* Can I change default policy from targeted to minimum
@ 2015-09-11 11:55 Divya Vyas
  2015-09-11 13:41 ` Dominick Grift
  0 siblings, 1 reply; 10+ messages in thread
From: Divya Vyas @ 2015-09-11 11:55 UTC (permalink / raw)
  To: selinux

Hi,

I have mls and targeted policy installed on my system. I want to have a
minimum policy with all users unconfined and nothing restricted.

I took a minimum policy from the selinux-policy-minimum noarch rpm, kept it in
the /etc/selinux folder and edited SELINUXTYPE=minimum. Is this enough to load a
new policy?

load_policy
SELinux:  Could not open policy file <=
/etc/selinux/minimum/policy/policy.28:  No such file or directory
load_policy:  Can't load policy:  No such file or directory

Getting this error while the policy.28 exists in the path.

Please guide me to have a minimum unrestricted policy.


* Re: Can I change default policy from targeted to minimum
  2015-09-11 11:55 Can I change default policy from targeted to minimum Divya Vyas
@ 2015-09-11 13:41 ` Dominick Grift
  2015-09-11 15:45   ` Divya Vyas
  2015-09-18 23:30   ` how to run setsebool -P in chroot? Bond Masuda
  0 siblings, 2 replies; 10+ messages in thread
From: Dominick Grift @ 2015-09-11 13:41 UTC (permalink / raw)
  To: Divya Vyas; +Cc: selinux

On Fri, Sep 11, 2015 at 05:25:39PM +0530, Divya Vyas wrote:
> Hi,
> 
> I have mls and targeted policy installed on my system. I want to have a
> minimum policy with all users unconfined and nothing restricted.
> 
> I took a minimum policy from the selinux-policy-minimum noarch rpm, kept it in
> the /etc/selinux folder and edited SELINUXTYPE=minimum. Is this enough to load a
> new policy?
> 
> load_policy
> SELinux:  Could not open policy file <=
> /etc/selinux/minimum/policy/policy.28:  No such file or directory
> load_policy:  Can't load policy:  No such file or directory
> 
> Getting this error while the policy.28 exists in the path.
> 
> Please guide me to have a minimum unrestricted policy.

Looks like you're using Fedora. The "minimum" policy model is specific to
Fedora. You might be able to get support on the Fedora selinux maillist:
https://admin.fedoraproject.org/mailman/listinfo/selinux

With that said, you could try (if things break then you get to keep the pieces):

sudo setenforce 0 && sudo semodule -B && sudo load_policy

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift

* Re: Can I change default policy from targeted to minimum
  2015-09-11 13:41 ` Dominick Grift
@ 2015-09-11 15:45   ` Divya Vyas
  2015-09-11 15:53     ` Dominick Grift
  2015-09-18 23:30   ` how to run setsebool -P in chroot? Bond Masuda
  1 sibling, 1 reply; 10+ messages in thread
From: Divya Vyas @ 2015-09-11 15:45 UTC (permalink / raw)
  To: selinux

Hi Dominick,

No, it's not Fedora. It is basically a Yocto-based kernel and root filesystem.

Is it possible to have a minimum policy to allow everything and try out
limiting something?


* Re: Can I change default policy from targeted to minimum
  2015-09-11 15:45   ` Divya Vyas
@ 2015-09-11 15:53     ` Dominick Grift
  2015-09-11 16:43       ` Divya Vyas
  0 siblings, 1 reply; 10+ messages in thread
From: Dominick Grift @ 2015-09-11 15:53 UTC (permalink / raw)
  To: Divya Vyas; +Cc: selinux

On Fri, Sep 11, 2015 at 09:15:56PM +0530, Divya Vyas wrote:
> Hi Dominick,
> 
> No, it's not Fedora. It is basically a Yocto-based kernel and root filesystem.
> 
> Is it possible to have a minimum policy to allow everything and try out
> limiting something?

Sure, you could write one yourself (configurable policy is what SELinux
is all about, amongst other things). There's also this:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/security/SELinux.txt?id=e22619a29fcdb513b7bc020e84225bb3b5914259

But it has a bug that only recently got fixed.

No matter what you choose, it is going to be a little hard if you aren't
confident with SELinux.

For the real adventurous there's my base policy, which needs tweaking to
get it to work:

https://github.com/doverride/cilpolicy


-- 
Dominick Grift

* Re: Can I change default policy from targeted to minimum
  2015-09-11 15:53     ` Dominick Grift
@ 2015-09-11 16:43       ` Divya Vyas
  2015-09-11 16:51         ` Dominick Grift
  2015-09-11 17:11         ` Stephen Smalley
  0 siblings, 2 replies; 10+ messages in thread
From: Divya Vyas @ 2015-09-11 16:43 UTC (permalink / raw)
  To: Divya Vyas, selinux

Hi Dominick,

I have a question: what is the role of policy.29/28/27? If I understand
correctly, it is a binary policy called while the kernel is booting. It is a
symbolic link with policy.kern.

Thanks,
Divya


* Re: Can I change default policy from targeted to minimum
  2015-09-11 16:43       ` Divya Vyas
@ 2015-09-11 16:51         ` Dominick Grift
  2015-09-11 17:11         ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2015-09-11 16:51 UTC (permalink / raw)
  To: Divya Vyas; +Cc: selinux

On Fri, Sep 11, 2015 at 10:13:34PM +0530, Divya Vyas wrote:
> Hi Dominick,
> 
> I have a question: what is the role of policy.29/28/27? If I understand
> correctly, it is a binary policy called while the kernel is booting. It is a
> symbolic link with policy.kern.

The /etc/selinux/SELINUXTYPE/policy/policy.X file is supposed to be the
actual policy database. I am not sure why in your case this is a
symlink to policy.kern.

See:

http://selinuxproject.org/page/NB_PolicyType

-- 
Dominick Grift

* Re: Can I change default policy from targeted to minimum
  2015-09-11 16:43       ` Divya Vyas
  2015-09-11 16:51         ` Dominick Grift
@ 2015-09-11 17:11         ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2015-09-11 17:11 UTC (permalink / raw)
  To: Divya Vyas, selinux

On 09/11/2015 12:43 PM, Divya Vyas wrote:
> Hi Dominick,
> 
> I have a question: what is the role of policy.29/28/27? If I understand
> correctly, it is a binary policy called while the kernel is booting. It is a
> symbolic link with policy.kern.

The suffix indicates the policy format version; the version number is
also contained within the file header but having it as a file name
suffix is convenient for supporting multiple versions on the same system
(e.g. for booting different kernels) and for allowing userspace to
select the right file without having to parse it.

It isn't normally just a symlink.

In Android, we dispensed with the policy version suffix and just called
it "sepolicy" because we could ensure that the kernel and userspace were
aligned and that the policy file would always be compatible with the
kernel.  We also had to move it out of /etc and into / so that it could
be loaded before the /system partition was mounted, since /etc in
Android is just a symlink to /system/etc and is not available immediately.
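
A check for the layout described in the message above, as an added example that is not part of the original thread: it reads the format version from the policy file header, compares it with the file name suffix, and reports a symlink whose target is missing. The magic number and the "SE Linux" string are those of the kernel binary policy format; the function names and the sample header are constructed for illustration.

```python
import os
import re
import struct

POLICYDB_MAGIC = 0xF97CFF8C    # first 32-bit word of a kernel binary policy
POLICYDB_STRING = b"SE Linux"  # identification string that follows it


def read_policy_version(data: bytes) -> int:
    """Return the format version stored in a binary policy header."""
    if len(data) < 8:
        raise ValueError("too short for a policy header")
    magic, strlen = struct.unpack_from("<II", data, 0)  # little-endian
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}, not a kernel binary policy")
    end = 8 + strlen
    if data[8:end] != POLICYDB_STRING:
        raise ValueError("identification string is not 'SE Linux'")
    if len(data) < end + 4:
        raise ValueError("header truncated before the version field")
    (version,) = struct.unpack_from("<I", data, end)
    return version


def check_policy_file(path: str) -> str:
    """Compare the .N suffix of a policy file with the version in its header."""
    m = re.search(r"\.(\d+)$", os.path.basename(path))
    if not m:
        return "no numeric version suffix in file name"
    # open() on a symlink whose target is missing fails with ENOENT even
    # though the name itself is listed in the directory.
    if os.path.islink(path) and not os.path.exists(path):
        return f"dangling symlink -> {os.readlink(path)}"
    try:
        with open(path, "rb") as fh:
            version = read_policy_version(fh.read(64))
    except (OSError, ValueError) as exc:
        return f"unreadable: {exc}"
    suffix = int(m.group(1))
    if version != suffix:
        return f"mismatch: suffix {suffix}, header {version}"
    return f"ok: version {version}"


def build_sample_header(version: int) -> bytes:
    """Constructed sample: only the leading header fields of a policy file."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING + struct.pack("<I", version))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "policy.28")
        with open(good, "wb") as fh:
            fh.write(build_sample_header(28))
        link = os.path.join(d, "policy.29")
        os.symlink(os.path.join(d, "policy.kern"), link)  # target never created
        for p in (good, link):
            print(os.path.basename(p), "->", check_policy_file(p))
```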

* how to run setsebool -P in chroot?
  2015-09-11 13:41 ` Dominick Grift
  2015-09-11 15:45   ` Divya Vyas
@ 2015-09-18 23:30   ` Bond Masuda
  2015-09-20 21:13     ` Paul Moore
  2015-09-21 20:12     ` Stephen Smalley
  1 sibling, 2 replies; 10+ messages in thread
From: Bond Masuda @ 2015-09-18 23:30 UTC (permalink / raw)
  To: selinux

Hello,

I'm trying to run setsebool in a chroot environment like:

chroot /mnt/test /usr/sbin/setsebool -P antivirus_can_scan_system 1

But I get:

setsebool:  SELinux is disabled.

I'm guessing this is because the environment is not running. Is there a 
way around this? I need to be able to set some of the booleans this way.

Thanks
Bond

* Re: how to run setsebool -P in chroot?
  2015-09-18 23:30   ` how to run setsebool -P in chroot? Bond Masuda
@ 2015-09-20 21:13     ` Paul Moore
  2015-09-21 20:12     ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Paul Moore @ 2015-09-20 21:13 UTC (permalink / raw)
  To: Bond Masuda; +Cc: selinux

On Fri, Sep 18, 2015 at 7:30 PM, Bond Masuda <bond.masuda@jlbond.com> wrote:
> Hello,
>
> I'm trying to run setsebool in a chroot environment like:
>
> chroot /mnt/test /usr/sbin/setsebool -P antivirus_can_scan_system 1
>
> But I get:
>
> setsebool:  SELinux is disabled.
>
> I'm guessing this is because the environment is not running. Is there a way
> around this? I need to be able to set some of the booleans this way.

You are likely seeing the SELinux disabled message because you don't
have /sys/fs/selinux mounted in your chroot.

-- 
paul moore
www.paul-moore.com

* Re: how to run setsebool -P in chroot?
  2015-09-18 23:30   ` how to run setsebool -P in chroot? Bond Masuda
  2015-09-20 21:13     ` Paul Moore
@ 2015-09-21 20:12     ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2015-09-21 20:12 UTC (permalink / raw)
  To: Bond Masuda, selinux

On 09/18/2015 07:30 PM, Bond Masuda wrote:
> Hello,
> 
> I'm trying to run setsebool in a chroot environment like:
> 
> chroot /mnt/test /usr/sbin/setsebool -P antivirus_can_scan_system 1
> 
> But I get:
> 
> setsebool:  SELinux is disabled.
> 
> I'm guessing this is because the environment is not running. Is there a
> way around this? I need to be able to set some of the booleans this way.

I would try using semanage boolean -N instead of setsebool -P.
