Selinux installation: Policy Problem, Xorg crashes.

[drawable]

Hello!

I tried to setup selinux. So I installed

Code: Select all

selinux-basics selinux-policy-default selinux-utils 

and activated it with

Code: Select all

selinux-activate

. When i try to check the config i get.

Code: Select all

getfilecon:  getfilecon(/proc/1) failed
SELinux is not enabled.
Could not read the domain of PID 1

Edit: Clearly selinux must be enabled first. However, when i restart, selinux lables my files and i get this error, in xorg.log:

Code: Select all

[    22.767] (WW) file_contexts:  line 0 has invalid context system_u:object_r:seclabel_xproperty_t:s0
[    22.768] SELinux: a property label lookup failed!
[    22.768]
Fatal server error:
[    22.768] SELinux: Failed to set label property on window!
[    22.768]
[    22.768]
Please consult the The X.Org Foundation support
         at http://wiki.x.org
 for help.
[    22.768] Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[    22.768]
[    22.768] (II) AIGLX: Suspending AIGLX clients for VT switch
[    22.784] Server terminated with error (1). Closing log file.

There are two ways for labeling files: the recommendet one, with the

Code: Select all

/.autorelabel

file (through init) and another one by using

Code: Select all

fixfiles relabel

Source: http://www.centos.org/docs/5/html/5.2/D ... label.html. However, Iam not sure, if this is a policy related bug, or a file labeling related bug. This here http://readlist.com/lists/tycho.nsa.gov ... 16643.html is quite similar, but its from 02.02.2010 and the author said he fixed it (by the way the default policy in wheezy is the same as in sid.

[Revenger]

You must have done something wrong. I installed selinux on squeeze, and X, even Gnome worked without problems. (Even through gnome is not configured for selinux use on squeeze).

http://wiki.debian.org/SELinux/Setup

[drawable]

Well, i checked the page you mentioned, removed selinux entirely, reinstalled it and configured it according to the page. Still i get the same error. This is strange and i think about asking about this on another forum.

Edit: When i login as root, xorg is not configured. When i check my selinux installation, everything seems fine (no output at all). When i grep for the attribute

Code: Select all

ls -Z -R / | grep system_u:object_r:seclabel_xproperty_t:s0

i dont find it. Now i installed the source and will grep there, than disable it there and hopefully the policy wont be screwed. Could someone check if he has a file with that attribute? Thanks!

P.S.: I am googling for the issue and guess what pops up -- yes, my post.

[drawable]

This is from the user mailing list of selinux. I have nothing to add.

> I installed debian wheezy and tried to configure selinux. I followed the
> directions posted in the Debian Wiki [1] and activated selinux through

At this time SE Linux is not expected to work on Wheezy. Bugs have been filed
and I'll fix it as soon as I get time.

Squeeze works pretty well.

If you have some time to contribute to SE Linux development then that would be
great! Otherwise SE Linux on Wheezy is not for you at the moment.

I leave this topic as unsolved, so if someone has this problem too, he/she could contribute (to this topic) and if someone finds a solution to this particular issue he/she knows whom to tell. Thank you.

[masuch]

I have exactly the same problem:

$ check-selinux-installation
getfilecon: getfilecon(/proc/1) failed
SELinux is not enabled.
Could not read the domain of PID 1.
/etc/pam.d/login is not SELinux enabled
Postfix init script is syncing the chroots.
Postfix has chrooted service in master.cf
FSCKFIX is not enabled - not serious, but could prevent system from booting...
udev will create nodes not labeled correctly

[BradChesney79]

You can get rid of the FSCKFIX line with this:

vi /etc/default/rcS

----------

#
# /etc/default/rcS
#
# Default settings for the scripts in /etc/rcS.d/
#
# For information about these variables see the rcS(5) manual page.
#
# This file belongs to the "initscripts" package.

# delete files in /tmp during boot older than x days.
# '0' means always, -1 or 'infinite' disables the feature
#TMPTIME=0

# spawn sulogin during boot, continue normal boot if not used in 30 seconds
#SULOGIN=no

# do not allow users to log in until the boot has completed
#DELAYLOGIN=no

# be more verbose during the boot process
#VERBOSE=no

# automatically repair filesystems with inconsistencies during boot
FSCKFIX=yes

---------