
#1 2009-10-01 04:55:10

Yaro
Member
Registered: 2009-04-03
Posts: 154

Can't figure out SELinux.

I am trying to get SELinux to work. I was pointed to the Gentoo SELinux
Handbook, allegedly a very definitive document on how to work with SELinux. I am
in the HOWTO section and I can't do any of this stuff without turning up an
error.

For example, the VERY FIRST STEP, it tells me to run the following command:

semodule -B

I do so. Instead of working, SELinux demonstrates its typical hatred of all
humanity with the following output:

semodule: SELinux policy is not managed or store cannot be accessed.

So my question, is there ANY way to make this security framework designed by
technical sadists in the NSA a lot easier to use or am I out of luck?

Anyone have any clue how to actually use SELinux? Or do I have to buy a big,
long book on this needlessly and overly complex security framework?


#2 2009-10-01 06:20:00

deej
Member
Registered: 2008-02-08
Posts: 395

Re: Can't figure out SELinux.

You could check the Fedora forums... they've had SELinux working on Fedora
for a while now.

Deej


#3 2009-10-01 07:08:27

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Can't figure out SELinux.

I agree that it's a sadistic and painful piece of kit -- that's why I always disable it.

But nevertheless, the standard Arch kernel doesn't include SELinux AFAIK:

fukawi2 ~  $ zgrep SELINUX /proc/config.gz 
# CONFIG_SECURITY_SELINUX is not set

Have you compiled your own kernel?


#4 2010-04-22 16:01:33

partner55083777
Member
Registered: 2010-02-02
Posts: 10

Re: Can't figure out SELinux.

Sorry to dig up this old thread, but I was having this same problem and I found a solution to this.

You have to have a modular SELinux policy to be able to use semanage.  So, if you are following the wiki article about SELinux (http://wiki.archlinux.org/index.php/SELinux), you have to change the file /etc/selinux/refpolicy/src/policy/build.conf to have the option

MONOLITHIC = n

Also, you have to make sure to run semanage as root.


One problem I am having is that when I boot up, a lot of things in /dev/ are labeled as lib_t.  For instance, /dev/null is system_u:object_r:lib_t, instead of system_u:object_r:null_device_t.

So, when I boot up,

# ls -laZ /dev/null 
crw-rw-rw-. 1 root root system_u:object_r:lib_t 1, 3 Apr 22 08:02 /dev/null

But,

# semanage fcontext -l | grep null
/dev/full                                          character device   system_u:object_r:null_device_t 
/dev/null                                          character device   system_u:object_r:null_device_t

So this is fixed if I run `restorecon -r /`.  Does restorecon have to be run after every bootup?

Last edited by partner55083777 (2010-04-22 16:11:01)
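An added example (not code from the thread or from the Arch wiki) that checks the two things the post above describes: whether a refpolicy build.conf is set to a modular build (MONOLITHIC = n, which is what semodule/semanage need to access the policy store), and which /dev nodes carry an on-disk label that differs from the fcontext entries. The build.conf fragment, the `ls -laZ` lines and the `semanage fcontext -l` lines are constructed samples in the same layout the post shows, so the script runs on a machine without SELinux; on a real system you would feed it the live command output instead.

```shell
#!/bin/sh
# Constructed fragment of /etc/selinux/refpolicy/src/policy/build.conf (still monolithic)
BUILD_CONF_SAMPLE='TYPE = standard
NAME = refpolicy
MONOLITHIC = y'

# Constructed `ls -laZ` output; /dev/null and /dev/zero carry the wrong lib_t label
LS_Z_SAMPLE='crw-rw-rw-. 1 root root system_u:object_r:lib_t 1, 3 Apr 22 08:02 /dev/null
crw-rw-rw-. 1 root root system_u:object_r:null_device_t 1, 7 Apr 22 08:02 /dev/full
crw-rw-rw-. 1 root root system_u:object_r:lib_t 1, 5 Apr 22 08:02 /dev/zero'

# Constructed `semanage fcontext -l` output: path, file type, expected context
FCONTEXT_SAMPLE='/dev/full    character device   system_u:object_r:null_device_t
/dev/null    character device   system_u:object_r:null_device_t
/dev/zero    character device   system_u:object_r:zero_device_t'

# policy_is_modular BUILD_CONF_TEXT -> exit 0 only when MONOLITHIC is set to n
policy_is_modular() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*MONOLITHIC[[:space:]]*=[[:space:]]*n[[:space:]]*$'
}

# find_mislabeled LS_Z_TEXT FCONTEXT_TEXT
# Prints one line per path whose on-disk label differs from the policy's entry:
#   <path> <actual label> <expected label>
find_mislabeled() {
    printf '%s\n' "$1" | awk -v fc="$2" '
    BEGIN {
        n = split(fc, lines, "\n")
        for (i = 1; i <= n; i++) {
            m = split(lines[i], f, /[ \t]+/)
            if (m >= 2) expected[f[1]] = f[m]   # last field is the context
        }
    }
    # ls -laZ columns: mode links user group context major, minor date time path
    ($NF in expected) && ($5 != expected[$NF]) { print $NF, $5, expected[$NF] }'
}

if policy_is_modular "$BUILD_CONF_SAMPLE"; then
    echo "build.conf: modular policy, semodule/semanage can use the store"
else
    echo "build.conf: MONOLITHIC is not n; set MONOLITHIC = n and rebuild the policy"
fi
find_mislabeled "$LS_Z_SAMPLE" "$FCONTEXT_SAMPLE"
```

Each path the second function prints is one that `restorecon` would relabel; running the comparison after boot tells you whether the labels were lost again rather than relabeling the whole filesystem blindly.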

