On 2014-08-13 16:28, Robert Moskowitz wrote:
On 08/13/2014 11:08 AM, Gordan Bobic wrote:
On 2014-08-13 15:57, Robert Moskowitz wrote:
On 08/13/2014 10:35 AM, Gordan Bobic wrote:
On 2014-08-13 15:04, Robert Moskowitz wrote:
On 08/13/2014 09:50 AM, Gordan Bobic wrote:
On 2014-08-13 14:39, Robert Moskowitz wrote:
On 08/12/2014 05:19 PM, Gordan Bobic wrote:
On 08/12/2014 09:56 PM, Robert Moskowitz wrote:
So I go to do my first semanage after installing selinux-policy and
rebooting then installing policycoreutils-python:
semanage port -a -t ssh_port_t -p tcp nnnn
and get the error:
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
So what else is needed?
It could be a number of things. Have you loaded a policy? What
do you get from:
semodule -l
If you touch /.autorelabel and reboot that might fix it.
If you are still getting a problem, this thread has a reasonable
summary of other possible issues:
Have you looked at this page for possible solutions?
http://en.it-usenet.org/thread/16387/2623/
So first I checked that the F19 base I used had working SELinux, and
it did. Then I rebooted my RSEL and went to this thread and tried the
first check discussed:
# sestatus
SELinux status: disabled
Well I guess we know where to start! Something important is probably
NOT installed. When I asked here what to install to get SELinux and
was told to install selinux-policy which I did. It seems that is not
enough. Further in the message starting the thread, the following
modules are listed:
kernel26-selinux-2.6.31
selinux-coreutils-7.6
selinux-pam-1.1.0
refpolicy-2.20091117
selinux-sysvinit-2.86
checkpolicy-2.0.20
libselinux-2.0.89
libsemanage-2.0.42
libsepol-2.0.41
selinux-usr-policycoreutils-2.0.77
sepolgen-1.0.18
Which of these are part of the base tarball? Which do I need to add?
First things first - do you have a file called:
/etc/selinux/config
and does it contain lines:
SELINUX=enabled
SELINUXTYPE=targeted
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Secondly, try:
cat /tmp/packages <<EOF
kernel-selinux
selinux-coreutils
selinux-pam
refpolicy
selinux-sysvinit
checkpolicy
libselinux
libsemanage
libsepol
selinux-usr-policycoreutils
sepolgen
EOF
This did not work, it failed with:
cat: /tmp/packages: No such file or directory
So I used my cat magic I learned over on the postfix list:
cat <<EOF>/tmp/packages || exit 1
And that built the temp file.
yum install `cat /tmp/packages`
and see if that installs anything additional.
Houston, we have a problem:
Setting up Install Process
No package kernel-selinux available.
No package selinux-coreutils available.
No package selinux-pam available.
No package refpolicy available.
No package selinux-sysvinit available.
Package checkpolicy-2.0.22-1.el6.armv5tel already installed and latest version
Package libselinux-2.0.94-5.el6.armv5tel already installed and latest version
Package libsemanage-2.0.43-4.2.el6.armv5tel already installed and latest version
Package libsepol-2.0.41-4.el6.armv5tel already installed and latest version
No package selinux-usr-policycoreutils available.
No package sepolgen available.
Nothing to do
That's probably because F19 is 7 generations newer than EL6, so the
package names have changed somewhat. On EL6 I have these:
$ rpm -qa | grep selinux | sort
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-231.el6_5.1.noarch
selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
So that should be all that's required. The chances are it's a
configuration issue somewhere, but I'm not sure where it might be.
I've not used selinux on ARM because none of the kernels that
ship with any of my devices have selinux built in.
So where do I go ask for help? I don't think the Fedora-arm list is
the place, nor do I think the Centos list is the place to go to.
An SELinux specific mailing list seems appropriate, if there is
such a thing.
And it could just be that this mismatch is the cause for things not to
start up right.
What mismatch are you referring to? Comparing F19 to EL6 is not
particularly meaningful.
I mean perhaps the call names have changed, and so there is no way to
get the EL6 SELinux working with the F19 kernel. But so much else
works. But SELinux is really embedded in the kernel; or so someone
once told me.
It's plausible. I don't know.
BTW, what do you get from:
# selinuxenabled
# echo $?
?
If it is enabled that should say 0, if it is disabled it should say 1.
1
If it is disabled then it sounds like selinux wasn't initialized.
Does your kernel come with an initrd? If so, that may be worth
investigating.
How do I know?
You'll have to unpack the uboot partition and look what's in it.
I don't know off the top of my head what bootstrapping
process SELinux undergoes during the initial sysinit (something must
check the contents of /etc/selinux/config and act accordingly),
possibly before the rootfs gets mounted rw.
I am thinking of asking this on the centos-arm list, as that will be
work on the F19 kernel...
But it will be related to EL7 userspace not EL6.
Gordan
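
Added example (not part of the original thread, and not either poster's own commands): a small shell triage for the "sestatus says disabled" situation discussed above. It reads SELINUX= from the config file and checks whether the running kernel registered selinuxfs. The function names and result labels are illustrative assumptions, and the /proc/filesystems check is an extra step the thread does not mention.

```sh
#!/bin/sh
# Added example: triage for "sestatus says disabled" on a system like the one above.
# Function names and result labels are illustrative assumptions.

# Print the last uncommented value of KEY (SELINUX or SELINUXTYPE) in a config file.
selinux_cfg_value() {   # $1 = key, $2 = config file
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# The config file's own comments document exactly three values for SELINUX=.
selinux_mode_valid() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# A kernel with SELinux built in and enabled at boot lists selinuxfs in
# /proc/filesystems ($1 = a file in that format).
kernel_has_selinuxfs() {
    grep -q '[[:space:]]selinuxfs$' "$1"
}

# Print one result label for a config file ($1) and a filesystems list ($2).
selinux_triage() {
    mode=$(selinux_cfg_value SELINUX "$1")
    if ! selinux_mode_valid "$mode"; then
        echo "config-invalid"          # missing or undocumented SELINUX= value
    elif [ "$mode" = disabled ]; then
        echo "config-disabled"
    elif ! kernel_has_selinuxfs "$2"; then
        echo "kernel-no-selinux"       # userspace packages cannot fix this
    else
        echo "config-and-kernel-ok"    # next suspect: policy load during early boot
    fi
}

# On a live system, check the real files.
if [ -r /etc/selinux/config ] && [ -r /proc/filesystems ]; then
    selinux_triage /etc/selinux/config /proc/filesystems
fi
```

A result of kernel-no-selinux means no amount of yum installs will turn SELinux on; the kernel itself has to change.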