[Bug 1234621] [SELinux] full relabelling required after booting to recovery/single-user mode
https://bugzilla.suse.com/show_bug.cgi?id=1234621

https://bugzilla.suse.com/show_bug.cgi?id=1234621#c2

--- Comment #2 from pallas wept <pallaswept@proton.me> ---
(In reply to Thorsten Kukuk from comment #1)

Thanks for your help Thorsten :) I tried to be brief (Poor Cathy has heard me talk enough haha) but I think I left out too much detail.

> You need to add "security=selinux" to all boot entries,

I followed these instructions for my migration: https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl...

So I have that param in GRUB_CMDLINE_LINUX_DEFAULT, and that way, it will be applied to all boot entries. Except, that doesn't work for the recovery mode entries, so if we have some kind of disaster, then use recovery mode, it breaks selinux, and we need to relabel. That is the problem I hoped to resolve here, that using these recovery mode entries in grub requires manual relabelling afterwards.

To avoid this, I thought that I could add the param to GRUB_CMDLINE_LINUX_RECOVERY, but that does not exist yet, so it felt like maybe I would be 'doing it wrong'. I also considered that, rather than putting the param in both of those entries, I could just use GRUB_CMDLINE_LINUX, which applies both to normal boot and also recovery mode, and is already present in the grub config file. However, that does not appear to be editable by yast, so I thought that the _RECOVERY entry might be best.

> as the default for Tumbleweed is AppArmor and not SELinux.

Pardon me if I've misunderstood, but for new installations, I understood that the default would be SELinux since recently? ( https://bugzilla.opensuse.org/show_bug.cgi?id=1230118 )

It was my intention to configure my machine as it would be for selinux on a new installation, since I assume this problem would not exist there, but I am unsure how the configuration is applied. I can see that it definitely isn't in the grub package (there, the GRUB_CMDLINE_LINUX* entries are just empty), but otherwise, I'm unsure.

Perhaps this problem with recovery mode also exists in new installations? Perhaps it is intentional, to disable selinux in recovery mode, so that selinux problems can not prevent it from being functional? If so, perhaps the grub 30_os-prober script could make two entries for recovery mode, one with selinux, and one without?

Sorry I'm a bit fuzzy on the details.

--
You are receiving this mail because:
You are on the CC list for the bug.