SELinux is not enabled












4















I installed SELINUX on ubuntu using the command:



sudo apt-get install selinux


config file in /etc/selinux contain following information



SELINUX=permissive

SELINUXTYPE=default

SETLOCALDEFS=0


But i am not able to set selinux, when I check using sestatus -v command
it gives output



SELINUX is disabled


How should I enable my SELINUX?



When I use command seinfo. it gives following output



ERROR: policydb version 26 does not match my version range 15-24
ERROR: Unable to open policy /etc/selinux/default/policy/policy.26.
ERROR: Input/output error


check-selinux-installation command gives following output
../proc/1 kernel..



SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled
FSCKFIX is not enabled - not serious, but could prevent system from booting...
udev will create nodes not labeled correctly



Please help










share|improve this question

























  • check-selinux-installation command gives following output ../proc/1 kernel.. SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

    – user282924
    May 18 '14 at 19:44













  • Have you rebooted the machine after installing SELinux ?

    – cioby23
    May 18 '14 at 19:56











  • May be this problem possible because in Debian Jessie there not exist a selinux-policy-default?

    – kinunt
    Jul 5 '17 at 16:20
















4















I installed SELINUX on ubuntu using the command:



sudo apt-get install selinux


config file in /etc/selinux contain following information



SELINUX=permissive

SELINUXTYPE=default

SETLOCALDEFS=0


But i am not able to set selinux, when I check using sestatus -v command
it gives output



SELINUX is disabled


How should I enable my SELINUX?



When I use command seinfo. it gives following output



ERROR: policydb version 26 does not match my version range 15-24
ERROR: Unable to open policy /etc/selinux/default/policy/policy.26.
ERROR: Input/output error


check-selinux-installation command gives following output
../proc/1 kernel..



SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled
FSCKFIX is not enabled - not serious, but could prevent system from booting...
udev will create nodes not labeled correctly



Please help










share|improve this question

























  • check-selinux-installation command gives following output ../proc/1 kernel.. SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

    – user282924
    May 18 '14 at 19:44













  • Have you rebooted the machine after installing SELinux ?

    – cioby23
    May 18 '14 at 19:56











  • May be this problem possible because in Debian Jessie there not exist a selinux-policy-default?

    – kinunt
    Jul 5 '17 at 16:20














4












4








4


1






I installed SELINUX on ubuntu using the command:



sudo apt-get install selinux


config file in /etc/selinux contain following information



SELINUX=permissive

SELINUXTYPE=default

SETLOCALDEFS=0


But i am not able to set selinux, when I check using sestatus -v command
it gives output



SELINUX is disabled


How should I enable my SELINUX?



When I use command seinfo. it gives following output



ERROR: policydb version 26 does not match my version range 15-24
ERROR: Unable to open policy /etc/selinux/default/policy/policy.26.
ERROR: Input/output error


check-selinux-installation command gives following output
../proc/1 kernel..



SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled
FSCKFIX is not enabled - not serious, but could prevent system from booting...
udev will create nodes not labeled correctly



Please help










share|improve this question
















I installed SELINUX on ubuntu using the command:



sudo apt-get install selinux


config file in /etc/selinux contain following information



SELINUX=permissive

SELINUXTYPE=default

SETLOCALDEFS=0


But i am not able to set selinux, when I check using sestatus -v command
it gives output



SELINUX is disabled


How should I enable my SELINUX?



When I use command seinfo. it gives following output



ERROR: policydb version 26 does not match my version range 15-24
ERROR: Unable to open policy /etc/selinux/default/policy/policy.26.
ERROR: Input/output error


check-selinux-installation command gives following output
../proc/1 kernel..



SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled
FSCKFIX is not enabled - not serious, but could prevent system from booting...
udev will create nodes not labeled correctly



Please help







selinux






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 18 '14 at 19:45







user282924

















asked May 18 '14 at 19:41









user282924user282924

21114




21114













  • check-selinux-installation command gives following output ../proc/1 kernel.. SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

    – user282924
    May 18 '14 at 19:44













  • Have you rebooted the machine after installing SELinux ?

    – cioby23
    May 18 '14 at 19:56











  • May be this problem possible because in Debian Jessie there not exist a selinux-policy-default?

    – kinunt
    Jul 5 '17 at 16:20



















  • check-selinux-installation command gives following output ../proc/1 kernel.. SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

    – user282924
    May 18 '14 at 19:44













  • Have you rebooted the machine after installing SELinux ?

    – cioby23
    May 18 '14 at 19:56











  • May be this problem possible because in Debian Jessie there not exist a selinux-policy-default?

    – kinunt
    Jul 5 '17 at 16:20

















check-selinux-installation command gives following output ../proc/1 kernel.. SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

– user282924
May 18 '14 at 19:44







check-selinux-installation command gives following output ../proc/1 kernel.. SELinux is not enabled. The init process (PID 1) is running in an incorrect domain. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

– user282924
May 18 '14 at 19:44















Have you rebooted the machine after installing SELinux ?

– cioby23
May 18 '14 at 19:56





Have you rebooted the machine after installing SELinux ?

– cioby23
May 18 '14 at 19:56













May be this problem possible because in Debian Jessie there not exist a selinux-policy-default?

– kinunt
Jul 5 '17 at 16:20





May be this problem possible because in Debian Jessie there not exist a selinux-policy-default?

– kinunt
Jul 5 '17 at 16:20










2 Answers
2






active

oldest

votes


















1














This error might be because you are running AppArmor along with SELinux. AppArmor is installed by default in Ubuntu. You can't use 2 LSM (Linux security modules) at the same time. You need to remove AppArmor if you wish yo use SELinux



See an aswer here: Is it a bad idea to run SELinux and AppArmor at the same time?






share|improve this answer


























  • Thanks after I unstalled apparmor I was able to enable selinux and reboot my system. But now probelm, I downloaded the code from ref policy code from below site. oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy And after I built policy code (as mentioned on site). I changed my config file to as below : SELINUX=enforcing SELINUXTYPE=refpolicy Again I was not able to reboot my system.Please help

    – user282924
    May 26 '14 at 11:01













  • check-selinux-installation gives following error getfilecon: getfilecon(/proc/1) failed SELinux is not enabled. Could not read the domain of PID 1. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

    – user282924
    May 26 '14 at 18:49











  • Check sestatus if it returns enabled then it's working fine. Also enter the command grep FSC /etc/default/rcS If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file uncomment the line and set it to yes (like this FSCKFIX=yes) then save and exit gedit. After editing the file re-enter the command grep FSC /etc/default/rcS should return FSCKFIX=yes if the command check-selinux-installation returns just /etc/pam.d/login is not SELinux enabled then it's fine and the above return is a false positive.

    – cioby23
    May 27 '14 at 6:34











  • FSCKFIX probelm is fixed. now when I run check-selinux-installation command. It gives following error. .. /proc/1 kernel... The init process (PID 1) is running in an incorrect domain. I am not able to enable SELINUX(I installed 3.9 kernel also). Please help.

    – user282924
    Jun 8 '14 at 10:34













  • There is one more probelm that /selinux folder is empty. How can I get it contents back as without it i can get my system booted once I enable SELINUX. Please help

    – user282924
    Jun 15 '14 at 19:13



















0














An absurdly old question, but it helped me track my problem down partially, so I'm adding another response.



Not only do you need to remove AppArmor like cioby23 says, but there are some extra steps received from the upstream Debian that aren't well documented at all. Here are the commands to convert a standard Ubuntu system (16.04.6 for me) to use SELinux in Permissive mode using the standard provided packages:



# make sure you have the most up-to-date info
apt-get update
apt-get dist-upgrade

#disable and remove apparmor
/etc/init.d/apparmor stop
apt-get remove apparmor

#install SELinux
apt-get install selinux

# install the missing dependency
apt-get install auditd

# install the activate tool required to make it work
apt-get install selinux-basics

#missing manual step to actually make SELinux work (part of selinux-basics)
selinux-activate

# need to restart for it to take effect
shutdown now


Personally I discovered that the selinux-activate has to be run manually from a discussion on the upstream Debian (https://unix.stackexchange.com/questions/136988/whats-missing-with-my-selinux-installation).

It solved the exact problem of the wrong context on PID 1, which also presents as a getfilecon error.



EDIT1: Update language to avoid confusion on policy naming.
EDIT2: Split up the commands with better descriptions for each






share|improve this answer

























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f468821%2fselinux-is-not-enabled%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    This error might be because you are running AppArmor along with SELinux. AppArmor is installed by default in Ubuntu. You can't use 2 LSM (Linux security modules) at the same time. You need to remove AppArmor if you wish yo use SELinux



    See an aswer here: Is it a bad idea to run SELinux and AppArmor at the same time?






    share|improve this answer


























    • Thanks after I unstalled apparmor I was able to enable selinux and reboot my system. But now probelm, I downloaded the code from ref policy code from below site. oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy And after I built policy code (as mentioned on site). I changed my config file to as below : SELINUX=enforcing SELINUXTYPE=refpolicy Again I was not able to reboot my system.Please help

      – user282924
      May 26 '14 at 11:01













    • check-selinux-installation gives following error getfilecon: getfilecon(/proc/1) failed SELinux is not enabled. Could not read the domain of PID 1. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

      – user282924
      May 26 '14 at 18:49











    • Check sestatus if it returns enabled then it's working fine. Also enter the command grep FSC /etc/default/rcS If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file uncomment the line and set it to yes (like this FSCKFIX=yes) then save and exit gedit. After editing the file re-enter the command grep FSC /etc/default/rcS should return FSCKFIX=yes if the command check-selinux-installation returns just /etc/pam.d/login is not SELinux enabled then it's fine and the above return is a false positive.

      – cioby23
      May 27 '14 at 6:34











    • FSCKFIX probelm is fixed. now when I run check-selinux-installation command. It gives following error. .. /proc/1 kernel... The init process (PID 1) is running in an incorrect domain. I am not able to enable SELINUX(I installed 3.9 kernel also). Please help.

      – user282924
      Jun 8 '14 at 10:34













    • There is one more probelm that /selinux folder is empty. How can I get it contents back as without it i can get my system booted once I enable SELINUX. Please help

      – user282924
      Jun 15 '14 at 19:13
















    1














    This error might be because you are running AppArmor along with SELinux. AppArmor is installed by default in Ubuntu. You can't use 2 LSM (Linux security modules) at the same time. You need to remove AppArmor if you wish yo use SELinux



    See an aswer here: Is it a bad idea to run SELinux and AppArmor at the same time?






    share|improve this answer


























    • Thanks after I unstalled apparmor I was able to enable selinux and reboot my system. But now probelm, I downloaded the code from ref policy code from below site. oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy And after I built policy code (as mentioned on site). I changed my config file to as below : SELINUX=enforcing SELINUXTYPE=refpolicy Again I was not able to reboot my system.Please help

      – user282924
      May 26 '14 at 11:01













    • check-selinux-installation gives following error getfilecon: getfilecon(/proc/1) failed SELinux is not enabled. Could not read the domain of PID 1. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

      – user282924
      May 26 '14 at 18:49











    • Check sestatus if it returns enabled then it's working fine. Also enter the command grep FSC /etc/default/rcS If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file uncomment the line and set it to yes (like this FSCKFIX=yes) then save and exit gedit. After editing the file re-enter the command grep FSC /etc/default/rcS should return FSCKFIX=yes if the command check-selinux-installation returns just /etc/pam.d/login is not SELinux enabled then it's fine and the above return is a false positive.

      – cioby23
      May 27 '14 at 6:34











    • FSCKFIX probelm is fixed. now when I run check-selinux-installation command. It gives following error. .. /proc/1 kernel... The init process (PID 1) is running in an incorrect domain. I am not able to enable SELINUX(I installed 3.9 kernel also). Please help.

      – user282924
      Jun 8 '14 at 10:34













    • There is one more probelm that /selinux folder is empty. How can I get it contents back as without it i can get my system booted once I enable SELINUX. Please help

      – user282924
      Jun 15 '14 at 19:13














    1












    1








    1







    This error might be because you are running AppArmor along with SELinux. AppArmor is installed by default in Ubuntu. You can't use 2 LSM (Linux security modules) at the same time. You need to remove AppArmor if you wish yo use SELinux



    See an aswer here: Is it a bad idea to run SELinux and AppArmor at the same time?






    share|improve this answer















    This error might be because you are running AppArmor along with SELinux. AppArmor is installed by default in Ubuntu. You can't use 2 LSM (Linux security modules) at the same time. You need to remove AppArmor if you wish yo use SELinux



    See an aswer here: Is it a bad idea to run SELinux and AppArmor at the same time?







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Apr 13 '17 at 12:23









    Community

    1




    1










    answered May 18 '14 at 20:02









    cioby23cioby23

    2,155912




    2,155912













    • Thanks after I unstalled apparmor I was able to enable selinux and reboot my system. But now probelm, I downloaded the code from ref policy code from below site. oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy And after I built policy code (as mentioned on site). I changed my config file to as below : SELINUX=enforcing SELINUXTYPE=refpolicy Again I was not able to reboot my system.Please help

      – user282924
      May 26 '14 at 11:01













    • check-selinux-installation gives following error getfilecon: getfilecon(/proc/1) failed SELinux is not enabled. Could not read the domain of PID 1. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

      – user282924
      May 26 '14 at 18:49











    • Check sestatus if it returns enabled then it's working fine. Also enter the command grep FSC /etc/default/rcS If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file uncomment the line and set it to yes (like this FSCKFIX=yes) then save and exit gedit. After editing the file re-enter the command grep FSC /etc/default/rcS should return FSCKFIX=yes if the command check-selinux-installation returns just /etc/pam.d/login is not SELinux enabled then it's fine and the above return is a false positive.

      – cioby23
      May 27 '14 at 6:34











    • FSCKFIX probelm is fixed. now when I run check-selinux-installation command. It gives following error. .. /proc/1 kernel... The init process (PID 1) is running in an incorrect domain. I am not able to enable SELINUX(I installed 3.9 kernel also). Please help.

      – user282924
      Jun 8 '14 at 10:34













    • There is one more probelm that /selinux folder is empty. How can I get it contents back as without it i can get my system booted once I enable SELINUX. Please help

      – user282924
      Jun 15 '14 at 19:13



















    • Thanks after I unstalled apparmor I was able to enable selinux and reboot my system. But now probelm, I downloaded the code from ref policy code from below site. oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy And after I built policy code (as mentioned on site). I changed my config file to as below : SELINUX=enforcing SELINUXTYPE=refpolicy Again I was not able to reboot my system.Please help

      – user282924
      May 26 '14 at 11:01













    • check-selinux-installation gives following error getfilecon: getfilecon(/proc/1) failed SELinux is not enabled. Could not read the domain of PID 1. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

      – user282924
      May 26 '14 at 18:49











    • Check sestatus if it returns enabled then it's working fine. Also enter the command grep FSC /etc/default/rcS If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file uncomment the line and set it to yes (like this FSCKFIX=yes) then save and exit gedit. After editing the file re-enter the command grep FSC /etc/default/rcS should return FSCKFIX=yes if the command check-selinux-installation returns just /etc/pam.d/login is not SELinux enabled then it's fine and the above return is a false positive.

      – cioby23
      May 27 '14 at 6:34











    • FSCKFIX probelm is fixed. now when I run check-selinux-installation command. It gives following error. .. /proc/1 kernel... The init process (PID 1) is running in an incorrect domain. I am not able to enable SELINUX(I installed 3.9 kernel also). Please help.

      – user282924
      Jun 8 '14 at 10:34













    • There is one more probelm that /selinux folder is empty. How can I get it contents back as without it i can get my system booted once I enable SELINUX. Please help

      – user282924
      Jun 15 '14 at 19:13

















    Thanks after I unstalled apparmor I was able to enable selinux and reboot my system. But now probelm, I downloaded the code from ref policy code from below site. oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy And after I built policy code (as mentioned on site). I changed my config file to as below : SELINUX=enforcing SELINUXTYPE=refpolicy Again I was not able to reboot my system.Please help

    – user282924
    May 26 '14 at 11:01







    Thanks after I unstalled apparmor I was able to enable selinux and reboot my system. But now probelm, I downloaded the code from ref policy code from below site. oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy And after I built policy code (as mentioned on site). I changed my config file to as below : SELINUX=enforcing SELINUXTYPE=refpolicy Again I was not able to reboot my system.Please help

    – user282924
    May 26 '14 at 11:01















    check-selinux-installation gives following error getfilecon: getfilecon(/proc/1) failed SELinux is not enabled. Could not read the domain of PID 1. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

    – user282924
    May 26 '14 at 18:49





    check-selinux-installation gives following error getfilecon: getfilecon(/proc/1) failed SELinux is not enabled. Could not read the domain of PID 1. /etc/pam.d/login is not SELinux enabled FSCKFIX is not enabled - not serious, but could prevent system from booting... udev will create nodes not labeled correctly

    – user282924
    May 26 '14 at 18:49













    Check sestatus if it returns enabled then it's working fine. Also enter the command grep FSC /etc/default/rcS If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file uncomment the line and set it to yes (like this FSCKFIX=yes) then save and exit gedit. After editing the file re-enter the command grep FSC /etc/default/rcS should return FSCKFIX=yes if the command check-selinux-installation returns just /etc/pam.d/login is not SELinux enabled then it's fine and the above return is a false positive.

    – cioby23
    May 27 '14 at 6:34





    Check sestatus if it returns enabled then it's working fine. Also enter the command grep FSC /etc/default/rcS If it returns #FSCKFIX=no then use gedit or any other editing tool to edit the rcS file uncomment the line and set it to yes (like this FSCKFIX=yes) then save and exit gedit. After editing the file re-enter the command grep FSC /etc/default/rcS should return FSCKFIX=yes if the command check-selinux-installation returns just /etc/pam.d/login is not SELinux enabled then it's fine and the above return is a false positive.

    – cioby23
    May 27 '14 at 6:34













    FSCKFIX probelm is fixed. now when I run check-selinux-installation command. It gives following error. .. /proc/1 kernel... The init process (PID 1) is running in an incorrect domain. I am not able to enable SELINUX(I installed 3.9 kernel also). Please help.

    – user282924
    Jun 8 '14 at 10:34







    FSCKFIX probelm is fixed. now when I run check-selinux-installation command. It gives following error. .. /proc/1 kernel... The init process (PID 1) is running in an incorrect domain. I am not able to enable SELINUX(I installed 3.9 kernel also). Please help.

    – user282924
    Jun 8 '14 at 10:34















    There is one more probelm that /selinux folder is empty. How can I get it contents back as without it i can get my system booted once I enable SELINUX. Please help

    – user282924
    Jun 15 '14 at 19:13





    There is one more probelm that /selinux folder is empty. How can I get it contents back as without it i can get my system booted once I enable SELINUX. Please help

    – user282924
    Jun 15 '14 at 19:13













    0














    An absurdly old question, but it helped me track my problem down partially, so I'm adding another response.



    Not only do you need to remove AppArmor like cioby23 says, but there are some extra steps received from the upstream Debian that aren't well documented at all. Here are the commands to convert a standard Ubuntu system (16.04.6 for me) to use SELinux in Permissive mode using the standard provided packages:



    # make sure you have the most up-to-date info
    apt-get update
    apt-get dist-upgrade

    #disable and remove apparmor
    /etc/init.d/apparmor stop
    apt-get remove apparmor

    #install SELinux
    apt-get install selinux

    # install the missing dependency
    apt-get install auditd

    # install the activate tool required to make it work
    apt-get install selinux-basics

    #missing manual step to actually make SELinux work (part of selinux-basics)
    selinux-activate

    # need to restart for it to take effect
    shutdown now


    Personally I discovered that the selinux-activate has to be run manually from a discussion on the upstream Debian (https://unix.stackexchange.com/questions/136988/whats-missing-with-my-selinux-installation).

    It solved the exact problem of the wrong context on PID 1, which also presents as a getfilecon error.



    EDIT1: Update language to avoid confusion on policy naming.
    EDIT2: Split up the commands with better descriptions for each






    share|improve this answer






























      0














      An absurdly old question, but it helped me track my problem down partially, so I'm adding another response.



      Not only do you need to remove AppArmor like cioby23 says, but there are some extra steps received from the upstream Debian that aren't well documented at all. Here are the commands to convert a standard Ubuntu system (16.04.6 for me) to use SELinux in Permissive mode using the standard provided packages:



      # make sure you have the most up-to-date info
      apt-get update
      apt-get dist-upgrade

      #disable and remove apparmor
      /etc/init.d/apparmor stop
      apt-get remove apparmor

      #install SELinux
      apt-get install selinux

      # install the missing dependency
      apt-get install auditd

      # install the activate tool required to make it work
      apt-get install selinux-basics

      #missing manual step to actually make SELinux work (part of selinux-basics)
      selinux-activate

      # need to restart for it to take effect
      shutdown now


      Personally I discovered that the selinux-activate has to be run manually from a discussion on the upstream Debian (https://unix.stackexchange.com/questions/136988/whats-missing-with-my-selinux-installation).

      It solved the exact problem of the wrong context on PID 1, which also presents as a getfilecon error.



      EDIT1: Update language to avoid confusion on policy naming.
      EDIT2: Split up the commands with better descriptions for each






      share|improve this answer




























        0












        0








        0







        An absurdly old question, but it helped me track my problem down partially, so I'm adding another response.



        Not only do you need to remove AppArmor like cioby23 says, but there are some extra steps received from the upstream Debian that aren't well documented at all. Here are the commands to convert a standard Ubuntu system (16.04.6 for me) to use SELinux in Permissive mode using the standard provided packages:



        # make sure you have the most up-to-date info
        apt-get update
        apt-get dist-upgrade

        #disable and remove apparmor
        /etc/init.d/apparmor stop
        apt-get remove apparmor

        #install SELinux
        apt-get install selinux

        # install the missing dependency
        apt-get install auditd

        # install the activate tool required to make it work
        apt-get install selinux-basics

        #missing manual step to actually make SELinux work (part of selinux-basics)
        selinux-activate

        # need to restart for it to take effect
        shutdown now


        Personally I discovered that the selinux-activate has to be run manually from a discussion on the upstream Debian (https://unix.stackexchange.com/questions/136988/whats-missing-with-my-selinux-installation).

        It solved the exact problem of the wrong context on PID 1, which also presents as a getfilecon error.



        EDIT1: Update language to avoid confusion on policy naming.
        EDIT2: Split up the commands with better descriptions for each






        share|improve this answer















        An absurdly old question, but it helped me track my problem down partially, so I'm adding another response.



        Not only do you need to remove AppArmor like cioby23 says, but there are some extra steps received from the upstream Debian that aren't well documented at all. Here are the commands to convert a standard Ubuntu system (16.04.6 for me) to use SELinux in Permissive mode using the standard provided packages:



        # make sure you have the most up-to-date info
        apt-get update
        apt-get dist-upgrade

        #disable and remove apparmor
        /etc/init.d/apparmor stop
        apt-get remove apparmor

        #install SELinux
        apt-get install selinux

        # install the missing dependency
        apt-get install auditd

        # install the activate tool required to make it work
        apt-get install selinux-basics

        #missing manual step to actually make SELinux work (part of selinux-basics)
        selinux-activate

        # need to restart for it to take effect
        shutdown now


        Personally I discovered that the selinux-activate has to be run manually from a discussion on the upstream Debian (https://unix.stackexchange.com/questions/136988/whats-missing-with-my-selinux-installation).

        It solved the exact problem of the wrong context on PID 1, which also presents as a getfilecon error.



        EDIT1: Update language to avoid confusion on policy naming.
        EDIT2: Split up the commands with better descriptions for each







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 3 hours ago

























        answered 4 hours ago









        mtalexanmtalexan

        1516




        1516






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f468821%2fselinux-is-not-enabled%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            GameSpot

            日野市

            Tu-95轟炸機