https://bugzilla.suse.com/show_bug.cgi?id=1226937
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c5

--- Comment #5 from Felix Niederwanger <felix.niederwanger@suse.com> ---

I'm trying to set up SELinux following the steps from the documentation and using the new repository https://download.opensuse.org/repositories/security:/SELinux/15.6/, but it results in a borked system.

## Reproducer

Install the SELinux toolchain and default policy (targeted):
```
# zypper ar -p 10 https://download.opensuse.org/repositories/security:/SELinux/15.6/ SELinux
# zypper ref
# zypper in --allow-vendor-change restorecond policycoreutils setools-console selinux-policy-targeted selinux-policy-devel
```
Check if SELinux is in permissive mode, and if the right policy is set:

```
# cat /etc/selinux/config
...
SELINUX=permissive
SELINUXTYPE=targeted
...
```
Add SELinux to the kernel parameters (adding "security=selinux selinux=1" to GRUB_CMDLINE_LINUX_DEFAULT):
```
# vim /etc/default/grub
...
# old value: GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto quiet security=apparmor console=ttyS0"
GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto security=selinux selinux=1 console=ttyS0"
...
```
Then update the grub configuration:

```
# update-bootloader
```
I'm also putting the autorelabel file there, but that doesn't seem to have any effect:

```
# touch /.autorelabel
```
Reboot the system:

```
# reboot
```
With those steps I end up in an emergency shell because systemd gets a SIGTERM. Find attached the full dmesg log, but the important messages are coming from Switch Root:
```
Starting Switch Root...
[ 3.325002][ T187] systemd-journald[187]: Received SIGTERM from PID 1 (systemd).
[ 3.406337][ T1] SELinux: policy capability network_peer_controls=1
[ 3.407332][ T1] SELinux: policy capability open_perms=1
[ 3.408284][ T1] SELinux: policy capability extended_socket_class=1
[ 3.409868][ T1] SELinux: policy capability always_check_network=0
[ 3.410543][ T1] SELinux: policy capability cgroup_seclabel=1
[ 3.411176][ T1] SELinux: policy capability nnp_nosuid_transition=1
[ 3.411875][ T1] SELinux: policy capability genfs_seclabel_symlinks=1
[ 3.412600][ T1] SELinux: policy capability ioctl_skip_cloexec=0
[ 3.469440][ T30] audit: type=1403 audit(1719911454.692:4): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 3.470858][ T1] systemd[1]: Failed to compute init label, ignoring.
[ 3.472421][ T1] systemd[1]: Successfully loaded SELinux policy in 98.150ms.
[ 3.540672][ T1] systemd[1]: Relabeled /dev, /dev/shm, /run, /sys/fs/cgroup in 23.695ms.
[ 3.541949][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/core: Invalid argument
[ 3.543604][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/fd: Invalid argument
[ 3.545244][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stdin: Invalid argument
[ 3.546898][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stdout: Invalid argument
[ 3.548544][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stderr: Invalid argument
[ 3.550014][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd: Invalid argument
[ 3.551481][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/system: Invalid argument
[ 3.552990][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/mount-rootfs: Invalid argument
[ 3.554577][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:var_run_t:s0 for /run/credentials: Invalid argument
[ 3.555985][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible: Invalid argument
[ 3.557511][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/reg: Invalid argument
[ 3.559026][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/dir: Invalid argument
[ 3.560483][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/fifo: Invalid argument
[ 3.562018][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/sock: Invalid argument
[ 3.563497][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/chr: Invalid argument
[ 3.565174][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/blk: Invalid argument
[ 3.568442][ T1] systemd[1]: systemd 254.13+suse.89.ga8a3a9567d running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[ 3.572478][ T1] systemd[1]: Detected virtualization kvm.
[ 3.573086][ T1] systemd[1]: Detected architecture x86-64.

Welcome to openSUSE Leap 15.6!

[ 3.575453][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/propagate/.os-release-stage/os-release: Invalid argument
[ 3.968451][ T1] systemd[1]: bpf-lsm: LSM BPF program attached
[ 3.973575][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/units: Invalid argument
[ 3.986780][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator: Invalid argument
[ 3.995861][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator.early: Invalid argument
[ 4.003085][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator.late: Invalid argument
[ 4.065846][ T30] audit: type=1400 audit(1719911455.288:5): avc: denied { read } for pid=522 comm="grep" name="cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[ 4.069101][ T30] audit: type=1400 audit(1719911455.288:6): avc: denied { open } for pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[ 4.072239][ T30] audit: type=1400 audit(1719911455.288:7): avc: denied { getattr } for pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[ 4.135495][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_userdbd_runtime_t:s0 for /run/systemd/userdb: Invalid argument
[ 4.281057][ T1] systemd[1]: initrd-switch-root.service: Deactivated successfully.
[ 4.296435][ T1] systemd[1]: Stopped Switch Root.
[ 4.297447][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_passwd_var_run_t:s0 for /run/systemd/ask-password: Invalid argument
[ OK ] Stopped Switch Root.
```
What am I doing wrong?