selinux-policy setup error with SLES15 SP2

Hi,
I am setting up selinux-policy on SLES 15 SP 2 and the setup is failing to reboot after setup.

  1. zypper addrepo https://download.opensuse.org/reposi...y:SELinux.repo
  2. zypper refresh
  3. zypper install selinux-policy
  4. selinux-ready
    Start checking your system if it is selinux-ready or not:
    check_dir: OK. /selinux exists.
    check_filesystem: OK. Filesystem ‘securityfs’ exists.
    check_filesystem: ERR. Filesystem ‘selinuxfs’ is missing. Please enable SELinux while compiling the kernel.
    check_boot: Assuming GRUB2 as bootloader.
    check_boot: OK. Current kernel ‘vmlinuz-4.12.14-195-default’ has boot-parameters ‘security=selinux selinux=1’
    check_boot: OK. Other kernels with correct parameters: vmlinuz-4.12.14-195-default
    check_mkinitrd: OK. Your initrd seems to be correct.
    check_packages: OK. All essential packages are installed
    check_config: OK. Config file seems to be there.
    check_config: OK. SELINUX is set to ‘permissive’.
    check_pam: OK. Your PAM configuration seems to be correct.
    check_runlevel: OK. restorecond is enabled on your system
  5. Add following parameters to “/etc/default/grub”
    security=selinux selinux=1 enforcing=0
  6. Reboot hangs

Any help here would be greatly appreciated.

Thanks
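
The selinux-ready output in the post above has one ERR line among the OK lines. As an added example (not part of the original post), this wrapper extracts failed checks from such output and refuses to proceed while any remain. The function names are hypothetical, and the sample report is constructed, abridged from the output above.

```shell
#!/bin/sh
# Added example: refuse to reboot while `selinux-ready` reports a failed check.

# Print "check_name<TAB>message" for every ERR line read from stdin.
failed_checks() {
    awk '/^[ \t]*check_[a-z_]+:[ \t]*ERR\./ {
        line = $0; sub(/^[ \t]+/, "", line)
        name = line; sub(/:.*/, "", name)            # text before the first colon
        msg = line;  sub(/^[^:]*:[ \t]*ERR\.[ \t]*/, "", msg)
        printf "%s\t%s\n", name, msg
    }'
}

# True when the filesystem list (default /proc/filesystems) contains selinuxfs.
# Assumption: the running kernel registers selinuxfs only when SELinux is active.
kernel_has_selinuxfs() {
    grep -qw selinuxfs "${1:-/proc/filesystems}"
}

# Return 0 only when the report in $1 has no ERR line; list failures on stderr.
safe_to_reboot() {
    fails=$(printf '%s\n' "$1" | failed_checks)
    if [ -z "$fails" ]; then
        return 0
    fi
    printf 'not rebooting, failed checks:\n%s\n' "$fails" >&2
    return 1
}

# Constructed sample, abridged from the selinux-ready output in the post above.
SAMPLE_REPORT=$(cat <<'EOF'
Start checking your system if it is selinux-ready or not:
    check_dir: OK. /selinux exists.
    check_filesystem: OK. Filesystem 'securityfs' exists.
    check_filesystem: ERR. Filesystem 'selinuxfs' is missing. Please enable SELinux while compiling the kernel.
    check_boot: OK. Current kernel 'vmlinuz-4.12.14-195-default' has boot-parameters 'security=selinux selinux=1'
    check_config: OK. SELINUX is set to 'permissive'.
EOF
)

# On a real host: safe_to_reboot "$(selinux-ready 2>&1)" && kernel_has_selinuxfs
```
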

@“ashish-kumar@hpe.com” Hi and welcome to the Forums :slight_smile:
Not sure why you are using unsupported openSUSE repositories? Is the system not registered for the SUSE repositories and updates?
Are you following: https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-selinux.html

We have a SUSE-supported system. However, there is no selinux-policy that is available along with SLES. The link provided indicates to use RefPolicy https://github.com/SELinuxProject/refpolicy/wiki. This means we would need to build the policies. Is that the approach that SUSE would recommend?

@“ashish-kumar@hpe.com” Hi, then why add the openSUSE repository? All required files/libraries are available from the registered system repositories? I would remove the openSUSE repository and clean out the packages installed from there and install the SUSE ones…

Yes, that would be my assumption for the policies, I’m just a helper here, not a SUSE employee :wink:

Have removed all references to openSUSE and repository. Why does SUSE not provide selinux-policy? Registered system does not provide this package.

@“ashish-kumar@hpe.com” Hi, likely a generic policy would not fit the needs of most setups, hence the build your own for your requirements… seems a good idea as only the system administrator(s) know what their requirements are.

SUSE must provide minimal SELinux policies, and then if respective individual environments need more policies to be built and deployed, that can be taken care of by individuals. I would strongly recommend SUSE to consider this for upcoming releases.