On Friday, January 29, 2016 17:37:15 Joe Wulf wrote:
> What filesystem is applied to your disk and its various partitions? For this
> to work, that FS has to be one that supports SELinux labeling
> (seclabel). You are right---if what you are using doesn't support that, you
> are dead in the water (currently). What options do you have to change to an
> SELinux-compliant FS?

The disk partitions are all ext4.

cat /proc/config.gz | gunzip - | grep CONFIG_EXT4

yields:

CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_USE_FOR_EXT2=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y

as root, cat /proc/self/mounts | grep ext4

yields:

/dev/root / ext4 rw,relatime,data=ordered 0 0
/dev/sda5 /home ext4 rw,relatime,data=ordered 0 0
/dev/sda6 /var ext4 rw,relatime,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,data=ordered 0 0

Thanks

Thomas Downing.

>
> From: Thomas Downing <tdowning@xxxxxxxxxx>
> To: selinux@xxxxxxxxxxxxx
> Sent: Friday, January 29, 2016 12:25 PM
> Subject: Newbie question on fixfiles
>
> Hi,
>
> I need to get SELinux running on an appliance we are building, not based on
> a distro that already supports SELinux.
>
> I've got all the userspace stuff built, (including setools3) without any
> warnings or errors. I followed instructions for installing and loading
> refpolicy, no warnings or errors. (Except the python tools, which all
> import selinux.py, which does not seem to be included in the source tree.)
>
> I'm booting with kernel options "security=selinux selinux=1", and dmesg
> shows SELinux initializing, and no errors or warnings.
>
> sestatus output:
>
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             refpolicy
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              disabled
> Policy deny_unknown status:     denied
> Max kernel policy version:      30
>
> Problem is: fixfiles does not actually label anything, and the underlying
> reason is that none of the mounted disk filesystems (all ext4) have option
> 'seclabel'.
>
> Any pointers?
>
> Also, given the absence of the seclabel option, I question if the kernel
> part of SELinux is in fact really happy...and if it isn't, I'm dead in the
> water anyway.
>
> Thanks much,
>
> Thomas Downing
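
The check described in this thread (looking for the 'seclabel' option on each ext4 mount), as an added example that is not part of the original messages: it matches 'seclabel' as a whole option rather than as a substring, which a plain grep would not. The function names and the /dev/sdb1 and tmpfs sample lines are constructed for illustration; the other four sample lines are the mounts quoted above.

```shell
#!/bin/sh
# Added example: list mounts of a given filesystem type that lack 'seclabel'.
# Input format is that of /proc/self/mounts:
#   device mountpoint fstype options dump pass
# Spaces inside mount points appear there as \040, so splitting on
# whitespace is safe.

# unlabeled_mounts FSTYPE
# Reads mounts-format lines on stdin and prints the mount point of every
# FSTYPE mount whose comma-separated option list has no 'seclabel' entry.
unlabeled_mounts() {
    awk -v want="$1" '
        $3 == want {
            n = split($4, opts, ",")
            labeled = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "seclabel") labeled = 1   # exact match only
            if (!labeled) print $2
        }'
}

# sample_mounts
# Constructed input: the four ext4 lines from the thread, plus two
# made-up lines (a labeled ext4 mount and a tmpfs mount) for contrast.
sample_mounts() {
    cat <<'EOF'
/dev/root / ext4 rw,relatime,data=ordered 0 0
/dev/sda5 /home ext4 rw,relatime,data=ordered 0 0
/dev/sda6 /var ext4 rw,relatime,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,data=ordered 0 0
/dev/sdb1 /data ext4 rw,seclabel,relatime,data=ordered 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
}

# Stand-alone run over the embedded sample.
echo "ext4 mounts without seclabel:"
sample_mounts | unlabeled_mounts ext4
```

On a live system the same function can be fed the real table with `unlabeled_mounts ext4 < /proc/self/mounts`.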