On Friday, January 29, 2016 13:47:39 Stephen Smalley wrote:
> On 01/29/2016 01:02 PM, Stephen Smalley wrote:
> > On 01/29/2016 12:25 PM, Thomas Downing wrote:
> >> Hi,
> >>
> >> I need to get SELinux running on an appliance we are building, not
> >> based on a distro that already supports SELinux.
> >>
> >> I've got all the userspace stuff built, (including setools3) without any
> >> warnings or errors. I followed instructions for installing and loading
> >> refpolicy, no warnings or errors. (Except the python tools, which all
> >> import selinux.py, which does not seem to be included in the source tree.)
> >>
> >> I'm booting with kernel options "security=selinux selinux=1", and
> >> dmesg shows SELinux initializing, and no errors or warnings.
> >>
> >> sestatus output:
> >>
> >> SELinux status: enabled
> >> SELinuxfs mount: /sys/fs/selinux
> >> SELinux root directory: /etc/selinux
> >> Loaded policy name: refpolicy
> >> Current mode: permissive
> >> Mode from config file: permissive
> >> Policy MLS status: disabled
> >> Policy deny_unknown status: denied
> >> Max kernel policy version: 30
> >>
> >> Problem is: fixfiles does not actually label anything, and the
> >> underlying reason is that none of the mounted disk filesystems
> >> (all ext4) have option 'seclabel'.
> >>
> >> Any pointers?
> >>
> >> Also, given the absence of the seclabel option, I question if the
> >> kernel part of SELinux is in fact really happy...and if it isn't,
> >> I'm dead in the water anyway.
> >
> > This implies that you haven't loaded a policy into the kernel. Normally
> > this is done by init; both sysvinit and systemd should already include
> > the necessary bits but you may have to enable them in your configure.
>
> Sorry, I didn't read that carefully enough - your sestatus output would
> suggest that you have loaded a policy.
>
> What's the actual output you got from SELinux during boot?
>
> What's your kernel version?

The only output I see in dmesg is:

[ 0.000557] SELinux: Initializing.
[ 0.000563] SELinux: Starting in permissive mode
[ 0.361186] SELinux: Registering netfilter hooks

The kernel stuff is 4.4.0 SMP x86_64 Intel Core i7-4800MQ CPU. If it
matters gcc is 5.3.0.

Thanks

td