How to enable selinux in Fedora 24?

I've just deployed a fresh Fedora 24 server, and it tells me SELINUX is disabled:

[mike@msg-plan ~]$ sestatus
SELinux status:                 disabled

However, it should be enabled:

[mike@msg-plan ~]$ cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

What steps do I need to take, in order to enable selinux?

10 Replies

As near as I can tell the Linode kernel and/or boot settings have SELinux disabled/not explicitly enabled: # CONFIG_SECURITY_SELINUX is not set

cat /proc/config.gz | gunzip > running.config && cat running.config

Hmm I have the same request, but for CentOS 7. Why doesn't Linode provide us with a choice to use a kernel which does provide selinux support? This shouldn't be that big of a job?

Linode doesn't offer a kernel with SELinux enabled, but you're free to set one up that does! This guide should get you there with CentOS 7:

https://www.linode.com/docs/tools-reference/custom-kernels-distros/custom-compiled-kernel-with-pvgrub-centos-7

Hey sohsoh5,

Thanks for your answer. I already found that guide. Imho it is a lot of work and not worth spending my time to create a custom compiled kernel. SELinux is a critical part of CentOS 7, which should be at least an optional feature when deploying or rebuilding a Linode.

Could you please consider making an official feature request to integrate an SELinux supporting kernel in the Linode Manager?

Grtz

Willem

Instead of a custom kernel, you can install the distribution-supplied kernel and switch to it: https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-distribution-supplied-kernel-with-kvm

Hey AlexFornuto,

Again thanks for the link. I hadn't seen that one yet. But this is again a very lengthy procedure which is not easily automated, as it requires a lot of changes, including a reboot and changing config in the Linode Manager.

I still don't understand why there is no way to just select the default OS-provided kernel while deploying or rebuilding. This shouldn't be so much work for a team with so much Linux experience? Again, is it possible to make a feature request for this or are you really telling me this can't be done?

Willem

I'll be the one to say it :mrgreen: In the time it took to type the above messages you would have been done. With the exception of planning for a reboot. I truly cannot recall a platform that gives more choices. They may not be default choices but given a few clicks and a dnf issue it's simple enough. Would you prefer a container?

willemdh, I've noted your request and included it as part of a discussion on our use of vanilla kernels.

In case anyone else is looking to install the original kernel on CentOS 7, here are the instructions I use:

  • Install the kernel, run:
    yum install kernel.x86_64 grub2
  • Create or edit the file /etc/default/grub:
    GRUB_TIMEOUT=10
    GRUB_CMDLINE_LINUX="console=ttyS0,19200n8"
    GRUB_DISABLE_LINUX_UUID=true
    GRUB_SERIAL_COMMAND="serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1"
  • Generate a grub configuration, run:
    mkdir -p /boot/grub
    grub2-mkconfig -o /boot/grub/grub.cfg
  • Final step, in your Linode Configuration Profile, set the Kernel option to GRUB 2. Reboot :)

There is one catch: every time you update your kernel via yum/dnf, you have to re-run the last command.
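
A way to run the kernel-config check from the first reply and to confirm the result after switching to the distribution kernel, as an added example that is not part of the thread or of Linode's documentation. The function names and verdict strings are made up for this example, and it goes slightly beyond the thread by also checking for the `selinux=0` boot parameter and falling back to `/boot/config-<release>` when `/proc/config.gz` is absent.

```shell
#!/bin/sh
# Added example: explain why sestatus can say "disabled" while
# /etc/selinux/config says SELINUX=enforcing. Paths are parameters so the
# same logic runs on the live system or on saved copies of the files.

# Print the SELINUX= value from an SELinux config file.
configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if the kernel config (plain text or gzip) has SELinux built in.
kernel_has_selinux() {
    { gzip -dc "$1" 2>/dev/null || cat "$1"; } |
        grep '^CONFIG_SECURITY_SELINUX=y' >/dev/null
}

# Succeed if the kernel command line switches SELinux off with selinux=0.
cmdline_disables() {
    tr ' ' '\n' < "$1" | grep -x 'selinux=0' >/dev/null
}

# diagnose SELINUX_CONFIG KERNEL_CONFIG CMDLINE -> prints "verdict: reason"
diagnose() {
    mode=$(configured_mode "$1")
    if [ ! -r "$2" ]; then
        echo "unknown: cannot read kernel config $2"
    elif ! kernel_has_selinux "$2"; then
        echo "no-kernel-support: config requests '$mode' but the kernel was built without CONFIG_SECURITY_SELINUX"
    elif cmdline_disables "$3"; then
        echo "boot-disabled: kernel supports SELinux but selinux=0 is on the command line"
    elif [ -z "$mode" ] || [ "$mode" = disabled ]; then
        echo "config-disabled: kernel supports SELinux but the config file does not enable it"
    else
        echo "ok: kernel supports SELinux and config requests '$mode'"
    fi
}

# Live check. /proc/config.gz needs CONFIG_IKCONFIG_PROC; distribution
# kernels usually ship /boot/config-<release> instead.
if [ "${1:-}" = "--live" ]; then
    kcfg=/proc/config.gz
    [ -r "$kcfg" ] || kcfg="/boot/config-$(uname -r)"
    diagnose /etc/selinux/config "$kcfg" /proc/cmdline
fi
```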
