I have a bootable DVD which boots the same Kernel as the Hard Drive (which uses SELinux). I have copied /etc/selinux and all kernel modules to my ramdisk, and have tried various combinations of selinux=1 and selinux 1 with enforcing 1 and enforcing 0 as Kernel boot parameters. All files contained in the checkpolicy, libselinux, policycoreutils, selinux-policy and selinux-policy-targeted rpms have also been copied into the ramdisk tree.
After the system boots from the ramdisk, I check dmesg:
% dmesg | grep -i selinux
Kernel command line: initrd=idrd.img ramdisk_size=110476 selinux=1
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
SElinux: Registering netfilter hooks
But SELinux isn't running:
% /usr/sbin/getenforce
Disabled
% /usr/sbin/setenforce 1
/usr/sbin/setenforce: SELinux is disabled
Neither /var/log/messages nor /proc/kmsg holds clues.
What's not immediately obvious is that SELinux requires selinuxfs to be mounted. When mounted, selinuxfs appears in /proc/mounts but not in the output of the mount command.
Mounting selinuxfs in my initrd did the trick.
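As an added illustration of the check described in this answer (example script, not code from the original thread): the functions below read a mounts table in /proc/mounts format, report whether a selinuxfs entry is present and where it is mounted, and mount selinuxfs in an initrd only when it is missing. The two sample mount tables are constructed for the example; the mount point /sys/fs/selinux is the modern default, while kernels of the era of this thread used /selinux, so the path is a parameter.

```shell
#!/bin/sh
# Added example, not part of the original thread: detect and mount selinuxfs.
# The answer above notes that selinuxfs shows up in /proc/mounts even though
# the mount command does not list it, so /proc/mounts is what we read.

# Constructed sample mount tables in /proc/mounts format (not captured from a real system).
SAMPLE_WITH_SELINUXFS='rootfs / rootfs rw 0 0
/dev/ram0 / ext2 rw 0 0
proc /proc proc rw 0 0
none /selinux selinuxfs rw 0 0'

SAMPLE_WITHOUT_SELINUXFS='rootfs / rootfs rw 0 0
/dev/ram0 / ext2 rw 0 0
proc /proc proc rw 0 0'

# Exit 0 if the mounts table (default /proc/mounts) has a selinuxfs entry, 1 otherwise.
# Field 3 of each /proc/mounts line is the filesystem type.
selinuxfs_mounted() {
    mounts_file="${1:-/proc/mounts}"
    awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$mounts_file"
}

# Print the mount point (field 2) of the first selinuxfs entry, or nothing if absent.
selinuxfs_mountpoint() {
    mounts_file="${1:-/proc/mounts}"
    awk '$3 == "selinuxfs" { print $2; exit }' "$mounts_file"
}

# Mount selinuxfs at the given directory (default /sys/fs/selinux; older
# kernels used /selinux) unless the mounts table already shows it mounted.
# Intended for an initrd init script; needs root and a kernel with SELinux built in.
ensure_selinuxfs() {
    mount_dir="${1:-/sys/fs/selinux}"
    mounts_file="${2:-/proc/mounts}"
    if selinuxfs_mounted "$mounts_file"; then
        echo "selinuxfs already mounted at $(selinuxfs_mountpoint "$mounts_file")"
        return 0
    fi
    mkdir -p "$mount_dir" || return 1
    mount -t selinuxfs selinuxfs "$mount_dir"
}

# Usage from an initrd init script:  ensure_selinuxfs /selinux
# Usage as a standalone check:        ./selinuxfs.sh --check
if [ "${1:-}" = "--check" ]; then
    if selinuxfs_mounted; then
        echo "selinuxfs mounted at $(selinuxfs_mountpoint)"
    else
        echo "selinuxfs is not mounted"
    fi
fi
```

Reading /proc/mounts rather than the output of mount matters here because libselinux itself locates selinuxfs by scanning /proc/mounts; when no entry is found, getenforce and setenforce report SELinux as disabled even though the kernel logged "SELinux: Initializing", which is exactly the symptom in the question.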
Not really sure. What distro, out of curiosity? Perhaps enforcing=1 will do the trick. Dan Walsh is pretty knowledgeable on this, I think he does the policy for SELinux @ Fedora. I also base it off the Fedora Docs wiki page.