Fedora :: Selinux On Encrypted Root?
Oct 2, 2009
After my cloning problems this morning were resolved, I have been able to complete conversion of the clone to run from an encrypted root partition. However, I have been unable to enable selinux when running from the encrypted root. /etc/selinux/config contains the settings that work on my unencrypted system
SELINUX=enforcing
SELINUXTYPE=targeted
and it is not disabled from the grub bootline, but the encrypted system always comes up with selinux disabled. Attempting to enable it with the command setenforce 1 fails, and to add insult to injury, the selinux administration-gui shows that it is enabled and enforcing. The cloned, now encrypted, system was cloned via rsync -aHXv, so the selinux contexts/attributes have been maintained as near as I can tell. I did have to disable selinux while performing the rsync of the /selinux directory in order to get it to copy and I am wondering if there was still some issue with this method.
I know some of you are running from encrypted root fs's and was wondering: Do you have selinux enabled and is it functioning properly? Any suggestions as to how I might jumpstart it or force it to run? Maybe I should boot into the system and uninstalling/reinstalling selinux?
View 3 Replies
ADVERTISEMENT
Dec 23, 2009
I have installed Fedora Core 11 with SELinux enforcing.It appears (via log files) that if I use a .forward file in the home directory for root that SELinux prevents the use of this mechanism for forwarding e-mail.Is there a way to continue to use SELinux and be able to forward root's e-mail to an outside account?
View 3 Replies
View Related
Jul 13, 2010
I keep my /boot partition on a usb stick, where i keep the keyfile as well. I already generated the keyfile and added it to the LUKS LVM partition.Right now, on bootup I get a nice GUI to enter my 40 character password which is nice but a little tedious What do i need to modify for the system to automatically unlock the partition with the keyfile that is stored on the /boot partition
View 4 Replies
View Related
Dec 2, 2010
I like to do a minimal install, and then run some of my own scripts to install the rest of the packages I need, so to keep a lean system. When installing F14 with a partitioning scheme as follows:
Code:
/boot - 500MB
LVM
- swap - 2048 MB
- / - 15GB
- /home - Rest of file system - Encrypted
Everything works fine and the encryption works with no problem. However, as a friend pointed out to me, if you partition as follows:
Code:
/boot - 100MB/ - Rest of filesystem - Encrypted You are not able to boot the system when doing a minimal install. Meaning: you get up to the point to where you need to enter your password to decrypt the filesystem, and then nothing but..., well, nothing. However, and here it gets interesting, if you use the same partition layout, and you install the "Graphical Desktop", everything works fine. As I can not understand why this happens, I am currently testing a partition setup like so:
Code:
/boot - 100MB
LVM - Encrypted
- / - Rest of filesystem
Just to see if that works.
Anyhow: to make a long story short: It seems that the minimal install "forgets" to add some packages which are needed to decrypt the filesystem. Does anyone know which package this could be or why this occurs, so it can be added as part of the minimal install?
View 4 Replies
View Related
Jul 3, 2011
Been using fedora for a few years now, got a boot error this morning I just have no idea were to start looking. Got a luks encrypted root, getting the following after entering pass-phrase:
...
Starting Stdio Syslog Bridge.
Starting /dev/cgroup failed, see 'systemctl status dev-cgroup.mount' for details.
[code]....
View 2 Replies
View Related
Feb 23, 2009
You can find a list of all the booleans for SELinux (Fedora 10) using getsebool -a My question is, is there a reference online that describes each one. Most of obvious but it's one of those "I have to know because it's there situation).
View 5 Replies
View Related
May 20, 2010
Anyone had any experience with unlocking a LUKS encrypted root partition via ssh? It is ok to leave /boot unencrypted.
There are a few pages from google with the debians variants, archived by putting dropbear into initrd.
I like to do that with my fedora/centos remote servers, but struggle to find any resources specific to it. Anyone has any suggestions and thoughts as to what might be a suitable way forward?
View 2 Replies
View Related
Oct 24, 2010
My understanding is SELinux adds type enforcement to standard Linux. This means that both the standard Linux and enhanced SELinux access controls must be satisfied to access an object. Which means that thing that is prevented to do in the normal standard Linux will be also prevented in the SELinux System? Does SELinux make it possible to run a non-root software to bind to a port < 1024? something that standard Linux won't allow? If not, what other suggestions do you have for allowing a program to run as non-root but able to bind to privileged ports? I know all about using the port re-direction such as ipchains, iptables.
View 4 Replies
View Related
Jul 12, 2010
I try to encrypt root file system on Opensuse 11.1 and I have found up to two possibilities.
1. [url]
2. [url]
In the first case, i have a Problem with entering password, for each partition on encrypted disk, i must enter my password.(For 3 partition 3 times)
And in the second version to get i nowhere.
Code:
View 5 Replies
View Related
Dec 17, 2008
I am trying to get Slackware 12.2 running on a system with two identical harddiscs using RAID-1, LVM and LUKS.
Here is what I get:
Code:
The system is still the same, however, the results of upgrading or installing 12.2 are different. The system refuses to boot. The screen messages during boot seem to suggest, that the RAID system is "seen" by the system, but the encrypted filesystem is not.
I can boot with the installation DVD, however, and
Code:
View 14 Replies
View Related
Apr 2, 2010
Can't start Ubuntu, stops after first password. I can access files on my encrypted partitions with LiveCD but I wonder if I can install Ubuntu and still have access to the encrypted drives as I can with LiveCD?
View 1 Replies
View Related
Apr 15, 2009
OpenSuSE 11.1 is by far the best SuSE version in a long time. It's generally up to competition or ahead of it. It's admirable, how thoughtful this system is set up, and how clean and fast it is compared to its predecessors. It ssems, that SuSE is fighting its way back to where they came from before the Novell "merger."
Having said that, it is even harder to understand, IMHO, why the installer doesn't support encrypted root partitions. Of course, there is a manual solution:
http://en.opensuse.org/Encrypted_Roo...ith_SUSE_HOWTO
However, this HOW-TO doesn't explain how to combine LUKS encryption with LVM on a RAID-1 system, as described for Slackware 12.2 here:
[url]
[url]
Is there a similar guide anywhere available for OpenSuSE 11.1?
If not: Would it be possible to do all the low-level setup work, like partitioning, setting up the logical volumes and encrypting everything, with Slackware, following the document above, and then install OpenSuSE 11.1 on that system? Would that work?
View 5 Replies
View Related
Mar 21, 2011
there is a way to mount, encrypted partitions as a normal user and not as root so that i may copy files into it using the file manager itself? even in the case of normal partitions other than /home, i can't seem add any data in them. the mount points i used are seperate directories within the /home partition?? also, is there a way to create partitions in such a way that it can be accessed, just as how windows partitions are accessed in linux?
View 9 Replies
View Related
Jun 6, 2010
Recently set up root encryption with a couple of LVM volumes inside one LUKS volume, and I am just a little confused as to how I would go about getting it to automatically unlock using a keyfile stored on a USB flash drive, I presume I would have to put the drive in the fstab inside my initramfs (if there is one), and add a hook for USB device support.
But I digress, essentially, I want to know what I have to do to enable my LUKS volume (containing all of my partitions sans /boot) to unlock using a keyfile stored on a USB flash drive, rather than a manually entered passphrase.
View 2 Replies
View Related
Jun 1, 2013
I'm a long time user of Debian, but I'm having trouble with my partitioning process. Here is where I currently stand:
I am installing the latest Wheezy build. I am trying to install debian with an encrypted LVM that spans two hard disks.
My partitioning layout is as:
1. /home
2. /root
3. swap
4. /boot
I then added partitions 1, 2 and 3 to a physical volume group. I then took that physical volume group and added it to a logical volume. Then I encrypted the logical volume, leaving the /boot partition untouched. I was under the assumption that the only partition the system needed free to reach the loading of the LVM is the /boot partition, as it holds the files necessary for booting. But when I attempt to finalize the disk, it gives an error stating, "No root file system detected". That would be an issue as it is currently sitting inside the encrypted LV. Am I wrong in including the root partition in the encrypted LV?
What is the best way of having as little of my file system non-encrypted as possible while still allowing a proper boot?
View 9 Replies
View Related
Mar 31, 2009
Centos 5.3 includes Ext4 and improved support for encrypted file systems but it appears to be aimed at laptop/desktop systems, in that a password must be entered at boot time.
Is it possible to have a server with an encrypted root file system boot up without entering a password?
Mandos will do it...
http://wiki.fukt.bsnet.se/wiki/Mandos
...by serving up the password from another server...
http://packages.debian.org/squeeze/mandos
...to a client loaded into the initial RAM disk environment...
http://packages.debian.org/squeeze/mandos-client
...but it's not available on CentOS, and is only in Debian unstable.
Is there a similar (or any) solution for CentOS?
In particular, I'm envisaging encrypted virtual machines being served passwords from their virtual host.
Alternatively, the data that *really* needs to be protected could be encrypted while the system core remains unencrypted. But then the keys to decrypt the file system must be stored in the unencrypted portion, so this is not an effective method.
View 3 Replies
View Related
Jan 17, 2011
I'm running into some problems setting up Tor on Fedora 14. I have followed the following guide to a T (although I realize it is for Fedora 10):orum.org/showthread.php?t=211516.I believe the problem is SELinux... but I'm not sure. Has anyone had any success running Tor in Fedora 14 without it bugging out? If not, is there some sort of Unix alternative?
View 12 Replies
View Related
Jul 18, 2009
How can I solve the problem?
View 1 Replies
View Related
Jan 18, 2010
There are several options available, such as "Ignore Alert" and "Turn off memory protection". What are the consequences of choosing one or the other?I'm new to Fedora and I'm not familiar with SELinux. Can someone please give me guidelines (or explanation) on how to deal with SELinux alerts?
View 7 Replies
View Related
Mar 7, 2011
I installed Ubuntu 10.10 64 on my laptop with the entire 500gb setup as encrypted LVM. This has worked well for several months with no problems. During this time i have been backing up the data to an external usb drive (1tb) on a regular basis. The usb drive was not encrypted. So, I thought it would be a good idea to encrypt the backup drive too. I wiped out the backup drive and set it up as one large encrypted lvm and mbr. This seemed to work fine but immediately afterwards I decided to erase that and set it up as encrypted lvm guid instead of mbr. I couldn't delete it while logged into my desktop so i decided to do it from a bootable gparted usb stick. In gparted i erased the 1TB backup drive once again and planned on setting it up the way I wanted once I was logged back into my ubuntu desktop. Now I cant boot into my desktop with the following errors:
cryptsetup: evms_activate is not available b0d) does not begin with /dev/mapper/
Then after waiting for a few minutes I get an error followed by (initramfs)
When booting from a live version of ubuntu the 250MB boot patition is recognized and 500 partion is there but it is labeled as empty/unused.
Also, I did choose to use the exact same passphrase as what is used on the main bootable drive when I set up the encrypted partition on the external 1TB drive.
View 9 Replies
View Related
Jan 5, 2010
I've just started using ubuntu one. However, some of the files I store on there are sensitive so I encrypt them using seahorse. Right click, encrypt etc etc. My question is, is there a way to automatically get the encrypt process to delete the un-encrypted file when it makes the new encrypted copy?
View 6 Replies
View Related
Jul 14, 2009
I came across the following method of how to permanently disabling selinux and it's notifications. Although changing enforcement from the gui into permissive mode does most of the job, the notifications still pop-up when some applications are started.
So to disable it do the following:
open terminal as root and execute:
Quote:
And then change the SELINUX line to SELINUX=disabled
Quote:
This is it. Now reboot the system and selinux will never bother you again.
If you are not a Fedora user and you are using this forum just because we are cooler here then you will not find the /etc/selinux/config as in the fedora releases. What you need to do is to edit the kernel boot line and add selinux=0 at the end:
Quote:
Reboot the system
View 14 Replies
View Related
Nov 18, 2009
I just upgraded to fedora 12 via clean install with old /home partition and deleting old config files, and here is my issue. I need to edit the menu, and I need to set SELinux to permissive. OOo will not run with SELinux enabled for some reason, and besides, all my systems use SELinux in permissive. These two options no longer exist in the menu
View 7 Replies
View Related
Dec 4, 2009
I made the Selinux inactive with easylife how can I reactivate it.
View 6 Replies
View Related
Oct 20, 2010
I'm attempting to get MapServer running on my Fedora 13 computer. I was able to install with the package manager, and the executable (mapserv) was originally placed in /usr/sbin. But I need it in /var/www/cgi-bin to work on the webserver. So I copied the file to the right location. Unfortunately, it doesn't have the correct SELinux context. Here's the message from the troubleshooter:
SELinux denied access requested by /var/www/cgi-bin/mapserv. /var/www/cgi-bin/mapserv is mislabeled. /var/www/cgi-bin/mapserv default type is httpd_sys_script_exec_t, but its current type is httpd_sys_script_exec_t. Changing this file back to the default type, may fix your problem.
How's that for circular logic? Does anyone have an idea what the correct SELinux context for a cgi-bin executable might be?
View 3 Replies
View Related
Nov 10, 2010
Trying to keep selinux enabled. When I start SeLinux Troubleshooter from the menu, which is inautostart as well, It tells me SELinux not enabled, sealert will not run on nonSELinus systems".How do I get SELinux permanently started then
View 10 Replies
View Related
Jan 2, 2011
I get the SELinux and wine error. How can this be fixed?
View 1 Replies
View Related
Jan 9, 2011
I have trouble with my Fedora 14 on laptop, that I never had on previous Fedora versions (10-13).The SELinux not allow mplayer to play flv files and I cannot convert any files from flv to mp3.I have all codecs installed.Also Totem not works propely.I can shutdown SELinux (but dont want to) but there still remain (already installed) codec, which cant be found (decoder h.264).So its not matter if I shutdown SELinux because I still cant play flv
Ok so there are my error message (sorry for my english!):
Code:
ffmpeg
ffmpeg: error while loading shared libraries: libxvidcore.so.4: cannot enable executable
[code]...
View 5 Replies
View Related
Jan 17, 2011
My newly installed Fedora-14 (64-bit) has SELinux disabled. I can't find any way to enable it. I tried to set it manually in /etc/selinux/config to enforcing or permissive but nothing happens after reboot. In GUI configuration tool it is set to disabled and grayed out so that there is no way to enable it there. Is there another way to enable SELinux?
View 11 Replies
View Related
Apr 30, 2011
I tried to log in to my xguest account and it asked for a password, which it shouldn't, so there's a problem with SELinux.When I type getenforce it says it is disabled, yet when I go to /etc/selinux and look at the config, it is in enforcing mode and not commented out, type is strict.When I go to the SELinux management GUI I can't change the current enforcing mode and it's set to disabled and default to enforcing.
View 2 Replies
View Related