SELinux configure in permissive mode

SUSE Product Topics SLES Configure-Administer
1

Hi Team,
I am trying to configure SLES15SP1 system with SELinux in permissive mode, for that i followed the steps mentioned in this docs: https://documentation.suse.com/sles/15-SP1/pdf/book-security_color_en.pdf
And found out that SUSE does not give default selinux-policy, and hence we need to install the same.
From internet found one from link: https://software.opensuse.org/download.html?project=security%3ASELinux&package=selinux-policy

But i am getting the errors:

sles15sp1-selinux-exp:~ # zypper install selinux-policy-targeted

Problem: selinux-policy-targeted-20200219-2.2.noarch requires policycoreutils >= 3.0, but this requirement cannot be provided
not installable providers: policycoreutils-3.0-145.2.x86_64[security_SELinux]
Solution 1: Following actions will be done:
install policycoreutils-3.0-145.2.x86_64 (with vendor change)
SUSE LLC https://www.suse.com/ → obs://build.opensuse.org/security:SELinux
install policycoreutils-lang-3.0-145.2.noarch (with vendor change)
SUSE LLC https://www.suse.com/ → obs://build.opensuse.org/security:SELinux
install python3-policycoreutils-3.0-145.2.x86_64 (with vendor change)
SUSE LLC https://www.suse.com/ → obs://build.opensuse.org/security:SELinux
install libsepol1-3.0-86.1.x86_64 (with vendor change)
SUSE LLC https://www.suse.com/ → obs://build.opensuse.org/security:SELinux
install libsepol-devel-3.0-86.1.x86_64 (with vendor change)
SUSE LLC https://www.suse.com/ → obs://build.opensuse.org/security:SELinux
Solution 2: do not install selinux-policy-targeted-20200219-2.2.noarch
Solution 3: break selinux-policy-targeted-20200219-2.2.noarch by ignoring some of its dependencies
Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1

The following 7 packages have no support information from their vendor:
libsepol-devel libsepol1 policycoreutils policycoreutils-lang python3-policycoreutils selinux-policy selinux-policy-targeted
5 packge to upgrade, 2 new, 5 to change vendor.
Overall download size: 11.9 MiB. Already cached: 0 B. After the operation, additional 33.7 MiB will be used.
Continue? [y/n/v/…? shows all options] (y):
Retrieving package libsepol1-3.0-86.1.x86_64 (1/7), 277.4 KiB (798.5 KiB unpacked)
Retrieving: libsepol1-3.0-86.1.x86_64.rpm …[done]
Retrieving package python3-policycoreutils-3.0-145.2.x86_64 (2/7), 1.6 MiB ( 2.9 MiB unpacked)
Retrieving: python3-policycoreutils-3.0-145.2.x86_64.rpm …[done (418.5 KiB/s)]
Retrieving package libsepol-devel-3.0-86.1.x86_64 (3/7), 44.7 KiB (125.1 KiB unpacked)
Retrieving: libsepol-devel-3.0-86.1.x86_64.rpm …[done]
Retrieving package policycoreutils-3.0-145.2.x86_64 (4/7), 284.0 KiB (680.0 KiB unpacked)
Retrieving: policycoreutils-3.0-145.2.x86_64.rpm …[done (374.8 KiB/s)]
Retrieving package selinux-policy-20200219-2.2.noarch (5/7), 26.2 KiB ( 18.2 KiB unpacked)
Retrieving: selinux-policy-20200219-2.2.noarch.rpm …[done]
Retrieving package policycoreutils-lang-3.0-145.2.noarch (6/7), 410.8 KiB ( 3.3 MiB unpacked)
Retrieving: policycoreutils-lang-3.0-145.2.noarch.rpm …[done]
Retrieving package selinux-policy-targeted-20200219-2.2.noarch (7/7), 9.3 MiB ( 33.3 MiB unpacked)
Retrieving: selinux-policy-targeted-20200219-2.2.noarch.rpm …[done (634.7 KiB/s)]
Checking for file conflicts: …[done]
(1/7) Installing: libsepol1-3.0-86.1.x86_64 …[done]
(2/7) Installing: python3-policycoreutils-3.0-145.2.x86_64 …[done]
(3/7) Installing: libsepol-devel-3.0-86.1.x86_64 …[done]
(4/7) Installing: policycoreutils-3.0-145.2.x86_64 …[done]
(5/7) Installing: selinux-policy-20200219-2.2.noarch …[done]
Additional rpm output:
Updating /etc/sysconfig/selinux-policy …
(6/7) Installing: policycoreutils-lang-3.0-145.2.noarch …[error]
Installation of policycoreutils-lang-3.0-145.2.noarch failed:
Error: Subprocess failed. Error: RPM failed: error: Plugin selinux: hook tsm_pre failed
Abort, retry, ignore? [a/r/i] (a): i
(7/7) Installing: selinux-policy-targeted-20200219-2.2.noarch …[error]
Installation of selinux-policy-targeted-20200219-2.2.noarch failed:
Error: Subprocess failed. Error: RPM failed: error: Plugin selinux: hook tsm_pre failed
Abort retry, ignore? [a/r/i] (a): i
sles15sp1-selinux-exp:~ #
++++++++++++++++++++++++++++++++++++++++++
I modified the grub 2 to enable selinux and set enforce to permissive mode, but after reboot of the system, system never comes to permissive mode.
sestatus -v, always shows disabled, and i am stuck with this situation.
can you guide me to resolve to this issue, as i want to run system in permissive mode.
Thanks,
Akash

2

Hi
If your tempted/going to use unsupported files for the Open Build Service it really needs to be built against SLE Backports so it stays in sync with SLE. You could ask the maintainers to build against backports, if so you won’t get those conflicts. The other option is to grab the src rpm and rebuild that locally so it uses the SLE build environment.
Neither of the above leads to a supported system, maybe consider opening a Support Request to see why only parts are provided?