.15
-rw-r--r-- 1 root root 7370766 May 5 23:30 policy.16
-rw-r--r-- 1 root root 7371078 May 5 23:29 policy.17
drwx------ 3 root root 4096 Apr 28 21:04 src
[root@hoho2 policy]# ls -l ../../policy.17
-rw-r--r-- 1 root root 7371078 May 5 23:29 ../../policy.17
[root@hoho2 policy]# ls -l policy.17
-rw------- 1 root root 7346892 Apr 28 21:04 policy.17
These are not the same files, both size and date differ.
[root@hoho2 policy]# file policy.17
policy.17: SE Linux policy v17 6 symbols 7 ocons
[root@hoho2 policy]#
That is pretty nifty. Maybe having some sort of 'source stamp' would
be a useful addition somewhere, not necessarily in the file text
though. (But maybe)
[root@hoho2 policy]# checkpolicy -h
checkpolicy: invalid option -- h
usage: checkpolicy [-b] [-d] [-c policyvers (15-17)] [-o
output_file] [input_file]
[root@hoho2 policy]# checkpolicy -b policy.17
checkpolicy: loading policy configuration from policy.17
security: 5 users, 7 roles, 1244 types, 1 bools
security: 30 classes, 301755 rules
checkpolicy: policy configuration loaded
[root@hoho2 policy]#
Loaded? What does that mean? Have I accidently changed my whole
security configuration?
No indication of what policy.conf or other files were used to make up
this (binary) file.
Update - as soon as I grab final FC2 ISOs, I'm going to make this one of my installation tests, which will give me a chance to test these steps from scratch. I'll likely generate a package needs list from the diff between the two installs (w/ and w/o SELinux). *** Bug 125148 has been marked as a duplicate of this bug. *** The below steps were added to the FC2 version of the SELinux FAQ, currently archived at: http://people.redhat.com/kwade/fedora-docs/fc2/selinux-faq-en/index.html#id2854406 ## begin FAQ entry Q:. How do I install SELinux on a running Fedora Core 2 that didn't have SELinux installed through Anaconda? A:. Since SELinux is now part of the kernel, installation is straightforward. You are enabling systems already in place. 1. Install a policy with yum install policy policy-sources. 2. Create or edit /etc/sysconfig/selinux and set SELINUX=permissive in it. 3. Relabel your file system with fixfiles relabel. This will take at least several minutes, as each file on the system is checked and labeled for the newly installed policy. 4. Reboot your system. Check /var/log/messages for avc: denied messages. Resolve any issues while still in permissive mode, and once you can boot without avc denials, set SELINUX=enforcing in /etc/sysconfig/selinux. |
Description of change/FAQ addition. If a change, include the original text first, then the changed text: Here is a question that may be worthwhile to have in the FAQ: --------------------------------------------------------------- Q: I have installed Fedora Core 2 without SELinux, what are the steps to start using SELinux? A: 1. Install the policy<version>.rpm , policy-sources<version>.rpm policycoreutils<version>rpm and (list other needed packages here.) 2. change the /etc/sysconfig/selinux file to have SELINUX=permissive (if you had selinux=0 on the kernel line in grub, take it off) 3. reboot (so that the LSM and SELinux modules will be loaded). 4. cd /etc/security/selinux/src/policy make load (to make sure the policy and file_contexts were built correctly) make relabel (this will take a while, it accesses every file on the system) 5. reboot (2nd time, to restart all programs with the correct contexts) -------------------------------------------------------------------- This needs to be checked. If this is not correct, please give the correct steps. HTH Richard Hally Version-Release of FAQ (found on http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html): for example selinux-faq-1.1 (2004-05-05-T16:20-0800) selinux-faq-1.1-2 (2004-05-09-T16:20-0800)