# selinux is disabled - won't enable - dmesg clean

## totony

Hi,

I tried to install selinux multiple times on my laptop, and failed every time.

I run a custom kernel and have SELINUX_* and SECURITY_LABELS enabled for ext4, my partition is ext4, but selinux won't enable.

The errors I have been able to see (my dmesg is clean and there is nothing in /var/log/audit/audit.log):

```
emerge selinux-base-policy

>>> Setting SELinux security labels

* Inseting the following modules, with base, into the strict module store:  application, authlogin, [...]

libsemanage.semanage_write_policydb: Could not open kernel policy /etc/selinux/strict/modules/tmp/policy.kern for writing (Is a directory).

semodule: Failed!

* ERROR: sec-policy/selinux-base-policy-2.20140311-r6::gentoo gailed (postinst phase)

*   Failed to load in base and modules application authlogin [...]

* Call stack: ebuild.sh line 93: called pkg_postinst

* environment, line 1726: called dir

* semodule -s ${i} -b base.pp ${COMMAND} || die

```

When I try semodule -s ${i} -b base.pp ${COMMAND} manually, there are multiple errors depending on the module added, but mostly errors about roles not being there. I tried reinstalling coreutilspolicy but to no avail.

```
rlpkg -ar

Running /usr/sbin/setfiles -F /etc/selinux/strict/contexts/files/file_contexts /

/usr/sbin/setfiles set context /->kernel failed: 'Operation not supported'

[...]

```

```
dmesg | grep selinux:

SELinux: Initializing.

SELinux: Starting in permissibe mode

SELinux: Registering netfilter hooks
```

Anyone know how I could make this work? Most commands I try return "SELinux is disabled".

In other words, how can I troubleshoot selinux?

Thanks,

totony

P.S.: I tried downloading hardened-sources and building the recommended kernel, but the same thing happens (even the "kernel operation not supported of rlpkg"). Tried it with the default settings.

----------

## hololeap

Some basic questions:

Are you using a SELinux profile?

Have you enabled the recommended kernel options for SELinux? 

----------

## totony

Thank you for replying, I followed the instructions in the SELinux installation page. The profile I use is default/linux/amd64/13.0/selinux with USE="xattr"

I enabled the options (I even tried the gentoo hardened kernel's default options). The only thing that differs is I don't have all the filesystem supports, I only have ext4 (which is my partition's type). Also, I didn't find the 

"Under "General setup"

[*] Prompt for development and/or incomplete code/drivers"

----------

## totony

Still interested in a solution (bump)

----------

## N8Fear

Do you have the selinux fs mounted somewhere (I think nowadays it's not in /selinux anymore, but somewhere under /sys)?

----------

## totony

Yes, it's mounted: selinuxfs on /selinux type selinuxfs (rw)

----------

## totony

update: the "Could not open kernel policy /etc/selinux/strict/modules/tmp/policy.kern" happens for:

su.pp

storage.pp

userdomain.pp

application.pp

in /usr/share/selinux/strict/*.pp

----------

