# SELinux starts enforcing during install!

## KintaroBC

Edit: I tried loading a backup and trying the SELinux install again, and the problem is different than I describe in this OP. In this comment I discovered that SELinux is becoming enabled during part one of installing the SELinux utilities.

This topic was originally titled: SELinux boots into enforcing mode

I have been building an SELinux system which now boots, and clearly the policy works and is more secure. Yet despite what I have in /etc/selinux/config the system starts in enforcing mode. I also cannot put the system in permissive mode even though I am running in sysadm_r because of the restrictions.

seinfo...

```
Statistics for policy file: /sys/fs/selinux/policy
Policy Version:             33 (MLS disabled)
Target Policy:              selinux
Handle unknown classes:     allow
  Classes:             131    Permissions:         423
  Sensitivities:         0    Categories:            0
  Types:              1393    Attributes:          108
  Users:                 6    Roles:                 8
  Booleans:             71    Cond. Expr.:          64
  Allow:             16137    Neverallow:            0
  Auditallow:            1    Dontaudit:          3249
  Type_trans:          857    Type_change:           9
  Type_member:           6    Range_trans:           0
  Role allow:           11    Role_trans:            0
  Constraints:         133    Validatetrans:         0
  MLS Constrain:         0    MLS Val. Tran:         0
  Permissives:           0    Polcap:                5
  Defaults:              0    Typebounds:            0
  Allowxperm:            0    Neverallowxperm:       0
  Auditallowxperm:       0    Dontauditxperm:        0
  Ibendportcon:          0    Ibpkeycon:             0
  Initial SIDs:         27    Fs_use:               27
  Genfscon:             92    Portcon:             486
  Netifcon:              0    Nodecon:               0
```

getenforce...

```
Enforcing
```

I have switched from staff_u to sysadm_r on the system, and it is working, according to id -Z...

```
# id -Z
root:sysadm_r:sysadm_t
```

It gives this error when I try 'setenforce 0'...

```
setenforce:  setenforce() failed
```

This is the /etc/selinux/config, which clearly states permissive...

```
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
#   enforcing - SELinux security policy is enforced.
#   permissive - SELinux prints warnings instead of enforcing.
#   disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
#   targeted - Only targeted network daemons are protected.
#   strict   - Full SELinux protection.
#   mls      - Full SELinux protection with Multi-Level Security
#   mcs      - Full SELinux protection with Multi-Category Security 
#              (mls, but only one sensitivity level)
SELINUXTYPE=strict
```

The only other configuration I did myself is in /etc/default/grub:

```
GRUB_CMDLINE_LINUX="console=ttyS0,115200n8 security=selinux selinux=1"
```

The top of dmesg shows that the system is using those settings...

```
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.10.49-gentoo-r1-nextgen-004 root=/dev/vda4 ro console=ttyS0,115200n8 security=selinux selinux=0
```

This is not my first SELinux system and I have a few in production, though I have not installed SELinux on Gentoo in a couple of years. I think it might be possible that this is a bug of some kind. It seems to be ignoring /etc/selinux/config on my system.

Last edited by KintaroBC on Mon Jul 19, 2021 1:26 am; edited 3 times in total

----------

## alamahant

Do you have these in your .config?

```
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
```

If not, then please use a full binary kernel like gentoo-kernel-bin.

No, it doesn't boot with SELinux enabled:

> [    0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.10.49-gentoo-r1-nextgen-004 root=/dev/vda4 ro console=ttyS0,115200n8 security=selinux selinux=0

Why is that, I wonder?

All the security config I could grep:

```
# CONFIG_NFIT_SECURITY_DEBUG is not set
CONFIG_IP_NF_SECURITY=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_EXT4_FS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_F2FS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_UBIFS_FS_SECURITY=y
CONFIG_EROFS_FS_SECURITY=y
CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFSD_V4_SECURITY_LABEL=y
CONFIG_CEPH_FS_SECURITY_LABEL=y
CONFIG_9P_FS_SECURITY=y
# Security options
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_INFINIBAND=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
CONFIG_SECURITY_SMACK=y
CONFIG_SECURITY_SMACK_BRINGUP=y
CONFIG_SECURITY_SMACK_NETFILTER=y
CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/usr/bin/tomoyo-init"
CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/usr/lib/systemd/systemd"
# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOADPIN_ENFORCE=y
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_SAFESETID=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
CONFIG_SECURITY_LANDLOCK=y
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_DAC=y
```

Do you think some may be relevant and/or missing?

----------

## KintaroBC

I actually made a mistake and pasted the line from dmesg in my OP, after a reboot where I disabled SELinux.

Here is the SELinux related stuff in my kernel config...

```
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
```

I only have an ext4 file system and it has everything set right.

```
CONFIG_EXT4_FS_SECURITY=y
```

Keep in mind the system is (mostly) working and is just stuck in enforcing mode.
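The OP and the kernel config above can be cross-checked with a small script. This is an added diagnostic, not a script from this thread or from the Gentoo wiki: it compares the mode /etc/selinux/config asks for with the mode the running kernel reports in /sys/fs/selinux/enforce, then looks for the reasons the two normally disagree: `selinux=0` or `enforcing=1` on the kernel command line, and `CONFIG_SECURITY_SELINUX_DEVELOP` being unset. Without that option the kernel is built without a permissive mode at all: it boots enforcing, `/sys/fs/selinux/enforce` is not writable, and `setenforce 0` fails regardless of role or config file. The four paths are parameters (an assumption made for testability); on a live system the kernel config comes from `/usr/src/linux/.config`, or from `zcat /proc/config.gz` when the kernel was built with `CONFIG_IKCONFIG_PROC`.

```shell
#!/bin/sh
# Added diagnostic, not a poster's or the wiki's script. Compares the SELinux
# mode requested in /etc/selinux/config with the mode the kernel is actually
# in, and prints the usual explanations for a mismatch. All four paths are
# parameters so the check can run on copied files or inside a chroot, e.g.
#   selinux_mode_check /etc/selinux/config /sys/fs/selinux/enforce \
#                      /proc/cmdline /usr/src/linux/.config

# Prints "requested=<mode> actual=<mode>" and one "note:" line per finding.
# Returns 0 when requested and actual agree, 1 when they differ.
selinux_mode_check() {
    config_file=$1; enforce_file=$2; cmdline_file=$3; kconfig_file=$4

    # Mode requested at boot: the last uncommented SELINUX= line wins.
    if [ -r "$config_file" ]; then
        requested=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$config_file" | tail -n 1)
        [ -n "$requested" ] || requested=unset
    else
        requested=missing   # e.g. after the failed merge of selinux-base in this thread
    fi

    # Mode the kernel is in: 1 = enforcing, 0 = permissive; no selinuxfs
    # file at all means SELinux is not enabled in this boot.
    if [ -r "$enforce_file" ]; then
        case "$(cat "$enforce_file")" in
            1) actual=enforcing ;;
            0) actual=permissive ;;
            *) actual=unknown ;;
        esac
    else
        actual=disabled
    fi
    echo "requested=$requested actual=$actual"

    # Kernel command line parameters override the config file.
    if [ -r "$cmdline_file" ]; then
        if grep -Eq '(^|[[:space:]])selinux=0([[:space:]]|$)' "$cmdline_file"; then
            echo "note: selinux=0 on the kernel command line disables SELinux regardless of $config_file"
        fi
        if grep -Eq '(^|[[:space:]])enforcing=1([[:space:]]|$)' "$cmdline_file"; then
            echo "note: enforcing=1 on the kernel command line forces enforcing mode at boot"
        fi
    fi

    # Without CONFIG_SECURITY_SELINUX_DEVELOP the kernel has no permissive
    # mode: it boots enforcing, /sys/fs/selinux/enforce cannot be written,
    # and 'setenforce 0' fails no matter which role issues it.
    if [ -r "$kconfig_file" ]; then
        if ! grep -q '^CONFIG_SECURITY_SELINUX_DEVELOP=y' "$kconfig_file"; then
            echo "note: CONFIG_SECURITY_SELINUX_DEVELOP is not set; this kernel can only run enforcing and setenforce 0 will fail"
        fi
    else
        echo "note: kernel config $kconfig_file not readable; cannot check CONFIG_SECURITY_SELINUX_DEVELOP"
    fi

    [ "$requested" = "$actual" ]
}

# When run directly with four paths, perform the check on them.
if [ $# -eq 4 ]; then
    selinux_mode_check "$@"
fi
```

Run it before and after each install step; a non-zero exit with a DEVELOP note means the fix is in the kernel config, not in /etc/selinux/config or the policy.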

----------

## KintaroBC

I decided to load a backup and try installing SELinux again.

It is failing on part two of installing policies and utilities in the installation guide on the wiki.

```
# FEATURES="-selinux -sesandbox" emerge -1 selinux-base
...
>>> Installing (1 of 1) sec-policy/selinux-base-2.20200818-r2::gentoo
!!! Failed to move /var/tmp/portage/sec-policy/selinux-base-2.20200818-r2/image/etc/selinux/config to /etc/selinux/config
!!! [Errno 61] No data available
```

I think I missed this error when I wrote the OP and this is actually where things went wrong. I have created other SELinux Gentoo systems in the past and this behavior is quite bizarre.

While doing part one of installing policies and utilities, SELinux has somehow become enabled prematurely...

```
Enforcing
```

SELinux is going into enforcing mode during part one before this step, and the error above is because of that.

emerge --info:

```
Portage 3.0.20 (python 3.9.5-final-0, default/linux/amd64/17.1/no-multilib/hardened/selinux, gcc-10.3.0, glibc-2.33-r1, 5.10.49-gentoo-r1-nextgen-006 x86_64)
=================================================================
System uname: Linux-5.10.49-gentoo-r1-nextgen-006-x86_64-Intel_Core_Processor_-Skylake,_IBRS-with-glibc2.33
KiB Mem:     4042932 total,   2008360 free
KiB Swap:    7999484 total,   7999484 free
Timestamp of repository gentoo: Sun, 18 Jul 2021 20:30:01 +0000
Head commit of repository gentoo: 99e07544b3564a426c91f954e1ab7542e316563b
sh bash 5.1_p8
ld GNU ld (Gentoo 2.35.2 p1) 2.35.2
app-shells/bash:          5.1_p8::gentoo
dev-lang/perl:            5.32.1::gentoo
dev-lang/python:          3.9.5_p2::gentoo
dev-util/cmake:           3.18.5::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/openrc:          0.42.1-r1::gentoo
sys-apps/sandbox:         2.24::gentoo
sys-devel/autoconf:       2.69-r5::gentoo
sys-devel/automake:       1.16.3-r1::gentoo
sys-devel/binutils:       2.35.2::gentoo
sys-devel/gcc:            10.3.0-r2::gentoo
sys-devel/gcc-config:     2.4::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.10::gentoo (virtual/os-headers)
sys-libs/glibc:           2.33-r1::gentoo
Repositories:
gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe -march=native"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned qa-unresolved-soname-deps sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe -march=native"
GENTOO_MIRRORS="https://gentoo.osuosl.org/"
LANG="C.UTF8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 audit bzip2 caps crypt hardened iconv ipv6 libglvnd libtirpc ncurses nls nptl openmp pam pcre pie python readline seccomp selinux split-usr ssl ssp unicode xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3 php7-4" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" RUBY_TARGETS="ruby26" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RUSTFLAGS
```

----------

## lorenzoi

Have you had any luck so far? I'm getting the same issue and it seems like this is the only thread which talks about it.

----------

## bedwardly-down

I know this is a bit of a late reply here but I just ran into the same problem on a new server box. For some reason, setting your profile to an SELinux one (such as the hardened one recommended in the docs) seems to prematurely enforce it. To do the rest of the steps without changing the profile just yet, I've only found a small handful of things that need to be set up for it to work. 

1) Manually add these to /etc/portage/package.use/sec-policy/selinux-base (for the correct python modules to get built):

```
sys-libs/libselinux python
sys-process/audit python
```

2) Follow the selinux-base installation steps

3) Install the selinux-base-policy (this sometimes kept disconnecting me from the server, though, mid compile; still figuring it out)

EDIT: The server disconnects seem to only be an issue when setting SELINUXTYPE="targeted" in /etc/selinux/config. Switching that to strict but leaving it as targeted in the /etc/portage/make.conf seems to be a workaround. 

4) Switch profile over

5) Rebuild system as per instructions
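The file edits in step 1 and in the EDIT above are easy to get subtly wrong when repeated on several boxes (a duplicated package.use line, a second SELINUXTYPE= line that the first one shadows). The script below is an added example, not bedwardly-down's own script or the Gentoo wiki's, that applies those two edits idempotently and can be checked on a scratch tree; the emerge runs, the profile switch and the rebuild (steps 2 to 5) are deliberately left to the reader. The ROOT parameter is an assumption made so the functions can be exercised on a temporary directory; on a real system pass `/`. The make.conf side of the workaround (the policy types portage builds, the POLICY_TYPES variable) is not touched.

```shell
#!/bin/sh
# Added example, not a poster's or the wiki's script: idempotent helpers for
# the package.use entry and the SELINUXTYPE change described in the post.
# ROOT is a parameter so the helpers can be tested on a scratch directory.

# Append LINE to FILE unless an identical line is already present,
# creating the file and its parent directories as needed.
ensure_line() {
    file=$1; line=$2
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Step 1: USE flags so the python bindings of libselinux and audit get built.
ensure_selinux_use_flags() {
    root=$1
    usefile="$root/etc/portage/package.use/sec-policy/selinux-base"
    ensure_line "$usefile" "sys-libs/libselinux python"
    ensure_line "$usefile" "sys-process/audit python"
    echo "$usefile"
}

# EDIT workaround: rewrite (or add) the single SELINUXTYPE= line in an
# /etc/selinux/config, leaving every other line untouched. A temp file is
# used instead of sed -i so the target file keeps its inode and mode.
set_selinux_type() {
    config=$1; newtype=$2
    if grep -q '^SELINUXTYPE=' "$config"; then
        tmp=$(mktemp)
        sed "s/^SELINUXTYPE=.*/SELINUXTYPE=$newtype/" "$config" > "$tmp"
        cat "$tmp" > "$config"
        rm -f "$tmp"
    else
        printf 'SELINUXTYPE=%s\n' "$newtype" >> "$config"
    fi
}

# Read back the effective SELINUXTYPE (last uncommented assignment wins).
get_selinux_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}
```

Typical use on the live system: `ensure_selinux_use_flags /` before emerging selinux-base, then `set_selinux_type /etc/selinux/config strict` once the config file exists, and `get_selinux_type /etc/selinux/config` to confirm before building selinux-base-policy.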

----------

