Hi all,

I have a couple of cheap small machines (AMD Kabinis on AM1 boards -
cheap and old, but still interesting stuff) that I tried to convert from
hardened profile to hardened/selinux.

On two out of three, it works.

On a third one, I always get to boot into selinux disabled state (as
reported by getenforce or sestate).

I tried loading policy into kernel manually and it failed.
load_policy kept repeating that it needs to try with lesser selinux
policy version which it can't find.

I tried going through it with a debugger and have seen that it fails
to mount selinuxfs.

cat /proc/filesystems doesn't list selinuxfs, even though I clearly have
selinux support compiled in.

I thought that I might have screwed something else in .config, but that
doesn't seem to be the case. Kernel compiles and runs fine and same
.config is used on other two working machines.

Also, looking through kernel buffer doesn't show anything unusual.
selinux gets mentioned just twice in it - once when echoing "BOOT_IMAGE"
line and once when echoing kernel parameter line (both are practically
the same).

And nothing else. Just at the end of kernel initialisation, just before
systemd gets started, there are no audit lines that usually mark the
point where policy gets loaded.

No error, no info, nothing else.

Is it possible that the kernel itself switches selinux off if the
filesystem labels don't smell the right way or something similar?

In that case, I'd expect to see at least a notice, but this fails
silently...

BTW, failing machine is a local mini server, has a couple disks in RAID
and is often used, so I can't just simply disassemble it, swap the disks
with working ones and see what happens.
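
An added diagnostic, not part of the original post: a shell function that collects the boot-time facts the post checks by hand (the kernel parameter line and /proc/filesystems) plus the kernel's list of active LSMs, so the output can be diffed between a working machine and the failing one. The lsm= and security= parameters and /sys/kernel/security/lsm are not mentioned in the post and are included here as an assumption about what is worth comparing; the function and key names are made up for this example.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the original post. It prints key=value
# lines that can be diffed between a working and the failing machine.

# Print the last value of boot parameter $2 found in file $1, or "unset".
cmdline_value() {
    v=$(tr -s ' \t' '\n\n' < "$1" | sed -n "s/^$2=//p" | tail -n 1)
    echo "${v:-unset}"
}

# Arguments default to the live kernel's files; pass saved copies to analyse
# another machine offline.
selinux_boot_report() {
    cmdline_file=${1:-/proc/cmdline}
    fs_file=${2:-/proc/filesystems}
    lsm_file=${3:-/sys/kernel/security/lsm}

    # Boot parameters that decide whether SELinux initialises at all.
    echo "cmdline_selinux=$(cmdline_value "$cmdline_file" selinux)"
    echo "cmdline_lsm=$(cmdline_value "$cmdline_file" lsm)"
    echo "cmdline_security=$(cmdline_value "$cmdline_file" security)"

    # The kernel registers selinuxfs only when SELinux is enabled at boot.
    if grep -qw selinuxfs "$fs_file" 2>/dev/null; then
        echo "selinuxfs_registered=yes"
    else
        echo "selinuxfs_registered=no"
    fi

    # Comma-separated list of LSMs the running kernel initialised
    # (needs securityfs mounted; "unknown" if the file is unreadable).
    if [ -r "$lsm_file" ]; then
        case ",$(cat "$lsm_file")," in
            *,selinux,*) echo "lsm_selinux_active=yes" ;;
            *)           echo "lsm_selinux_active=no" ;;
        esac
    else
        echo "lsm_selinux_active=unknown"
    fi
}

# Usage on each machine:  selinux_boot_report > "selinux-$(hostname).txt"
```

A line that differs between the two reports (for example a different lsm= value, or selinux missing from the active list) narrows the search to the boot configuration rather than the policy or the filesystem labels.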