SELinux is not enabled
I installed SELinux on Ubuntu using the command:
sudo apt-get install selinux
The config file in /etc/selinux contains the following information:
SELINUX=permissive
SELINUXTYPE=default
SETLOCALDEFS=0
But I am not able to set SELinux. When I check using the sestatus -v command, it gives the output:
SELINUX is disabled
How should I enable my SELinux?
When I use the command seinfo, it gives the following output:
ERROR: policydb version 26 does not match my version range 15-24
ERROR: Unable to open policy /etc/selinux/default/policy/policy.26.
ERROR: Input/output error
The check-selinux-installation command gives the following output:
../proc/1 kernel..
SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled
FSCKFIX is not enabled - not serious, but could prevent system from booting...
udev will create nodes not labeled correctly
Please help
selinux
edited May 18 '14 at 19:45
user282924
asked May 18 '14 at 19:41
user282924
The check-selinux-installation command gives the following output: ../proc/1 kernel.. SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly
– user282924
May 18 '14 at 19:44
Have you rebooted the machine after installing SELinux?
– cioby23
May 18 '14 at 19:56
Maybe this problem is possible because in Debian Jessie there does not exist a selinux-policy-default?
– kinunt
Jul 5 '17 at 16:20
2 Answers
This error might be because you are running AppArmor along with SELinux. AppArmor is installed by default in Ubuntu. You can't use 2 LSMs (Linux security modules) at the same time. You need to remove AppArmor if you wish to use SELinux.
See an answer here: Is it a bad idea to run SELinux and AppArmor at the same time?
edited Apr 13 '17 at 12:23
Community♦
answered May 18 '14 at 20:02
cioby23
Thanks, after I uninstalled apparmor I was able to enable selinux and reboot my system. But now a problem: I downloaded the ref policy code from the site below. oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy And after I built the policy code (as mentioned on the site), I changed my config file as below: SELINUX=enforcing SELINUXTYPE=refpolicy Again I was not able to reboot my system. Please help
– user282924
May 26 '14 at 11:01
check-selinux-installation gives the following error: getfilecon: getfilecon(/proc/1) failed SELinux is not enabled. Could not read the domain of PID 1. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly
– user282924
May 26 '14 at 18:49
Check sestatus; if it returns enabled then it's working fine. Also enter the command grep FSC /etc/default/rcS. If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file, uncomment the line and set it to yes (like this: FSCKFIX=yes), then save and exit gedit. After editing the file, re-entering the command grep FSC /etc/default/rcS should return FSCKFIX=yes. If the command check-selinux-installation returns just /etc/pam.d/login is not SELinux enabled then it's fine and the above return is a false positive.
– cioby23
May 27 '14 at 6:34
FSCKFIX problem is fixed. Now when I run the check-selinux-installation command, it gives the following error: .. /proc/1 kernel... The init process (PID 1) is running in an incorrect domain. I am not able to enable SELINUX (I installed 3.9 kernel also). Please help.
– user282924
Jun 8 '14 at 10:34
There is one more problem: the /selinux folder is empty. How can I get its contents back, as without it I can get my system booted once I enable SELINUX. Please help
– user282924
Jun 15 '14 at 19:13
An absurdly old question, but it helped me track my problem down partially, so I'm adding another response.
Not only do you need to remove AppArmor like cioby23 says, but there are some extra steps received from the upstream Debian that aren't well documented at all. Here are the commands to convert a standard Ubuntu system (16.04.6 for me) to use SELinux in Permissive mode using the standard provided packages:
# make sure you have the most up-to-date info
apt-get update
apt-get dist-upgrade
# disable and remove apparmor
/etc/init.d/apparmor stop
apt-get remove apparmor
# install SELinux
apt-get install selinux
# install the missing dependency
apt-get install auditd
# install the activate tool required to make it work
apt-get install selinux-basics
# missing manual step to actually make SELinux work (part of selinux-basics)
selinux-activate
# need to restart for it to take effect
shutdown now
Personally, I discovered that selinux-activate has to be run manually from a discussion on the upstream Debian (https://unix.stackexchange.com/questions/136988/whats-missing-with-my-selinux-installation).
It solved the exact problem of the wrong context on PID 1, which also presents as a getfilecon error.
EDIT1: Update language to avoid confusion on policy naming.
EDIT2: Split up the commands with better descriptions for each
edited 3 hours ago
answered 4 hours ago
mtalexan
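A read-only triage of the state this thread describes (config says permissive, sestatus says disabled), added here as an example and not part of either answer. The function names and the ROOT path prefix are hypothetical; it assumes the boot parameters added by selinux-activate include security=selinux and that the policy's type for init is init_t, as in the reference policy.

```shell
#!/bin/bash
# Added example: why is SELinux "disabled" although /etc/selinux/config is set?
# Every function takes ROOT, a path prefix, so the checks can run against a
# copied or constructed tree; an empty ROOT inspects the running system.

# Value of SELINUX= in etc/selinux/config (empty if file or key is missing).
config_mode() {
    local f="$1/etc/selinux/config"
    [ -r "$f" ] || { echo ""; return 0; }
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$f" | tail -n 1
}

# True when the booted kernel command line selects SELinux as the LSM
# (assumption: this is what selinux-activate arranges through GRUB).
cmdline_selects_selinux() {
    local f="$1/proc/cmdline" words
    [ -r "$f" ] || return 1
    words=" $(tr '\n' ' ' < "$f") "
    case "$words" in *" selinux=0 "*) return 1 ;; esac
    case "$words" in *" security=selinux "*) return 0 ;; esac
    return 1
}

# True when the AppArmor LSM is active in the running kernel.
apparmor_active() {
    local f="$1/sys/module/apparmor/parameters/enabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Directory where selinuxfs is mounted, or nothing. Older systems (such as
# the one in the question) used /selinux, newer ones use /sys/fs/selinux.
selinuxfs_dir() {
    local d
    for d in "$1/sys/fs/selinux" "$1/selinux"; do
        if [ -e "$d/enforce" ]; then echo "$d"; return 0; fi
    done
    return 0
}

# Security context of PID 1, or nothing if it cannot be read.
pid1_context() {
    local f="$1/proc/1/attr/current"
    [ -r "$f" ] || return 0
    tr -d '\0\n' < "$f" 2>/dev/null || true
}

# Prints one verdict line: "enabled-..." or "disabled: <findings>".
selinux_diagnose() {
    local root="${1%/}" mode dir ctx findings=""
    dir=$(selinuxfs_dir "$root")
    if [ -n "$dir" ]; then
        ctx=$(pid1_context "$root")
        case "$ctx" in
            ""|*:init_t|*:init_t:*) ;;   # unreadable, or the expected type
            *) echo "enabled-init-wrong-domain"; return 0 ;;
        esac
        if [ "$(cat "$dir/enforce" 2>/dev/null)" = "1" ]; then
            echo "enabled-enforcing"
        else
            echo "enabled-permissive"
        fi
        return 0
    fi
    mode=$(config_mode "$root")
    case "$mode" in
        "")       findings="$findings config-missing" ;;
        disabled) findings="$findings config-disabled" ;;
    esac
    if apparmor_active "$root"; then findings="$findings apparmor-active"; fi
    if ! cmdline_selects_selinux "$root"; then
        findings="$findings boot-params-missing"
    fi
    echo "disabled:${findings:- no-cause-found}"
}

# Inspect the live system unless SELINUX_ROOT points at another tree.
selinux_diagnose "${SELINUX_ROOT:-}"
```

A verdict of enabled-init-wrong-domain corresponds to the "PID 1 is running in an incorrect domain" message quoted in the question: the policy is loaded but init never left its boot-time context.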