Patrick McNeal wrote:
I'm new to SELinux, and have been banging my head against the wall on how to change from the targeted to the strict policy on my Fedora 7 box. I just figured out how to do it, and thought that it would be a good thing to have in the archive so others might more easily find a solution.
1 - Install the strict policy using the package manager. I used selinux-policy-strict-2.6.4-29.fc.noarch.
2 - Using the SELinux Administration tool, set the "system default policy type" to "strict".
3 - Set the "system default enforcing mode" to "permissive".
4 - Check "Relabel on next reboot".
5 - Reboot
If you leave enforcing mode set to the default of "enforcing" you'll get this error on reboot:
/sbin/init: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Permission denied
Kernel panic - not syncing: Attempted to kill init!
Note, you can also make these changes via the command line by editing /etc/selinux/config, setting up a relabel by touching /.autorelabel, and rebooting.
Hope that helps someone.
--Patrick
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You need to boot first in permissive mode to allow relabeling to happen, then reboot in enforcing mode.
Or just setenforce 1 after the first boot.
At the kernel boot line you can just enter enforcing=0 to boot in permissive mode.
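
Added example, not part of the original thread: a shell function for the command-line route mentioned above (edit /etc/selinux/config, touch /.autorelabel, reboot). The function name stage_policy_switch and its arguments are hypothetical; it assumes each installed policy has its directory beside the config file (for example /etc/selinux/strict) and that the file already contains SELINUX= and SELINUXTYPE= lines.

```shell
#!/bin/sh
# stage_policy_switch CONFIG ROOT TYPE   (hypothetical helper, added example)
#   CONFIG  SELinux config file (/etc/selinux/config on a real system)
#   ROOT    filesystem root that receives .autorelabel ("/" on a real system)
#   TYPE    policy type to select, e.g. strict
# The mode is always staged as permissive: booting the new policy in
# enforcing mode before the relabel gives the init failure quoted above.
stage_policy_switch() {
    config=$1 root=$2 ptype=$3
    # Accept only simple policy names so the value is safe inside sed.
    case $ptype in
        ''|*[!A-Za-z0-9_-]*) echo "bad policy type" >&2; return 2 ;;
    esac
    [ -f "$config" ] || { echo "no such config: $config" >&2; return 1; }
    # The policy package must be installed before it is selected.
    [ -d "$(dirname "$config")/$ptype" ] || {
        echo "policy '$ptype' is not installed" >&2; return 2; }
    tmp=$(mktemp) || return 1
    # Rewrite only the two active keys; comments and other lines pass through.
    sed -e 's/^SELINUX=.*/SELINUX=permissive/' \
        -e "s/^SELINUXTYPE=.*/SELINUXTYPE=$ptype/" "$config" > "$tmp" || return 1
    # Stop if either key was absent, rather than leaving a half-edited file.
    grep -q '^SELINUX=permissive$' "$tmp" &&
        grep -q "^SELINUXTYPE=$ptype\$" "$tmp" || {
        rm -f "$tmp"; echo "SELINUX/SELINUXTYPE line missing" >&2; return 3; }
    cp "$config" "$config.bak" || return 1
    # Write in place so the file keeps its owner, mode and label.
    cat "$tmp" > "$config" && rm -f "$tmp" || return 1
    # Ask for a full relabel on the next boot.
    : > "${root%/}/.autorelabel"
}
# Real system, as root:  stage_policy_switch /etc/selinux/config / strict
# then reboot; after the relabel boot, switch to enforcing (setenforce 1).
```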