From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 29 Oct 2016 18:24:06 +0200
Subject: [refpolicy] I want to use refpolicy in centos 7
In-Reply-To: <8dde386aff5e14f9d20bb3ec592cbea@cvwapp03.nm.nhnsystem.com>
References: <8dde386aff5e14f9d20bb3ec592cbea@cvwapp03.nm.nhnsystem.com>
Message-ID: <1477758246.1401.4.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi.

On Thu, 27/10/2016 at 17.21 +0900, ??? via refpolicy wrote:
> I install centos7 and use targeted policy
>
> But i want to use refpolicy for modifying policy so i did download
> using following steps
> 1. #git clone https://github.com/TresysTechnology/refpolicy.git
>
> 2. #cd refpolicy
> 3. #git submodule init
> 4. #git submodule update
> 5. Change build.conf file
> Type=mls
> NAME = refpolicy
> MONOLITHIC = y
> 6. #make install-src
> 7. cd /etc/selinux/refpolicy/src/policy/
> 8. #Make load
> 9. #Cd /etc/selinux and Change config file
> SELINUX = permissive
> SELINUXTYPE = refpolicy
> 10. #touch /.autorelabel
> 11. #Reboot
>
> After desktop is rebooted
> 12. #setenforce 1
> 13. ...... permission deny
> 14. #Sestatus
> ....
> Loaded policy name: targeted ???(refpolicy -> targeted)
> Current mode : enforcing
> ....
> Mode from config file : error (permission denied)???
>
> What should i do?
> Helps me...?

You should try rebooting in permissive mode by passing the enforcing=0 option before boot (if you are using the "grub" bootloader, press "e" during boot to edit kernel boot parameters).

On some systems, you might also try editing /etc/selinux/config and replacing "SELINUX=enforcing" with "SELINUX=permissive" (and then reboot), although that is not guaranteed to work with all systems.

Then once you have booted in permissive mode, you should inspect the audit log file (usually /var/log/audit.log) for SELinux permission denials (log lines containing the " denied " string) and from that you can understand what is going on (SELinux is denying some permissions needed to run your system).

I hope it helps.

Guido
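
The log inspection suggested in the reply above, as an added example that is not part of the original message: a Python sketch that picks the " denied " AVC lines out of audit log text and groups them by source type, target type and object class. The sample lines are constructed in the usual AVC record layout, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the poster's system).
SAMPLE_LOG = '''\
type=AVC msg=audit(1477758001.101:201): avc:  denied  { read } for  pid=612 comm="systemd-logind" name="config" dev="dm-0" ino=1311 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1477758001.102:202): avc:  denied  { open } for  pid=612 comm="systemd-logind" path="/etc/selinux/config" dev="dm-0" ino=1311 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1477758001.102:202): arch=c000003e syscall=2 success=yes exit=3 comm="systemd-logind"
type=AVC msg=audit(1477758002.300:210): avc:  denied  { search } for  pid=901 comm="sshd" name="root" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type[:level]; an MLS level may contain ':' too.
        key = (kv['scontext'].split(':')[2], kv['tcontext'].split(':')[2], kv['tclass'])
    except (KeyError, IndexError):
        return None
    # permissive=0 means the access was really blocked; the field may be absent,
    # in which case the denial is not counted as known-blocked.
    return {'key': key, 'perms': m.group('perms').split(),
            'comm': kv.get('comm', '?'), 'enforced': kv.get('permissive') == '0'}

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0, 'enforced': 0})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[d['key']]
        g['perms'].update(d['perms'])
        g['comms'].add(d['comm'])
        g['count'] += 1
        g['enforced'] += d['enforced']
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} (blocked: {g['enforced']}) by {', '.join(sorted(g['comms']))}")
```

Grouping by type pair shows which domains the loaded policy does not cover, which is easier to read after a policy switch than the raw log.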