From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Fri, 20 Feb 2009 09:14:27 -0500
Subject: [refpolicy] ext3 security labels missing
In-Reply-To:
References:
Message-ID: <1235139267.6285.14.camel@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-02-19 at 23:04 -0800, Justin Mattock wrote:
> I've a strange issue.
> with my experimental learning machine(LFS)
> I'm able to load the policy etc.. but have no labels
> on my files.(just a question mark);
>
>
> ls -lZ shows
>
> drwxr-xr-x   2 root root ?  4096 Feb 18 11:19 bin
> drwxr-xr-x   3 root root ?  4096 Feb 19 22:36 boot
> lrwxrwxrwx   1 root  999 ?    11 Feb  9 16:34 cdrom -> media/cdrom
> drwxr-xr-x  17 root root ?  4120 Feb 19 22:42 dev
> drwxr-xr-x  28 root root ?  4096 Feb 19 22:47 etc
> drwxr-xr-x   4 root root ?  4096 Feb 19 22:36 home
> drwxr-xr-x   4 root root ?  4096 Feb 18 11:19 include
> drwxr-xr-x  10 root root ?  4096 Feb 19 18:52 lib
> drwx------   2 root root ? 16384 Feb  9 16:34 lost+found
> drwxr-xr-x   3 root root ?  4096 Feb 19 22:42 media
> drwxr-xr-x   3 root root ?  4096 Feb 11 12:09 mnt
> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 opt
> dr-xr-xr-x 113 root root ?     0 Feb 19 22:42 proc
> drwxr-xr-x   5 root root ?  4096 Feb 18 11:24 root
> drwxr-xr-x   2 root root ?  4096 Feb 19 21:11 sbin
> drwxr-xr-x   7 root root ?     0 Feb 19 22:42 selinux
> drwxr-xr-x   8 root root ?  4096 Feb 18 11:19 share
> drwxr-xr-x   2 root root ?  4096 Feb 10 09:54 srv
> drwxr-xr-x  12 root root ?     0 Feb 19 22:42 sys
> drwxrwxrwt   5 root root ?  4096 Feb 19 22:50 tmp
> drwxr-xr-x   6 root root ?  4096 Feb 11 12:05 tools
> drwxr-xr-x  14 root root ?  4096 Feb 14 10:09 usr
> drwxr-xr-x  10 root root ?  4096 Feb 18 22:31 var
> lrwxrwxrwx   1 root root ?    24 Feb 10 13:11 vmlinuz -> /boot/vmlinuz-2.6.29-rc4
>
> if I do a id -Z I get:
> id: --context (-Z) works only on an SELinux-enabled kernel
> (but it is enabled in the kernel)

sestatus shows what?

To be fully "enabled" as far as userspace is concerned, SELinux has to
be:
- enabled in your kernel build,
- enabled at boot,
- policy has to be loaded

    grep SELINUX .config
    cat /etc/selinux/config
    dmesg | grep SELinux

> From looking back, I enabled as much as possible in any app/lib I was compiling
> that provided selinux support.(libc,xserver,hal,dbus, etc..);
> But could be missing an important app/lib that might make the security labels
> give the proper label. by chance if anybody had experienced this and/or knows
> what might be going on,(would be really appreciated).
>
> regards;
>
> --

Stephen Smalley
National Security Agency
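
The three checks in the reply above, as an added example that is not part of the original message: a shell function that reads a saved kernel .config, /etc/selinux/config and dmesg output, and reports the first of the three conditions that is not met. The function name, the verdict strings and the matched log wording are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): classify SELinux state from the three
# artifacts named above. File arguments let it run on saved copies offline.
# Assumption: the matched dmesg strings follow common kernel/audit wording.

# selinux_state KERNEL_CONFIG SELINUX_CONFIG DMESG_LOG -> prints one verdict
selinux_state() {
    kcfg=$1; scfg=$2; dlog=$3

    # 1. Enabled in the kernel build
    grep -q '^CONFIG_SECURITY_SELINUX=y' "$kcfg" 2>/dev/null ||
        { echo "not-built"; return 0; }

    # 2. Enabled at boot: not turned off by the config file or at boot time
    if grep -q '^SELINUX=disabled' "$scfg" 2>/dev/null ||
       grep -q 'SELinux:.*Disabled at boot' "$dlog" 2>/dev/null; then
        echo "disabled-at-boot"; return 0
    fi
    grep -q 'SELinux:.*Initializing' "$dlog" 2>/dev/null ||
        { echo "not-initialized"; return 0; }

    # 3. Policy loaded (audit record type 1403 reports the load)
    grep -q 'policy loaded' "$dlog" 2>/dev/null ||
        { echo "no-policy-loaded"; return 0; }

    echo "enabled"
}

# Constructed sample: kernel built with SELinux and initialized, no policy load.
demo() {
    d=$(mktemp -d) || return 1
    printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_SELINUX=y\n' > "$d/kconfig"
    printf 'SELINUX=permissive\nSELINUXTYPE=refpolicy\n' > "$d/seconfig"
    printf 'Security Framework initialized\nSELinux:  Initializing.\n' > "$d/dmesg"
    selinux_state "$d/kconfig" "$d/seconfig" "$d/dmesg"
    rm -rf "$d"
}
demo   # prints: no-policy-loaded
```

On a live system, save the kernel log first (dmesg > dmesg.txt) and pass the three paths in the same order.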