Great, your recipe worked pretty well (but I'm not quite up at enforcing=1).

It is good to make the changes to /etc/security/selinux first. I made mine with the active lines:

SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict

Then I copied it over to /etc/selinux/config

[root@hoho2 user1]# cd /etc/selinux
[root@hoho2 selinux]# ls -l
total 20
-rw-r--r--  1 root root  332 May 29 23:47 config
drwxr-xr-x  5 root root 4096 May 29 12:05 strict
drwxr-xr-x  5 root root 4096 May 29 12:06 targeted
[root@hoho2 selinux]#

Adding the word 'single' to the grub.conf kernel line was a timesaver, and potentially avoided more problems.

I think I was running for a while with the kernel boot param 'selinux=0' - doing a few yum updates during this time too. Many of the files that were listed in the 'fixfiles relabel' run seemed as though they may have appeared during yum updates when 'selinux=0' or when selinux was disabled (by the /etc/sysconfig/selinux file settings). Boot params override this file.

For the next few boots, I ran with 'selinux=1 enforcing=0'

Just as a test, I ran 'fixfiles relabel' twice. The second time, there were no diagnostic output lines - leaving me with a good feeling.

I booted up again and looked in the /var/log/messages file - no audit messages. Either something is working well, or not at all.

---

Then I tried to boot with the boot param 'enforcing=1'

In the RedHat nash phase (or maybe just after), I got the message:

Enforcing mode requested, but no policy loaded. Halting now.
Kernel panic: Attempted to kill init!

-----

After a power cycle, I set the boot param back to 'enforcing=0'

I remembered seeing a Makefile with the targets: ...,..., reload

I believe this Makefile was in /etc/sysconfig/selinux/src/policy, but I noticed that /etc/sysconfig/selinux was now a file - in fact it was the file that I edited a few minutes before.
Having seen a policy directory under /etc/syslinux/strict, I went there

[root@hoho2 policy]# pwd
/etc/selinux/strict/src/policy
[root@hoho2 policy]# ls -lt | head
total 11708
-rw-r--r--  1 root root      97 May 29 23:57 reload.out
drwxr-xr-x  2 root root    4096 May 29 23:57 tmp
drwxr-xr-x  4 root root    4096 May 29 12:06 file_contexts
-rw-r--r--  1 root root 4207890 May 29 12:05 policy.conf
drwx------  2 root root    4096 May 29 12:05 flask
drwx------  3 root root    4096 May 29 12:05 macros
drwx------  2 root root    4096 May 29 12:05 types
drwx------  2 root root    4096 May 29 12:05 appconfig
drwx------  4 root root    4096 May 29 12:05 domains

This is after I did a 'make reload 2>&1 | tee reload.out' twice. The first time I got a lot of diagnostic lines, 'inode ...'. The second time I got:

[root@hoho2 policy]# cat reload.out
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers `
touch tmp/load

This looked pretty good, so I tried to go into enforcing mode by doing

[root@hoho2 policy]# setenforce 1

Immediately, I got:

su[2804]: Error! Unable to set executable context (null).
login (pam_unix)[2534]: session closed for user1
INIT: cannot execute "/sbin/mngetty"
INIT: cannot execute "/sbin/mngetty"
INIT: cannot execute "/sbin/mngetty"
...
INIT: Id "1" respawing too fast, disabled for 5 minutes

-----

Another power cycle, and I am ready for bed.

Hopefully there are some clues in the above for selinux gurus.

BobG

on Sat, 29 May 2004 17:37:04 -0700, Tom London wrote:

>I also had some issues in the newest selinux-policy installs from the
>development tree.
>
>First, I had to remove setools to remove a yum/rpm conflict.
>
>After successfully yum'ing selinux-policy-strict-sources (which also
>installed selinux-policy-strict and removed policy and policy-sources),
>I rebooted in single user mode, where I did the usual 'fixfiles
>relabel'. I then rebooted to multiuser mode, where I determined that
>the 'mode' was set to 'disabled' (i.e., 'getenforce->disabled').
>
>Rooting around uncovered that there was no /etc/selinux/config
>installed, nor was /etc/sysconfig/selinux updated with the
>'SELINUXTYPE=strict' line. Since the thread on this was confusing to
>me, I also added a line 'POLICYTYPE=strict'.
>
>I modified /etc/syconfig/selinux, copied it to /etc/selinux/config and
>rebooted. Still came up with selinux in 'disabled' mode.
>
>Checking /var/log/messages showed 'SELinux disabled at boot'. So, I
>rebooted adding 'selinux=1' to the boot line. This time, the boot failed
>with 'can't read /etc/fstab' and brought me up in 'filesystem repair'
>mode. There I determined that /etc/fstab had no security context
>assigned to it (Did it get rewritten during a 'disabled' boot?)
>
>I rebooted without the 'selinux=1' but in single-user mode, where I
>adjusted the context of /etc/fstab, /etc/sysconfig/selinux and
>/etc/selinux/config. I also changed /etc/sysconfig/selinux to boot up
>in permissive mode.
>
>Rebooting with 'selinux=1 single' worked; I reran 'fixfiles relabel'.
>
>Rebooting with 'selinux=1' into permissive/multi-user worked. I changed
>/etc/sysconfig/selinux and /etc/selinux/config to 'enforce'. Rebooting
>single-user (i.e., with 'selinux=1 single') worked.
>
>Rebooting strict/multi-user (i.e. with 'selinux=1') did not work. It
>got jammed setting up X.org log files. Seems that
>/var/log/Xorg.0.log.old had no security context so the attempt to move
>/var/log/Xorg.0.log 'on top of it' failed. (I'm guessing it was a
>leftover from a 'disabled' boot.)
>
>I fixed that ('chcon --reference Xorg.0.log Xorg.0.log.old'), fixed
>/tmp/gconfd-tbl (same problem), and now it boots up strict/multi-user.
>
>So here's the condensed version:
>1. installing selinux-policy-strict-sources (and selinux-policy-strict)
>did not set up /etc/selinux/config, nor did it modify
>/etc/sysconfig/selinux. (I must admit that I was confused by the
>message thread.
>Did I need to remove /etc/sysconfig/selinux before doing
>the 'yum install selinux-policy-strict-sources'? I thought the install
>would add the 'SELINUXTYPE=strict' line to an existing file, but I may
>have read this wrong.)
>2. My system was 'setup' to boot by default into 'disabled' mode. This
>caused a lot of problems with unlabeled files, directories, etc.
>Accidentally forgetting to add 'selinux=1' to the boot line may cause this.
>3. I had to 'yum remove setools'. Did this cause my booting or other
>problems?
>4. I added both 'SELINUXTYPE=' and 'POLICYTYPE=' lines to
>/etc/sysconfig/selinux and to /etc/selinux/config. Are both
>needed/correct? /sbin/fixfiles seems to want 'SELINUXTYPE'...
>5. I manually copied /etc/selinux/conf from /etc/sysconfig/selinux. Does
>that provide the correct info/format?
>
>System is up and running in strict/enforcing mode. I will later try to
>install selinux-policy-targeted*.
>
>tom
>--
>fedora-selinux-list mailing list
>fedora-selinux-list@xxxxxxxxxx
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
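Added here as an example (not from either post): a POSIX sh pre-flight check for the two failure modes in this thread, the 'Enforcing mode requested, but no policy loaded' halt and the /etc/sysconfig/selinux vs /etc/selinux/config drift. It takes the config path, the SELinux root directory and the policy version as arguments so it can run against constructed files; the ROOT/TYPE/policy/policy.VERS layout is taken from the load_policy line in the reload.out above, and everything else is an assumption.

```shell
#!/bin/sh
# Added example, not from the list post. Run before booting with
# enforcing=1: init loads ROOT/TYPE/policy/policy.VERS (see load_policy in
# reload.out); if that file is missing and enforcing is requested, the
# kernel halts at init. On a real box the arguments would be
# /etc/selinux/config, /etc/selinux and "$(cat /selinux/policyvers)".

# Print the value of KEY= from a sysconfig-style file (last setting wins,
# comments and trailing text ignored); prints nothing if the key is absent.
selinux_cfg_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 when two config files (e.g. /etc/sysconfig/selinux and
# /etc/selinux/config) agree on SELINUX= and SELINUXTYPE=.
selinux_configs_agree() {
    [ "$(selinux_cfg_value SELINUX "$1")" = "$(selinux_cfg_value SELINUX "$2")" ] &&
    [ "$(selinux_cfg_value SELINUXTYPE "$1")" = "$(selinux_cfg_value SELINUXTYPE "$2")" ]
}

# selinux_preflight CONFIG SELINUX_ROOT POLICYVERS
#   0: a binary policy exists for the configured type; enforcing is safe to request
#   1: SELINUX= missing or not one of enforcing/permissive/disabled
#   2: SELINUXTYPE= missing (fixfiles and load_policy both need it)
#   3: no policy at ROOT/TYPE/policy/policy.VERS (the halt-at-init case)
selinux_preflight() {
    cfg=$1; root=$2; vers=$3
    mode=$(selinux_cfg_value SELINUX "$cfg")
    ptype=$(selinux_cfg_value SELINUXTYPE "$cfg")
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "$cfg: SELINUX= is '$mode', expected enforcing/permissive/disabled" >&2
           return 1 ;;
    esac
    if [ -z "$ptype" ]; then
        echo "$cfg: SELINUXTYPE= is missing" >&2
        return 2
    fi
    policy=$root/$ptype/policy/policy.$vers
    if [ ! -f "$policy" ]; then
        echo "no policy at $policy: booting enforcing=1 would halt at init" >&2
        return 3
    fi
    echo "ok: $mode/$ptype, policy $policy present"
}
```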