* Newbie question on fixfiles
From: Thomas Downing @ 2016-01-29 17:25 UTC
  To: selinux

Hi,

I need to get SELinux running on an appliance we are building, not based on a 
distro that already supports SELinux.

I've got all the userspace stuff built, (including setools3) without any 
warnings or errors. I followed instructions for installing and loading 
refpolicy, no warnings or errors.  (Except the python tools, which all import 
selinux.py, which does not seem to be included in the source tree.)

I'm booting with kernel options "security=selinux selinux=1", and dmesg shows 
SELinux initializing, and no errors or warnings.

sestatus output:

SELinux status:				enabled
SELinuxfs mount:			/sys/fs/selinux
SELinux root directory:		/etc/selinux
Loaded policy name:		refpolicy
Current mode:				permissive
Mode from config file:		permissive
Policy MLS status:			disabled
Policy deny_unknown status:	denied
Max kernel policy version:		30

Problem is: fixfiles does not actually label anything, and the underlying reason 
is that none of the mounted disk filesystems (all ext4) have option 'seclabel'.

Any pointers?

Also, given the absence of the seclabel option, I question if the kernel part 
of SELinux is in fact really happy...and if it isn't, I'm dead in the water 
anyway.

Thanks much,

Thomas Downing


* Re: Newbie question on fixfiles
From: Joe Wulf @ 2016-01-29 17:37 UTC
  To: selinux

What filesystem is applied to your disk and its various partitions? For this 
to work, that FS has to be one that supports SELinux labeling (seclabel). You 
are right---if what you are using doesn't support that, you are dead in the 
water (currently). What options do you have to change to an SELinux-compliant 
FS?
 


* Re: Newbie question on fixfiles
From: Stephen Smalley @ 2016-01-29 18:02 UTC
  To: Thomas Downing, selinux

On 01/29/2016 12:25 PM, Thomas Downing wrote:
> Hi,
>
> I need to get SELinux running on an appliance we are building, not based on a
> distro that already supports SELinux.
>
> I've got all the userspace stuff built, (including setools3) without any
> warnings or errors. I followed instructions for installing and loading
> refpolicy, no warnings or errors.  (Except the python tools, which all import
> selinux.py, which does not seem to be included in the source tree.)
>
> I'm booting with kernel options "security=selinux selinux=1", and dmesg shows
> SELinux initializing, and no errors or warnings.
>
> sestatus output:
>
> SELinux status:				enabled
> SELinuxfs mount:			/sys/fs/selinux
> SELinux root directory:		/etc/selinux
> Loaded policy name:		refpolicy
> Current mode:				permissive
> Mode from config file:		permissive
> Policy MLS status:			disabled
> Policy deny_unknown status:	denied
> Max kernel policy version:		30
>
> Problem is: fixfiles does not actually label anything, and the underlying reason
> is that none of the mounted disk filesystems (all ext4) have option 'seclabel'.
>
> Any pointers?
>
> Also, given the absence of the seclabel option, I question if the kernel part
> of SELinux is in fact really happy...and if it isn't, I'm dead in the water
> anyway.

This implies that you haven't loaded a policy into the kernel. Normally 
this is done by init; both sysvinit and systemd should already include 
the necessary bits but you may have to enable them in your configure.


* Re: Newbie question on fixfiles
From: Thomas Downing @ 2016-01-29 18:26 UTC
  To: selinux

On Friday, January 29, 2016 17:37:15 Joe Wulf wrote:
> What filesystem is applied to your disk and its various partitions? For this
> to work, that FS has to be one that supports SELinux labeling
> (seclabel). You are right---if what you are using doesn't support that, you
> are dead in the water (currently). What options do you have to change to an
> SELinux-compliant FS?

The disk partitions are all ext4.

cat /proc/config.gz | gunzip - | grep CONFIG_EXT4 yields:

CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_USE_FOR_EXT2=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y

as root, cat /proc/self/mounts | grep ext4 yields:

/dev/root / ext4 rw,relatime,data=ordered 0 0
/dev/sda5 /home ext4 rw,relatime,data=ordered 0 0
/dev/sda6 /var ext4 rw,relatime,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,data=ordered 0 0


Thanks

Thomas Downing.



* Re: Newbie question on fixfiles
From: Stephen Smalley @ 2016-01-29 18:47 UTC
  To: Thomas Downing, selinux

On 01/29/2016 01:02 PM, Stephen Smalley wrote:
> On 01/29/2016 12:25 PM, Thomas Downing wrote:
>> Hi,
>>
>> I need to get SELinux running on an appliance we are building, not
>> based on a
>> distro that already supports SELinux.
>>
>> I've got all the userspace stuff built, (including setools3) without any
>> warnings or errors. I followed instructions for installing and loading
>> refpolicy, no warnings or errors.  (Except the python tools, which all
>> import
>> selinux.py, which does not seem to be included in the source tree.)
>>
>> I'm booting with kernel options "security=selinux selinux=1", and
>> dmesg shows
>> SELinux initializing, and no errors or warnings.
>>
>> sestatus output:
>>
>> SELinux status:                enabled
>> SELinuxfs mount:            /sys/fs/selinux
>> SELinux root directory:        /etc/selinux
>> Loaded policy name:        refpolicy
>> Current mode:                permissive
>> Mode from config file:        permissive
>> Policy MLS status:            disabled
>> Policy deny_unknown status:    denied
>> Max kernel policy version:        30
>>
>> Problem is: fixfiles does not actually label anything, and the
>> underlying reason
>> is that none of the mounted disk filesystems (all ext4) have option
>> 'seclabel'.
>>
>> Any pointers?
>>
>> Also, given the absence of the seclabel option, I question if the
>> kernel part
>> of SELinux is in fact really happy...and if it isn't, I'm dead in the
>> water
>> anyway.
>
> This implies that you haven't loaded a policy into the kernel. Normally
> this is done by init; both sysvinit and systemd should already include
> the necessary bits but you may have to enable them in your configure.

Sorry, I didn't read that carefully enough - your sestatus output would 
suggest that you have loaded a policy.

What's the actual output you got from SELinux during boot?

What's your kernel version?


* Re: Newbie question on fixfiles
From: Thomas Downing @ 2016-01-29 19:03 UTC
  To: selinux

On Friday, January 29, 2016 13:02:42 Stephen Smalley wrote:
> On 01/29/2016 12:25 PM, Thomas Downing wrote:
> > Hi,
> > 
> > I need to get SELinux running on an appliance we are building, not based
> > on a distro that already supports SELinux.
> > 
> > I've got all the userspace stuff built, (including setools3) without any
> > warnings or errors. I followed instructions for installing and loading
> > refpolicy, no warnings or errors.  (Except the python tools, which all
> > import selinux.py, which does not seem to be included in the source
> > tree.)
> > 
> > I'm booting with kernel options "security=selinux selinux=1", and dmesg
> > shows SELinux initializing, and no errors or warnings.
> > 
> > sestatus output:
> > 
> > SELinux status:				enabled
> > SELinuxfs mount:			/sys/fs/selinux
> > SELinux root directory:		/etc/selinux
> > Loaded policy name:		refpolicy
> > Current mode:				permissive
> > Mode from config file:		permissive
> > Policy MLS status:			disabled
> > Policy deny_unknown status:	denied
> > Max kernel policy version:		30
> > 
> > Problem is: fixfiles does not actually label anything, and the underlying
> > reason is that none of the mounted disk filesystems (all ext4) have
> > option 'seclabel'.
> > 
> > Any pointers?
> > 
> > Also, given the absence of the seclabel option, I question if the kernel
> > part of SELinux is in fact really happy...and if it isn't, I'm dead in
> > the water anyway.
> 
> This implies that you haven't loaded a policy into the kernel. Normally
> this is done by init; both sysvinit and systemd should already include
> the necessary bits but you may have to enable them in your configure.

Okay, my bad, I thought I had done "make load" in 
/etc/selinux/refpolicy/src/policy, but I guess I missed that.  So now 
"seclabel" shows up on all ext4 file systems in /proc/mounts, so that is good.

Now running "fixfiles -F -f -v -l fixfiles.log relabel" does not complain.

But now I've got two other problems:

1. Looking at the log file produced, only a few files are said to be labeled, 
outside of /run/udev, /dev etc.  What happened to everything else in 
file_contexts?

2. None of the files that the log file claims were relabeled, are in fact 
labeled, according to 'ls -Z'.

There is no sysvinit script for selinux stuff for this distro, I need to create 
all that.  Looking at Fedora 22 that is currently SELinux enabled, I can't find 
the systemd unit file that does the load, or I would use that as a reference.

On the other hand, it seems I should be able to use what "make load" does as a 
reference as well.  Is that a valid assumption?

Thanks

Thomas Downing


* Re: Newbie question on fixfiles
From: Thomas Downing @ 2016-01-29 19:10 UTC
  To: selinux

On Friday, January 29, 2016 13:47:39 Stephen Smalley wrote:
> On 01/29/2016 01:02 PM, Stephen Smalley wrote:
> > On 01/29/2016 12:25 PM, Thomas Downing wrote:
> >> Hi,
> >> 
> >> I need to get SELinux running on an appliance we are building, not
> >> based on a
> >> distro that already supports SELinux.
> >> 
> >> I've got all the userspace stuff built, (including setools3) without any
> >> warnings or errors. I followed instructions for installing and loading
> >> refpolicy, no warnings or errors.  (Except the python tools, which all
> >> import
> >> selinux.py, which does not seem to be included in the source tree.)
> >> 
> >> I'm booting with kernel options "security=selinux selinux=1", and
> >> dmesg shows
> >> SELinux initializing, and no errors or warnings.
> >> 
> >> sestatus output:
> >> 
> >> SELinux status:                enabled
> >> SELinuxfs mount:            /sys/fs/selinux
> >> SELinux root directory:        /etc/selinux
> >> Loaded policy name:        refpolicy
> >> Current mode:                permissive
> >> Mode from config file:        permissive
> >> Policy MLS status:            disabled
> >> Policy deny_unknown status:    denied
> >> Max kernel policy version:        30
> >> 
> >> Problem is: fixfiles does not actually label anything, and the
> >> underlying reason
> >> is that none of the mounted disk filesystems (all ext4) have option
> >> 'seclabel'.
> >> 
> >> Any pointers?
> >> 
> >> Also, given the absence of the seclabel option, I question if the
> >> kernel part
> >> of SELinux is in fact really happy...and if it isn't, I'm dead in the
> >> water
> >> anyway.
> > 
> > This implies that you haven't loaded a policy into the kernel. Normally
> > this is done by init; both sysvinit and systemd should already include
> > the necessary bits but you may have to enable them in your configure.
> 
> Sorry, I didn't read that carefully enough - your sestatus output would
> suggest that you have loaded a policy.
> 
> What's the actual output you got from SELinux during boot?
> 
> What's your kernel version?

The only output I see in dmesg is:

[    0.000557] SELinux:  Initializing.
[    0.000563] SELinux:  Starting in permissive mode
[    0.361186] SELinux:  Registering netfilter hooks

The kernel stuff is 4.4.0 SMP x86_64 Intel Core i7-4800MQ CPU.  If it matters 
gcc is 5.3.0.

Thanks
td


* Re: Newbie question on fixfiles
From: Stephen Smalley @ 2016-01-29 19:25 UTC
  To: Thomas Downing, selinux

On 01/29/2016 02:03 PM, Thomas Downing wrote:
> On Friday, January 29, 2016 13:02:42 Stephen Smalley wrote:
>> On 01/29/2016 12:25 PM, Thomas Downing wrote:
>>> Hi,
>>>
>>> I need to get SELinux running on an appliance we are building, not based
>>> on a distro that already supports SELinux.
>>>
>>> I've got all the userspace stuff built, (including setools3) without any
>>> warnings or errors. I followed instructions for installing and loading
>>> refpolicy, no warnings or errors.  (Except the python tools, which all
>>> import selinux.py, which does not seem to be included in the source
>>> tree.)
>>>
>>> I'm booting with kernel options "security=selinux selinux=1", and dmesg
>>> shows SELinux initializing, and no errors or warnings.
>>>
>>> sestatus output:
>>>
>>> SELinux status:				enabled
>>> SELinuxfs mount:			/sys/fs/selinux
>>> SELinux root directory:		/etc/selinux
>>> Loaded policy name:		refpolicy
>>> Current mode:				permissive
>>> Mode from config file:		permissive
>>> Policy MLS status:			disabled
>>> Policy deny_unknown status:	denied
>>> Max kernel policy version:		30
>>>
>>> Problem is: fixfiles does not actually label anything, and the underlying
>>> reason is that none of the mounted disk filesystems (all ext4) have
>>> option 'seclabel'.
>>>
>>> Any pointers?
>>>
>>> Also, given the absence of the seclabel option, I question if the kernel
>>> part of SELinux is in fact really happy...and if it isn't, I'm dead in
>>> the water anyway.
>>
>> This implies that you haven't loaded a policy into the kernel. Normally
>> this is done by init; both sysvinit and systemd should already include
>> the necessary bits but you may have to enable them in your configure.
>
> Okay, my bad, I thought I had done "make load" in
> /etc/selinux/refpolicy/src/policy, but I guess I missed that.  So now
> "seclabel" shows up on all ext4 file systems in /proc/mounts, so that is good.
>
> Now running "fixfiles -F -f -v -l fixfiles.log relabel" does not complain.
>
> But now I've got two other problems:
>
> 1. Looking at the log file produced, only a few files are said to be labeled,
> outside of /run/udev, /dev etc.  What happened to everything else in
> file_contexts?
>
> 2. None of the files that the log file claims were relabeled, are in fact
> labeled, according to 'ls -Z'.
>
> There is no sysvinit script for selinux stuff for this distro, I need to create
> all that.  Looking at Fedora 22 that is currently SELinux enabled, I can't find
> the systemd unit file that does the load, or I would use that as a reference.
>
> On the other hand, it seems I should be able to use what "make load" does as a
> reference as well.  Is that a valid assumption?

SELinux initialization is normally done directly from init code, not 
from a script file or unit file, because we need init to load policy and 
then re-exec itself or dynamically switch contexts to get init into its 
own security context (otherwise it will be left in the kernel's domain). 
sysvinit and systemd source code already include that support (as does 
Android init); if using them, you might just need to rebuild with the 
appropriate configure flags.

Alternatively, you could invoke "load_policy -i" from an initramfs 
script after switching to the real root and before executing init.

If you run restorecon -v /path/to/file for one of these files that 
wasn't labeled, what does it say?  What does ls -Z show for the file 
before and after?


* Re: Newbie question on fixfiles
From: Thomas Downing @ 2016-01-29 19:41 UTC
  To: selinux

On Friday, January 29, 2016 14:25:43 Stephen Smalley wrote:
[snip]
> >> This implies that you haven't loaded a policy into the kernel. Normally
> >> this is done by init; both sysvinit and systemd should already include
> >> the necessary bits but you may have to enable them in your configure.
> > 
> > Okay, my bad, I thought I had done "make load" in
> > /etc/selinux/refpolicy/src/policy, but I guess I missed that.  So now
> > "seclabel" shows up on all ext4 file systems in /proc/mounts, so that is
> > good.
> > 
> > Now running "fixfiles -F -f -v -l fixfiles.log relabel" does not complain.
> > 
> > But now I've got two other problems:
> > 
> > 1. Looking at the log file produced, only a few files are said to be
> > labeled, outside of /run/udev, /dev etc.  What happened to everything
> > else in file_contexts?
> > 
> > 2. None of the files that the log file claims were relabeled, are in fact
> > labeled, according to 'ls -Z'.
> > 
> > There is no sysvinit script for selinux stuff for this distro, I need to
> > create all that.  Looking at Fedora 22 that is currently SELinux enabled, I
> > can't find the systemd unit file that does the load, or I would use that
> > as a reference.
> > 
> > On the other hand, it seems I should be able to use what "make load" does
> > as a reference as well.  Is that a valid assumption?
> 
> SELinux initialization is normally done directly from init code, not
> from a script file or unit file, because we need init to load policy and
> then re-exec itself or dynamically switch contexts to get init into its
> own security context (otherwise it will be left in the kernel's domain).
> sysvinit and systemd source code already include that support (as does
> Android init); if using them, you might just need to rebuild with the
> appropriate configure flags.
> 
> Alternatively, you could invoke "load_policy -i" from an initramfs
> script after switching to the real root and before executing init.
> 
> If you run restorecon -v /path/to/file for one of these files that
> wasn't labeled, what does it say?  What does ls -Z show for the file
> before and after?

About init, duh, just not thinking.  I will indeed need to rebuild init.

restorecon -v /home/tdowning/.viminfo:

restorecon reset /home/tdowning/.viminfo context 
system_u:object_r:user_home_dir_t->system_u:object_r:user_home_t

But ls -aZ:

? .viminfo

(~/.viminfo is the only file under /home that fixfiles even tried to relabel).

It occurs to me that maybe all of fileutils, coreutils, sysutils, libnss*, pam* 
and such like might need to be rebuilt?  Maybe ls is just not built right.  I 
note that 'id -Z' complains "works only on an SELinux-enabled kernel", 
indicating the need to rebuild all that stuff.

thanks

td


* Re: Newbie question on fixfiles
From: Stephen Smalley @ 2016-01-29 20:05 UTC
  To: Thomas Downing, selinux

On 01/29/2016 02:41 PM, Thomas Downing wrote:
> On Friday, January 29, 2016 14:25:43 Stephen Smalley wrote:
> [snip]
>>>> This implies that you haven't loaded a policy into the kernel. Normally
>>>> this is done by init; both sysvinit and systemd should already include
>>>> the necessary bits but you may have to enable them in your configure.
>>>
>>> Okay, my bad, I thought I had done "make load" in
>>> /etc/selinux/refpolicy/src/policy, but I guess I missed that.  So now
>>> "seclabel" shows up on all ext4 file systems in /proc/mounts, so that is
>>> good.
>>>
>>> Now running "fixfiles -F -f -v -l fixfiles.log relabel" does not complain.
>>>
>>> But now I've got two other problems:
>>>
>>> 1. Looking at the log file produced, only a few files are said to be
>>> labeled, outside of /run/udev, /dev etc.  What happened to everything
>>> else in file_contexts?
>>>
>>> 2. None of the files that the log file claims were relabeled, are in fact
>>> labeled, according to 'ls -Z'.
>>>
>>> There is no sysvinit script for selinux stuff for this distro, I need to
>>> create all that.  Looking at Fedora 22 that is currently SELinux enabled, I
>>> can't find the systemd unit file that does the load, or I would use that
>>> as a reference.
>>>
>>> On the other hand, it seems I should be able to use what "make load" does
>>> as a reference as well.  Is that a valid assumption?
>>
>> SELinux initialization is normally done directly from init code, not
>> from a script file or unit file, because we need init to load policy and
>> then re-exec itself or dynamically switch contexts to get init into its
>> own security context (otherwise it will be left in the kernel's domain).
>> sysvinit and systemd source code already include that support (as does
>> Android init); if using them, you might just need to rebuild with the
>> appropriate configure flags.
>>
>> Alternatively, you could invoke "load_policy -i" from an initramfs
>> script after switching to the real root and before executing init.
>>
>> If you run restorecon -v /path/to/file for one of these files that
>> wasn't labeled, what does it say?  What does ls -Z show for the file
>> before and after?
>
> About init, duh, just not thinking.  I will indeed need to rebuild init.
>
> restorecon -v /home/tdowning/.viminfo:
>
> restorecon reset /home/tdowning/.viminfo context
> system_u:object_r:user_home_dir_t->system_u:object_r:user_home_t
>
> But ls -aZ:
>
> ? .viminfo
>
> (~/.viminfo is the only file under /home that fixfiles even tried to relabel).
>
> It occurs to me that maybe all of fileutils, coreutils, sysutils, libnss*, pam*
> and such like might need to be rebuilt?  Maybe ls is just not built right.  I
> note that 'id -Z' complains "works only on an SELinux-enabled kernel",
> indicating the need to rebuild all that stuff.

Yes, you need to rebuild your userspace with SELinux enabled.  You may 
be able to see the actual file context by using getfattr directly, e.g.
getfattr -n security.selinux /path/to/file

I assume you aren't using openembedded / yocto for your appliance? 
Because that already has a meta-selinux layer for enabling SELinux support.

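The checks this thread converges on (is a policy actually loaded, which ext4 mounts lack seclabel, and what label the security.selinux xattr really holds when a non-SELinux ls prints "?") gathered into one POSIX shell script. This is an added example, not code from the thread or from the SELinux userspace; the function names and the sample mount table are constructed, and the policy-loaded test relies on the kernel reporting the initial-SID name "kernel" as a process context until a policy has been loaded.

```shell
#!/bin/sh
# Diagnostic for the three failure points this thread works through:
#  1. no policy loaded yet: the kernel reports contexts by initial-SID name, so
#     /proc/self/attr/current reads "kernel" instead of user:role:type;
#  2. ext4 mounts lacking the seclabel option, as in the /proc/self/mounts
#     listing quoted above;
#  3. the label itself, read from the security.selinux xattr with getfattr so
#     that an ls built without libselinux ("? .viminfo") cannot hide it.
# Hypothetical helper names; not part of the thread or of any SELinux tool.

# Constructed sample of /proc/self/mounts, modelled on the listing in the
# thread, with /home given seclabel so both outcomes are exercised.
SAMPLE_MOUNTS='/dev/root / ext4 rw,relatime,data=ordered 0 0
/dev/sda5 /home ext4 rw,seclabel,relatime,data=ordered 0 0
/dev/sda6 /var ext4 rw,relatime,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Print the mount point of every ext4 filesystem whose option list (field 4)
# has no "seclabel" entry. Reads mount-table lines from stdin.
mounts_without_seclabel() {
    awk '$3 == "ext4" && $4 !~ /(^|,)seclabel(,|$)/ { print $2 }'
}

# Decide from a process context string whether a policy is loaded.
# Returns 0 for a user:role:type[:range] string, 1 for "kernel" or anything
# else (before load_policy runs, init and its children all report "kernel").
policy_loaded_from_context() {
    case "$1" in
        *:*:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Read the on-disk label of a file straight from its xattr, as suggested in
# the thread; prints "<no label>" when the attribute is absent or unreadable.
file_label() {
    label=$(getfattr --only-values -n security.selinux "$1" 2>/dev/null)
    if [ -n "$label" ]; then
        printf '%s\n' "$label"
    else
        printf '<no label>\n'
    fi
}

# Run the checks against the live system; any paths given are labelled.
live_diagnose() {
    if [ ! -e /sys/fs/selinux/enforce ]; then
        echo "selinuxfs is not mounted at /sys/fs/selinux; SELinux is off in the kernel"
        return 1
    fi
    ctx=$(cat /proc/self/attr/current 2>/dev/null | tr -d '\0')
    if policy_loaded_from_context "$ctx"; then
        echo "policy loaded: current context is $ctx"
    else
        echo "no policy loaded: current context is '${ctx:-<unreadable>}'"
        echo "  (init must load policy, or run load_policy -i from the initramfs)"
    fi
    missing=$(mounts_without_seclabel < /proc/self/mounts)
    if [ -n "$missing" ]; then
        echo "ext4 mounts without seclabel:"
        printf '%s\n' "$missing" | sed 's/^/  /'
    else
        echo "all ext4 mounts carry seclabel"
    fi
    for f in "$@"; do
        echo "$f: $(file_label "$f")"
    done
}

# Default run: exercise the parsers on the constructed sample.
# Invoke as "sh selinux-diag.sh --live [file ...]" to inspect a real machine.
if [ "${1:-}" = "--live" ]; then
    shift
    live_diagnose "$@"
else
    echo "ext4 mounts without seclabel in the sample table:"
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_seclabel | sed 's/^/  /'
    for ctx in kernel system_u:system_r:init_t:s0; do
        if policy_loaded_from_context "$ctx"; then
            echo "context '$ctx': policy loaded"
        else
            echo "context '$ctx': no policy loaded"
        fi
    done
fi
```

On the appliance in the thread, the live run would have reported "/", "/home", "/var" and "/boot" before "make load" and nothing afterwards, while file_label on ~/.viminfo returns the user_home_t context that restorecon set even though ls -Z shows "?".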

* Re: Newbie question on fixfiles
From: Thomas Downing @ 2016-01-29 20:13 UTC
  To: selinux

On Friday, January 29, 2016 15:05:54 Stephen Smalley wrote:
> On 01/29/2016 02:41 PM, Thomas Downing wrote:
> > On Friday, January 29, 2016 14:25:43 Stephen Smalley wrote:
> > [snip]
> > 
> >>>> This implies that you haven't loaded a policy into the kernel. Normally
> >>>> this is done by init; both sysvinit and systemd should already include
> >>>> the necessary bits but you may have to enable them in your configure.
> >>> 
> >>> Okay, my bad, I thought I had done "make load" in
> >>> /etc/selinux/refpolicy/src/policy, but I guess I missed that.  So now
> >>> "seclabel" shows up on all ext4 file systems in /proc/mounts, so that is
> >>> good.
> >>> 
> >>> Now running "fixfiles -F -f -v -l fixfiles.log relabel" does not
> >>> complain.
> >>> 
> >>> But now I've got two other problems:
> >>> 
> >>> 1. Looking at the log file produced, only a few files are said to be
> >>> labeled, outside of /run/udev, /dev etc.  What happened to everything
> >>> else in file_contexts?
> >>> 
> >>> 2. None of the files that the log file claims were relabeled, are in
> >>> fact
> >>> labeled, according to 'ls -Z'.
> >>> 
> >>> There is no sysvinit script for selinux stuff for this distro, I need to
> >>> create all that.  Looking at Fedora 22 that is currently SELinux enabled,
> >>> I can't find the systemd unit file that does the load, or I would use
> >>> that as a reference.
> >>> 
> >>> On the other hand, it seems I should be able to use what "make load" does
> >>> as a reference as well.  Is that a valid assumption?
> >> 
> >> SELinux initialization is normally done directly from init code, not
> >> from a script file or unit file, because we need init to load policy and
> >> then re-exec itself or dynamically switch contexts to get init into its
> >> own security context (otherwise it will be left in the kernel's domain).
> >> sysvinit and systemd source code already include that support (as does
> >> Android init); if using them, you might just need to rebuild with the
> >> appropriate configure flags.
> >> 
> >> Alternatively, you could invoke "load_policy -i" from an initramfs
> >> script after switching to the real root and before executing init.
> >> 
> >> If you run restorecon -v /path/to/file for one of these files that
> >> wasn't labeled, what does it say?  What does ls -Z show for the file
> >> before and after?
> > 
> > About init, duh, just not thinking.  I will indeed need to rebuild init.
> > 
> > restorecon -v /home/tdowning/.viminfo:
> > 
> > restorecon reset /home/tdowning/.viminfo context
> > system_u:object_r:user_home_dir_t->system_u:object_r:user_home_t
> > 
> > But ls -aZ:
> > 
> > ? .viminfo
> > 
> > (~/.viminfo is the only file under /home that fixfiles even tried to
> > relabel).
> > 
> > It occurs to me that maybe all of fileutils, coreutils, sysutils, libnss*,
> > pam* and such like might need to be rebuilt?  Maybe ls is just not built
> > right.  I note that 'id -Z' complains "works only on an SELinux-enabled
> > kernel", indicating the need to rebuild all that stuff.
> 
> Yes, you need to rebuild your userspace with SELinux enabled.  You may
> be able to see the actual file context by using getfattr directly, e.g.
> getfattr -n security.selinux /path/to/file
> 
> I assume you aren't using openembedded / yocto for your appliance?
> Because that already has a meta-selinux layer for enabling SELinux support.

Yep, getfattr does show the correct label, which leaves me with one small 
task, rebuild a bunch of stuff with --enable-selinux; and one big task, tailor 
refpolicy to my distro.

Thanks again!

td

