selinux January 2010 archive
selinux: Cannot go to enforcing

Cannot go to enforcing

From: AlannY <m_at_nospam>
Date: Sun Jan 31 2010 - 16:05:44 GMT

Hi there. Still trying to go to enforcing in Archlinux.

First of all, my `sestatus -v`:

    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          permissive
    Policy version:                 24
    Policy from config file:        refpolicy

    Process contexts:
    Current context:                user_u:user_r:user_t:s0
    Init context:                   system_u:system_r:init_t:s0
    /sbin/agetty                    system_u:system_r:getty_t:s0

    File contexts:
    Controlling term:               user_u:object_r:user_tty_device_t:s0
    /etc/passwd                     system_u:object_r:etc_t:s0
    /etc/shadow                     system_u:object_r:shadow_t:s0
    /bin/bash                       system_u:object_r:shell_exec_t:s0
    /bin/login                      system_u:object_r:login_exec_t:s0
    /bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
    /sbin/agetty                    system_u:object_r:getty_exec_t:s0
    /sbin/init                      system_u:object_r:init_exec_t:s0
    /lib/                           system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0

I'm using the latest refpolicy with build.conf as in Fedora:

    TYPE = mcs
    NAME = refpolicy
    DISTRO = redhat
    UNK_PERMS = allow
    UBAC = n
    MCS_CATS = 1024

I want to make the system work as Fedora does. But, when I'm in enforcing in Fedora I have:

    %# id -Z

On Archlinux I have:

    %# id -Z


    %# su
    %# setenforce

I cannot

    %# ls

Error: Permission denied. With a non-root user I can `ls` the directory. After `exit` from the current user, nothing shows (it must show another login prompt), the system hangs and I can only reboot it and boot in permissive.

    %# audit2allow -d

#============= chkpwd_t ==============
allow chkpwd_t tmpfs_t:dir search;

#============= getty_t ==============
allow getty_t tmpfs_t:dir search;

#============= sysadm_t ==============
allow sysadm_t file_t:chr_file { read write };

#============= user_su_t ==============
allow user_su_t default_context_t:file { read getattr open };
allow user_su_t init_t:unix_stream_socket connectto;
allow user_su_t security_t:security compute_user;
allow user_su_t tmpfs_t:dir search;
allow user_su_t tmpfs_t:sock_file write;

#============= user_t ==============
allow user_t self:capability { sys_ptrace dac_override };

What should I do next? To repeat: I want an SELinux system in Archlinux that works like Fedora.

Thanks for patience.
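Added example, not from the original post and not the audit2allow tool itself: a POSIX shell function that regroups raw AVC denial records into the per-source-type allow listing that `audit2allow -d` produced above, so the denials behind each rule can be reviewed before any policy is written. The sample records are constructed to mirror the chkpwd_t, getty_t and user_t rules from the mail; permission sets come out alphabetically rather than in audit2allow's order of appearance.

```shell
# Added example, not from the original post: regroup raw AVC denial records into
# the audit2allow-style listing shown in the mail, one section per source type,
# so the denials behind each rule can be reviewed before any policy is written.
# Sample records below are constructed, not from the original mail.
SAMPLE_AVC='type=AVC msg=audit(1264953944.101:12): avc:  denied  { search } for  pid=1201 comm="agetty" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1264953944.102:13): avc:  denied  { search } for  pid=1205 comm="unix_chkpwd" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1264953944.103:14): avc:  denied  { dac_override } for  pid=1300 comm="ls" capability=1 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability
type=AVC msg=audit(1264953944.104:15): avc:  denied  { sys_ptrace } for  pid=1300 comm="ls" capability=19 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability'

# avc_to_allow: read AVC records on stdin, print grouped allow rules on stdout.
avc_to_allow() {
  # Pass 1 emits one "source target class perm" tuple per denied permission;
  # pass 2 merges them per (source, target, class) and prints one section per source.
  awk '
    /avc: +denied/ {
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      scon = ""; tcon = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) scon = substr($i, 10)
        if ($i ~ /^tcontext=/) tcon = substr($i, 10)
        if ($i ~ /^tclass=/)   cls  = substr($i, 8)
      }
      if (scon == "" || tcon == "" || cls == "") next
      split(scon, s, ":"); split(tcon, t, ":")
      tgt = (scon == tcon) ? "self" : t[3]  # audit2allow writes self when contexts match
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print s[3], tgt, cls, p[j]
    }' | sort -u |
  awk '
    {
      key = $1 SUBSEP $2 SUBSEP $3
      if (key in perms) perms[key] = perms[key] " " $4
      else { order[++n] = key; perms[key] = $4 }
    }
    END {
      for (i = 1; i <= n; i++) {
        split(order[i], k, SUBSEP)
        if (k[1] != last) { if (i > 1) print ""; print "#============= " k[1] " =============="; last = k[1] }
        pl = perms[order[i]]
        if (pl ~ / /) pl = "{ " pl " }"
        print "allow " k[1] " " k[2] ":" k[3] " " pl ";"
      }
    }'
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

On a live system, feed it `dmesg | grep avc` or `ausearch -m avc` instead of the constructed sample.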