Well, I guess I must have misunderstood the development-option.
The way I thought it to work was that it provides the kernel-parameter enforcing=... but that I can still set SELinux to run in permissive mode through /etc/selinux/config.
So that's not the case, right?

Just recompiled the kernel with CONFIG_SECURITY_SELINUX_DEVELOP set and now it seems to work.

Thanks a lot!

On Wednesday 20 May 2009 22:59:13 Stephen Smalley wrote:
> On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
> > Okay, here we go:
> >
> > I unmounted /selinux and then got this:
> > load_policy: Can't load policy: Invalid argument
> >
> > I attached my kernel-config and the two traces (trace1 for the "Device or
> > resource busy"-error, trace2 for the "Invalid argument"-error).
>
> Ahem. Your kernel config has these SELinux options:
> CONFIG_SECURITY_SELINUX=y
> # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
> # CONFIG_SECURITY_SELINUX_DISABLE is not set
> # CONFIG_SECURITY_SELINUX_DEVELOP is not set
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
>
> Note that your kernel config does not support:
> 1) The selinux= kernel boot parameter
> (CONFIG_SECURITY_SELINUX_BOOTPARAM),
> 2) The ability to disable SELinux from /sbin/init based on
> SELINUX=disabled in /etc/selinux/config
> (CONFIG_SECURITY_SELINUX_DISABLE),
> 3) Permissive mode (CONFIG_SECURITY_SELINUX_DEVELOP)
>
> Is that what you intended? IOW, you cannot boot permissive, and the
> load policy logic is failing when it tries to switch to permissive mode
> (write to /selinux/enforce).
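The mismatch diagnosed in this thread, a mode requested in /etc/selinux/config that the kernel build cannot honour, can be checked before booting. The script below is an added example, not code from the thread or from the SELinux project; the function names `has_opt` and `selinux_mode_check`, and the choice to read the last `SELINUX=` line, are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the SELINUX= mode in an selinux config file with the
# SELinux options compiled into a kernel (.config or /boot/config-* file).
# Usage: sh check.sh KERNEL_CONFIG SELINUX_CONFIG

# has_opt FILE NAME: true if CONFIG_SECURITY_SELINUX_<NAME>=y appears in FILE.
# A line such as "# CONFIG_..._DEVELOP is not set" does not match.
has_opt() {
    grep -q "^CONFIG_SECURITY_SELINUX_$2=y\$" "$1"
}

# Returns 0 if the requested mode is supported, 1 on a mismatch,
# 2 if the inputs cannot be evaluated.
selinux_mode_check() {
    kcfg=$1
    scfg=$2
    if ! grep -q '^CONFIG_SECURITY_SELINUX=y$' "$kcfg"; then
        echo "kernel built without SELinux"
        return 2
    fi
    # Assumption of this example: use the last uncommented SELINUX= line.
    # SELINUXTYPE= lines are not matched because '=' must follow SELINUX.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$scfg" | tail -n 1)
    case $mode in
        enforcing)
            echo "ok: enforcing needs no extra kernel option"; return 0 ;;
        permissive)
            if has_opt "$kcfg" DEVELOP; then
                echo "ok: permissive supported (DEVELOP=y)"; return 0
            fi
            echo "mismatch: permissive requested, CONFIG_SECURITY_SELINUX_DEVELOP is not set"
            return 1 ;;
        disabled)
            if has_opt "$kcfg" DISABLE; then
                echo "ok: runtime disable supported (DISABLE=y)"; return 0
            fi
            echo "mismatch: disabled requested, CONFIG_SECURITY_SELINUX_DISABLE is not set"
            return 1 ;;
        *)
            echo "no recognised SELINUX= line in $scfg"; return 2 ;;
    esac
}

# Run only when called with both file arguments.
if [ "$#" -eq 2 ]; then
    selinux_mode_check "$1" "$2"
fi
```

A return value of 1 with the kernel options quoted above and `SELINUX=permissive` corresponds to the failed write to /selinux/enforce described in the thread.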