Re: Installing the new policy

I also had some issues in the newest selinux-policy installs from the development tree.

First, I had to remove setools to remove a yum/rpm conflict.

After successfully yum'ing selinux-policy-strict-sources (which also installed selinux-policy-strict and removed policy and policy-sources), I rebooted in single user mode, where I did the usual 'fixfiles relabel'. I then rebooted to multiuser mode, where I determined that the 'mode' was set to 'disabled' (i.e., 'getenforce->disabled').

Rooting around uncovered that there was no /etc/selinux/config installed, nor was /etc/sysconfig/selinux updated with the 'SELINUXTYPE=strict' line. Since the thread on this was confusing to me, I also added a line 'POLICYTYPE=strict'.

I modified /etc/sysconfig/selinux, copied it to /etc/selinux/config and rebooted. It still came up with selinux in 'disabled' mode.

Checking /var/log/messages showed 'SELinux disabled at boot'. So, I rebooted adding 'selinux=1' to the boot line. This time, the boot failed with 'can't read /etc/fstab' and brought me up in 'filesystem repair' mode. There I determined that /etc/fstab had no security context assigned to it. (Did it get rewritten during a 'disabled' boot?)

I rebooted without the 'selinux=1' but in single-user mode, where I adjusted the context of /etc/fstab, /etc/sysconfig/selinux and /etc/selinux/config. I also changed /etc/sysconfig/selinux to boot up in permissive mode.

Rebooting with 'selinux=1 single' worked, and I reran 'fixfiles relabel'.

Rebooting with 'selinux=1' into permissive/multi-user worked. I changed /etc/sysconfig/selinux and /etc/selinux/config to 'enforce'. Rebooting single-user (i.e., with 'selinux=1 single') worked.

Rebooting strict/multi-user (i.e. with 'selinux=1') did not work. It got jammed setting up X.org log files. Seems that /var/log/Xorg.0.log.old had no security context, so the attempt to move /var/log/Xorg.0.log 'on top of it' failed. (I'm guessing it was a leftover from a 'disabled' boot.)

I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed /tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.

So here's the condensed version:
1. Installing selinux-policy-strict-sources (and selinux-policy-strict) did not set up /etc/selinux/config, nor did it modify /etc/sysconfig/selinux. (I must admit that I was confused by the message thread. Did I need to remove /etc/sysconfig/selinux before doing the 'yum install selinux-policy-strict-sources'? I thought the install would add the 'SELINUXTYPE=strict' line to an existing file, but I may have read this wrong.)
2. My system was 'set up' to boot by default into 'disabled' mode. This caused a lot of problems with unlabeled files, directories, etc. Accidentally forgetting to add 'selinux=1' to the boot line may cause this.
3. I had to 'yum remove setools'. Did this cause my booting or other problems?
4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to /etc/sysconfig/selinux and to /etc/selinux/config. Are both needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
5. I manually copied /etc/selinux/config from /etc/sysconfig/selinux. Does that provide the correct info/format?


System is up and running in strict/enforcing mode. I will later try to install selinux-policy-targeted*.

tom
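As an added example (not code from Tom's post or from the Fedora project), here is a small POSIX shell checker for an /etc/selinux/config-style file, run over a constructed copy of the hand-edited file described above. It reports a missing or misspelled SELINUX= mode, a missing SELINUXTYPE= policy name, and flags POLICYTYPE=, which libselinux does not read; the sample file contents and the two helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Fedora project.
# Constructed sample mirroring the hand-edited file described in the post
# (SELINUXTYPE= plus the extra POLICYTYPE= line). Point the checker at
# /etc/selinux/config to examine a real host.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict
EOF

# selinux_conf_get FILE KEY: print the value of KEY (last uncommented assignment
# wins, surrounding whitespace stripped); prints nothing if KEY is absent.
selinux_conf_get() {
    sed -n "/^[[:space:]]*$2=/{ s/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; p; }" "$1" | tail -n 1
}

# selinux_conf_check FILE: one finding per line on stdout; exit 0 when the
# file selects a valid mode and names a policy, 1 otherwise.
selinux_conf_check() {
    rc=0
    mode=$(selinux_conf_get "$1" SELINUX)
    type=$(selinux_conf_get "$1" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive) ;;
        disabled) echo "note: SELINUX=disabled; files written while disabled get no label and need a relabel later" ;;
        "") echo "missing SELINUX= line: mode not set, SELinux stays disabled at boot"; rc=1 ;;
        *)  echo "bad SELINUX=$mode (expected enforcing, permissive or disabled)"; rc=1 ;;
    esac
    if [ -z "$type" ]; then
        echo "missing SELINUXTYPE= line: no policy (strict/targeted) selected"; rc=1
    elif [ ! -d "/etc/selinux/$type" ]; then
        # Informational only: the named policy directory is absent on this host.
        echo "note: /etc/selinux/$type not found on this host"
    fi
    # libselinux reads SELINUX= and SELINUXTYPE=; POLICYTYPE= is an unrecognised key.
    if [ -n "$(selinux_conf_get "$1" POLICYTYPE)" ]; then
        echo "POLICYTYPE= is not read by libselinux; SELINUXTYPE= is the effective key"
    fi
    return $rc
}

if selinux_conf_check "$SAMPLE_CONFIG"; then
    echo "sample config is usable"
fi
```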
