10

I installed SELinux on Ubuntu using the command:

sudo apt-get install selinux

The config file in /etc/selinux contains the following information:

SELINUX=permissive
SELINUXTYPE=default
SETLOCALDEFS=0

But I am not able to set SELinux. When I check using the sestatus -v command, it gives the output:

SELINUX is disabled

How should I enable my SELINUX?

When I use the command seinfo, it gives the following output:

ERROR: policydb version 26 does not match my version range 15-24
ERROR: Unable to open policy /etc/selinux/default/policy/policy.26.
ERROR: Input/output error

The check-selinux-installation command gives the following output ../proc/1 kernel..

SELinux is not enabled.
The init process (PID 1) is running in an incorrect domain.
/etc/pam.d/login is not SELinux enabled
FSCKFIX is not enabled - not serious, but could prevent system from booting...
udev will create nodes not labeled correctly

Please help

2 Answers

4

This error might be because you are running AppArmor along with SELinux. AppArmor is installed by default in Ubuntu. You can't use 2 LSMs (Linux security modules) at the same time. You need to remove AppArmor if you wish to use SELinux.

See an answer here: Is it a bad idea to run SELinux and AppArmor at the same time?

cioby23
  • 2,535
2

An absurdly old question, but it helped me track my problem down partially, so I'm adding another response.

Not only do you need to remove AppArmor like cioby23 says, but there are some extra steps received from the upstream Debian that aren't well documented at all. Here are the commands to convert a standard Ubuntu system (16.04.6 for me) to use SELinux in Permissive mode using the standard provided packages:

# make sure you have the most up-to-date info
apt-get update
apt-get dist-upgrade

# disable and remove apparmor
/etc/init.d/apparmor stop
apt-get remove apparmor

# install SELinux
apt-get install selinux

# install the missing dependency
apt-get install auditd

# install the activate tool required to make it work
apt-get install selinux-basics

# missing manual step to actually make SELinux work (part of selinux-basics)
selinux-activate

# need to restart for it to take effect
shutdown -r now

Personally I discovered that the selinux-activate has to be run manually from a discussion on the upstream Debian (https://unix.stackexchange.com/questions/136988/whats-missing-with-my-selinux-installation).
It solved the exact problem of the wrong context on PID 1, which also presents as a getfilecon error.

EDIT1: Update language to avoid confusion on policy naming.
EDIT2: Split up the commands with better descriptions for each

mtalexan
  • 272
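
A read-only check for the symptom in the question (config says permissive, sestatus says disabled), added here as an example and not taken from either answer. It assumes the stock Ubuntu kernel selects AppArmor unless security=selinux is on the kernel command line, and that selinux-activate is what adds that parameter to the GRUB configuration; the function names and sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original answers). Explains why sestatus can say
# "disabled" while /etc/selinux/config says SELINUX=permissive.

# config_mode FILE: print the last SELINUX= value of an /etc/selinux/config file.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# has_token WORD STRING: succeed if STRING contains WORD as a whole token.
has_token() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# diagnose CONFIG_FILE CMDLINE MOUNTS_FILE: print a one-line diagnosis.
#   CMDLINE     contents of /proc/cmdline
#   MOUNTS_FILE copy of /proc/mounts (selinuxfs is mounted only when SELinux is live)
diagnose() {
    mode=$(config_mode "$1")
    if awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$3"; then
        echo "active: selinuxfs mounted, configured mode ${mode:-unset}"
    elif [ -z "$mode" ] || [ "$mode" = disabled ]; then
        echo "off: config sets SELINUX=${mode:-unset}"
    elif has_token selinux=0 "$2"; then
        echo "off: kernel booted with selinux=0"
    elif ! has_token security=selinux "$2"; then
        # Assumption: the Ubuntu kernel picks AppArmor unless told otherwise.
        echo "off: security=selinux missing from kernel command line; run selinux-activate and reboot"
    else
        echo "off: boot parameters present but selinuxfs not mounted; check policy load"
    fi
}

# Constructed sample inputs modelled on the question (not captured from a real host).
SAMPLE_DIR=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=default\nSETLOCALDEFS=0\n' > "$SAMPLE_DIR/config"
printf 'sysfs /sys sysfs rw 0 0\nsecurityfs /sys/kernel/security securityfs rw 0 0\n' > "$SAMPLE_DIR/mounts.before"
printf 'sysfs /sys sysfs rw 0 0\nselinuxfs /sys/fs/selinux selinuxfs rw 0 0\n' > "$SAMPLE_DIR/mounts.after"
CMDLINE_BEFORE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet splash'
CMDLINE_AFTER="$CMDLINE_BEFORE selinux=1 security=selinux"

diagnose "$SAMPLE_DIR/config" "$CMDLINE_BEFORE" "$SAMPLE_DIR/mounts.before"
diagnose "$SAMPLE_DIR/config" "$CMDLINE_AFTER" "$SAMPLE_DIR/mounts.after"

# On a live system:
#   diagnose /etc/selinux/config "$(cat /proc/cmdline)" /proc/mounts
```

The last branch (parameters present, selinuxfs still absent) is the case to investigate when the policy file cannot be loaded, as in the seinfo errors quoted in the question.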