I found some threads in these forums about enabling SELinux on Raspbian, but only a few mentions about SELinux on Pidora (and no explanations about whether it really worked or not). So, my question is, does SELinux work on Pidora 18? I'm new to SELinux so I followed this document in order to set it up:
https://docs.fedoraproject.org/en-US/Fe ... Linux.html
However, after verifying that the necessary packages are installed and setting SELINUX=permissive in /etc/selinux/config, I reboot and nothing has changed. It does not appear to have relabeled my file system and getenforce still returns "Disabled." I don't see any mention of SELinux in /var/log/messages.
Re: SELinux on Pidora 18?
Hi,
I can tell you, it works.
Just enable selinux:
edit /etc/sysconfig/selinux
and change selinux=disabled to selinux=enforcing for hardening or selinux=permissive just for logging.
BUT:
- Your system will relabel your filesystem on the next reboot. This could take same time. Mine took about 45 Minutes. But usually, you just do it once. But if you ever disable and re-enable, it will do it again.
- Your system COULD be flooded with logging messages about avc-messages in /var/log/messages. Make sure, you have enough "Disk"-Space for your logging and think well about logrotating and keeping back your logs.
Cheers,
Roger
I can tell you, it works.
Just enable selinux:
edit /etc/sysconfig/selinux
and change selinux=disabled to selinux=enforcing for hardening or selinux=permissive just for logging.
BUT:
- Your system will relabel your filesystem on the next reboot. This could take same time. Mine took about 45 Minutes. But usually, you just do it once. But if you ever disable and re-enable, it will do it again.
- Your system COULD be flooded with logging messages about avc-messages in /var/log/messages. Make sure, you have enough "Disk"-Space for your logging and think well about logrotating and keeping back your logs.
Cheers,
Roger
Re: SELinux on Pidora 18?
oh, sorry, i think i did not read your post clearly.
What packages for selinux do you have installed? Is a policy there (called somewhat like selinux-policy-targeted).
Ruggerio
What packages for selinux do you have installed? Is a policy there (called somewhat like selinux-policy-targeted).
Ruggerio
Re: SELinux on Pidora 18?
Sorry for the long delay in my reply. After some frustration with Pidora, I switched to Raspbian for a while. However, I had even more problems with that distribution (most of them stemming from SD card incompatibility). Anyway, I'm back on Pidora and having the same problems with SELinux.
I checked the installed packages and found the following:
# rpm -qa | grep selinux
libselinux-python-2.1.12-7.fc18.1302272320kf.armv6hl
selinux-policy-devel-3.11.1-76.fc18.1302151755kf.noarch
selinux-policy-doc-3.11.1-76.fc18.1302151755kf.noarch
selinux-policy-targeted-3.11.1-76.fc18.1302151755kf.noarch
selinux-policy-3.11.1-76.fc18.1302151755kf.noarch
libselinux-2.1.12-7.fc18.1302272320kf.armv6hl
libselinux-utils-2.1.12-7.fc18.1302272320kf.armv6hl
# rpm -qa | grep policycoreutils
policycoreutils-2.1.13-56.fc18.armv6hl
policycoreutils-python-2.1.13-56.fc18.armv6hl
policycoreutils-devel-2.1.13-56.fc18.armv6hl
# rpm -qa | grep setroubleshoot
setroubleshoot-plugins-3.0.47-1.fc18.noarch
setroubleshoot-3.1.18-1.fc18.1302272212kf.armv6hl
setroubleshoot-server-3.1.18-1.fc18.1302272212kf.armv6hl
Still, when I set selinux to permissive/targeted in /etc/selinux/config and reboot, it does not label my file system, there are no messages to be found in /var/log/messages, and getenforce still returns 'Disabled'.
Is there something else that needs to be done aside from what's outlined in this article?
https://docs.fedoraproject.org/en-US/Fe ... Linux.html
EDIT: I also found several sources that suggested making a file named /.autorelabel before rebooting. I tried this but it didn't change the outcome.
I checked the installed packages and found the following:
# rpm -qa | grep selinux
libselinux-python-2.1.12-7.fc18.1302272320kf.armv6hl
selinux-policy-devel-3.11.1-76.fc18.1302151755kf.noarch
selinux-policy-doc-3.11.1-76.fc18.1302151755kf.noarch
selinux-policy-targeted-3.11.1-76.fc18.1302151755kf.noarch
selinux-policy-3.11.1-76.fc18.1302151755kf.noarch
libselinux-2.1.12-7.fc18.1302272320kf.armv6hl
libselinux-utils-2.1.12-7.fc18.1302272320kf.armv6hl
# rpm -qa | grep policycoreutils
policycoreutils-2.1.13-56.fc18.armv6hl
policycoreutils-python-2.1.13-56.fc18.armv6hl
policycoreutils-devel-2.1.13-56.fc18.armv6hl
# rpm -qa | grep setroubleshoot
setroubleshoot-plugins-3.0.47-1.fc18.noarch
setroubleshoot-3.1.18-1.fc18.1302272212kf.armv6hl
setroubleshoot-server-3.1.18-1.fc18.1302272212kf.armv6hl
Still, when I set selinux to permissive/targeted in /etc/selinux/config and reboot, it does not label my file system, there are no messages to be found in /var/log/messages, and getenforce still returns 'Disabled'.
Is there something else that needs to be done aside from what's outlined in this article?
https://docs.fedoraproject.org/en-US/Fe ... Linux.html
EDIT: I also found several sources that suggested making a file named /.autorelabel before rebooting. I tried this but it didn't change the outcome.
Re: SELinux on Pidora 18?
go in shell, as you've written you can 'touch / .autorelabel' which relabels your filesystem on reboot. or you can try as root 'fixfiles relabel' - perhaps your selinux doesn't know your policy.
What is the content of your /etc/selinux/config? Do you eventually have you selinux disabled at boot-time? Check this in your grub.cfg, if you have entries about selinux=0, you could delete this. Another point is not known by me, where you could suppress selinux...
usually, if getenforce shows disabled, this has no concern about policies and labels. it just shows, your selinux isn't working.
What is the content of your /etc/selinux/config? Do you eventually have you selinux disabled at boot-time? Check this in your grub.cfg, if you have entries about selinux=0, you could delete this. Another point is not known by me, where you could suppress selinux...
usually, if getenforce shows disabled, this has no concern about policies and labels. it just shows, your selinux isn't working.
Re: SELinux on Pidora 18?
The output from 'fixfiles relabel' is:
The content of /etc/selinux/config is:
I didn't think that the Raspberry Pi had a grub.cfg file. Does it? I ran 'find / -name grub.cfg' and it returned nothing.
Code: Select all
fixfiles: No suitable file systems found
secon: SELinux is not enabled
cat: /initial_contexts/unlabeled: No such file or directoryCode: Select all
SELINUX=disabled
SELINUXTYPE=targeted
Re: SELinux on Pidora 18?
Nah, the nearest equivalent is /boot/cmdline.txtspamdan wrote:I didn't think that the Raspberry Pi had a grub.cfg file. Does it? I ran 'find / -name grub.cfg' and it returned nothing.
Re: SELinux on Pidora 18?
The problem relies in your /etc/selinux/config
Change
Selinux=disabled
to
Selinux=permissive
or
Selinux=enforcing
Difference: permissive cries warnings, enforcing blocks. For the beginning, you won't have blocks
so start with enforcing. Its not just enough to set the policy, you must also set the selinux-mode.
...i've never became warm with selinux on the pi...
Change
Selinux=disabled
to
Selinux=permissive
or
Selinux=enforcing
Difference: permissive cries warnings, enforcing blocks. For the beginning, you won't have blocks
so start with enforcing. Its not just enough to set the policy, you must also set the selinux-mode....i've never became warm with selinux on the pi...
Re: SELinux on Pidora 18?
Roger,
I appreciate that you're trying to help, especially because nobody else has offered advice yet. However, I don't know what to make of your advice. In your first post, you claim "I can tell you, it works." which makes it sound like you've gotten it to work on the Raspberry Pi. But now you're saying "i've never became warm with selinux on the pi" which makes it sound like you haven't. Also, I have stated several times that I have set "SELINUX=permissive" in my /etc/selinux/config. But you keep telling me to do that. I don't mean to be rude, but I'm looking for someone who has experience configuring SELinux on Pidora 18. I'm also looking for new advice - not the same things that I have already tried. Thank you for trying, though.
-Dan
I appreciate that you're trying to help, especially because nobody else has offered advice yet. However, I don't know what to make of your advice. In your first post, you claim "I can tell you, it works." which makes it sound like you've gotten it to work on the Raspberry Pi. But now you're saying "i've never became warm with selinux on the pi" which makes it sound like you haven't. Also, I have stated several times that I have set "SELINUX=permissive" in my /etc/selinux/config. But you keep telling me to do that. I don't mean to be rude, but I'm looking for someone who has experience configuring SELinux on Pidora 18. I'm also looking for new advice - not the same things that I have already tried. Thank you for trying, though.
-Dan
Re: SELinux on Pidora 18?
Hi Dan,
2 things again to say:
- yes, i had it working
- and no, i didn't get warm, as the cost for logs and cputime are too high in my opinion. Even if you relabel your filesystem on boot, you will be near 45 minutes offline.
you tell, you have selinux=permissive, but in your post from the 21st of august, you copy/paste the contents of your /etc/selinux/config:
SELINUX=disabledSELINUXTYPE=targeted
so, what is now the truth, i han also be, that you changed it somewhere else than in above file? It will definitively not work if you have SELINUX=disabled in your /etc/selinux/config.
so, what is now the content of your /etc/selinux/config ? Did you change it back from permissive to disabled?
And check in /etc/sysconfig for the existence of a file/symlink called selinux. This is linked to /etc/selinux/config. There shouldn't be 2 different files.
you aren't rude, it's just your opinion.
2 things again to say:
- yes, i had it working
- and no, i didn't get warm, as the cost for logs and cputime are too high in my opinion. Even if you relabel your filesystem on boot, you will be near 45 minutes offline.
you tell, you have selinux=permissive, but in your post from the 21st of august, you copy/paste the contents of your /etc/selinux/config:
SELINUX=disabledSELINUXTYPE=targeted
so, what is now the truth, i han also be, that you changed it somewhere else than in above file? It will definitively not work if you have SELINUX=disabled in your /etc/selinux/config.
so, what is now the content of your /etc/selinux/config ? Did you change it back from permissive to disabled?
And check in /etc/sysconfig for the existence of a file/symlink called selinux. This is linked to /etc/selinux/config. There shouldn't be 2 different files.
you aren't rude, it's just your opinion.