# secure boot [self solved]

## idella4

I'm trying to get selinux to work, just need to polish it.

I have followed the guides.  I've relabeled the system time & time again.

I've tried many variations on the kernel which is where I still think the answer lies.

On boot, I keep getting selinux log statements citing some content are not contained in the loaded policy.

It cites missing classes. It has to be in permissive mode to boot.

The messages usually cite audit, so I've turned on everything I can find audit related in the kernel.

According to the guide there are only about 3 settings.  I think there are some more.

The point is it keeps citing non-existent content.

```
[    8.748466] Freeing unused kernel memory: 416k freed
[    9.259915] SELinux:  class kernel_service not defined in policy
[    9.260004] SELinux:  class tun_socket not defined in policy
[    9.260004] SELinux:  permission open in class sock_file not defined in policy
[    9.260004] SELinux:  permission module_request in class system not defined in policy
[    9.260004] SELinux:  permission nlmsg_tty_audit in class netlink_audit_socket not defined in policy
[    9.260004] SELinux: the above unknown classes and permissions will be denied
[    9.773803] type=1403 audit(1282852506.915:2): policy loaded auid=4294967295 ses=4294967295
 * Mounting /proc ...
[   10.132044] type=1400 audit(1282852253.501:3): avc:  denied  { write } for  pid=729 comm="mount" name="/" dev=proc ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_t tclass=dir
 [ ok ]
 * Mounting xenfs ...
[   10.346099] type=1400 audit(1282852253.715:4): avc:  denied  { mounton } for  pid=734 comm="mount" path="/proc/xen" dev=proc ino=4026531930 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_xen_t tclass=dir
[   10.347005] type=1400 audit(1282852253.715:5): avc:  denied  { mount } for  pid=734 comm="mount" name="/" dev=xenfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
[   10.754049] type=1400 audit(1282852254.123:6): avc:  denied  { write } for  pid=734 comm="mount" name="/" dev=xenfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
 [ ok ]
[   10.979637] type=1400 audit(1282852254.348:7): avc:  denied  { write } for  pid=741 comm="mount" name="/" dev=tmpfs ino=1385 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:tmpfs_t tclass=dir
```

kernel_service & tun_socket are classes.  The others are not present in the cited classes which are present.

```
gentoo_pristine ~ # ls /selinux/class/kernel_service
ls: cannot access /selinux/class/kernel_service: No such file or directory
gentoo_pristine ~ # ls /selinux/class/tun_socket
ls: cannot access /selinux/class/tun_socket: No such file or directory
gentoo_pristine ~ # ls /selinux/class/sock_file
index  perms
gentoo_pristine ~ # grep open /selinux/class/sock_file
gentoo_pristine ~ #
gentoo_pristine ~ # grep module_request /selinux/class/system
gentoo_pristine ~ #
```

How is it looking for content which it hasn't made?  I can only think it's something that the kernel needs to make on boot.

selinux is closely bound to the kernel content.

The above are not such a problem in the boot, but they should be fixed.

The problem is after relabeling and booting with enforcing on, login is refused.

This is after doing all in the guide.

```
gentoo_pristine ~ # semanage login -l
Login Name                SELinux User
__default__               unconfined_u
idella                    staff_u
root                      staff_u
system_u                  system_u
gentoo_pristine ~ # semanage login -a -s staff_u root
/usr/sbin/semanage: Login mapping for root is already defined
gentoo_pristine ~ # semanage login -a -s staff_u idella
/usr/sbin/semanage: Login mapping for idella is already defined
```

I get permission disallowed on login!!!!????  What does it take?

Also have a version discrepancy.  In the kernel config, it stipulates a maximum version value.

It was initially set to 18 which is about fedora 4 era!  The system cites a version of 24.

On inserting 24 in the version config, the config rejects it as invalid, but takes 23.

Seems best to leave it unchecked so as to not create two differing values.
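A small triage script for the boot messages above, added here as an example and not part of the original post or of any SELinux tool: it separates the "not defined in policy" lines (kernel classes/permissions the loaded policy predates) from the AVC denials, and folds the denials into audit2allow-style candidate rules, flagging `unlabeled_t` targets as a labelling problem rather than something to allow. The sample log is a trimmed copy of the lines quoted in the post.

```python
import re
from collections import defaultdict
# Trimmed copy of the boot messages quoted in the post above.
SAMPLE_LOG = """\
[    9.259915] SELinux:  class kernel_service not defined in policy
[    9.260004] SELinux:  class tun_socket not defined in policy
[    9.260004] SELinux:  permission open in class sock_file not defined in policy
[    9.260004] SELinux:  permission module_request in class system not defined in policy
[   10.132044] type=1400 audit(1282852253.501:3): avc:  denied  { write } for  pid=729 comm="mount" name="/" dev=proc ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:proc_t tclass=dir
[   10.347005] type=1400 audit(1282852253.715:5): avc:  denied  { mount } for  pid=734 comm="mount" name="/" dev=xenfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem
[   10.754049] type=1400 audit(1282852254.123:6): avc:  denied  { write } for  pid=734 comm="mount" name="/" dev=xenfs ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
"""
CLASS_RE = re.compile(r"SELinux:\s+class (\S+) not defined in policy")
PERM_RE = re.compile(r"SELinux:\s+permission (\S+) in class (\S+) not defined in policy")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def parse_unknown_items(log):
    """Classes and permissions the kernel knows but the loaded policy does not."""
    classes = set(CLASS_RE.findall(log))
    perms = defaultdict(set)
    for perm, cls in PERM_RE.findall(log):
        perms[cls].add(perm)
    return classes, dict(perms)

def type_of(context):
    # system_u:system_r:mount_t[:mls] -> mount_t
    return context.split(":")[2]

def parse_denials(log):
    """Collapse AVC denials into (source type, target type, class) -> permissions."""
    denials = defaultdict(set)
    for perms, scontext, tcontext, tclass in AVC_RE.findall(log):
        key = (type_of(scontext), type_of(tcontext), tclass)
        denials[key].update(perms.split())
    return dict(denials)

def candidate_rules(denials):
    """audit2allow-style rules; an unlabeled_t target means the fs needs labelling, not an allow."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        line = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        if tgt == "unlabeled_t":
            line = "# label the filesystem (genfscon/fs_use) instead of: " + line
        rules.append(line)
    return rules

if __name__ == "__main__":
    print(parse_unknown_items(SAMPLE_LOG))
    print("\n".join(candidate_rules(parse_denials(SAMPLE_LOG))))
```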

----------

## idella4

anyone selinux aware??

It would have been good to get a reply.  I've managed to boot in enforcing mode, but the above is still unresolved.

----------

