[Bug 1226937] New: [docs]: change repository for SELinux policy in documentation for 15.6
https://bugzilla.suse.com/show_bug.cgi?id=1226937

Bug ID: 1226937
Summary: [docs]: change repository for SELinux policy in documentation for 15.6
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Documentation
Assignee: fs@suse.com
Reporter: cathy.hu@suse.com
QA Contact: fs@suse.com
CC: felix.niederwanger@suse.com
Target Milestone: ---
Found By: ---
Blocker: ---

The Leap 15.6 documentation links to the SELinux_legacy repo for testing purposes here:
https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-...

For 15.6 this repository is linked in the documentation, which is wrong:
https://download.opensuse.org/repositories/security:/SELinux_legacy/15.6/

The correct repository is:
https://download.opensuse.org/repositories/security:/SELinux/15.6/

Could you update it? Thanks :)

--
You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c1

--- Comment #1 from Felix Niederwanger <felix.niederwanger@suse.com> ---

Hey Cathy! Is this correct? https://download.opensuse.org/repositories/security:/SELinux/15.6/ contains updates to the toolchain, but the (outdated) link to https://download.opensuse.org/repositories/security:/SELinux_legacy/ contains the SELinux policy. I cannot find any policies in https://download.opensuse.org/repositories/security:/SELinux/15.6/, so the new link provides something different than the documentation says it would.
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c2

--- Comment #2 from Felix Niederwanger <felix.niederwanger@suse.com> ---

See https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-... for more information. There it explicitly states it would be the repository for the policy, even suggests to install it via
sudo zypper in selinux-policy-targeted selinux-policy-devel
Those packages are not present AFAICS in https://download.opensuse.org/repositories/security:/SELinux/15.6/, so something looks wrong here.
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c3

--- Comment #3 from Cathy Hu <cathy.hu@suse.com> ---

Hi Felix, I am not sure what you mean, the policy is in there as well, see for example: https://download.opensuse.org/repositories/security:/SELinux/15.6/noarch/sel...

security:SELinux contains the toolchain and the policy.

Please let me know if I am misunderstanding, thanks :)
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c4

--- Comment #4 from Felix Niederwanger <felix.niederwanger@suse.com> ---

(In reply to Cathy Hu from comment #3)
> Hi Felix,
> I am not sure what you mean, the policy is in there as well, see for example: https://download.opensuse.org/repositories/security:/SELinux/15.6/noarch/selinux-policy-targeted-20240617-150600.237.2.noarch.rpm
> security:SELinux contains the toolchain and the policy
> Please let me know if I am misunderstanding, thanks :)

Thank you for the useful hint! You are right. It is in the noarch folder, therefore I missed it. I'm back to testing if this works now and will report back.
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c5

--- Comment #5 from Felix Niederwanger <felix.niederwanger@suse.com> ---

I'm trying to set up SELinux following the steps from the documentation and using the new repository https://download.opensuse.org/repositories/security:/SELinux/15.6/ but it results in a borked system.

## Reproducer

Install the SELinux toolchain and default policy (targeted):

# zypper ar -p 10 https://download.opensuse.org/repositories/security:/SELinux/15.6/ SELinux
# zypper ref
# zypper in --allow-vendor-change restorecond policycoreutils setools-console selinux-policy-targeted selinux-policy-devel
Check if SELinux is in permissive mode, and if the right policy is set
# cat /etc/selinux/config
...
SELINUX=permissive
SELINUXTYPE=targeted
...
Add SELinux to the kernel parameters (adding "security=selinux selinux=1" to GRUB_CMDLINE_LINUX_DEFAULT):
# vim /etc/default/grub
...
# old value: GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto quiet security=apparmor console=ttyS0"
GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto security=selinux selinux=1 console=ttyS0"
...
Then update the grub configuration
# update-bootloader
I'm also putting the autorelabel file there, but that doesn't seem to have any effect:
# touch /.autorelabel
Reboot the system:
# reboot
With those steps I end up in an emergency shell because systemd gets a SIGTERM. Find attached the full dmesg log, but the important messages are coming from Switch Root:
Starting Switch Root...
[ 3.325002][ T187] systemd-journald[187]: Received SIGTERM from PID 1 (systemd).
[ 3.406337][ T1] SELinux: policy capability network_peer_controls=1
[ 3.407332][ T1] SELinux: policy capability open_perms=1
[ 3.408284][ T1] SELinux: policy capability extended_socket_class=1
[ 3.409868][ T1] SELinux: policy capability always_check_network=0
[ 3.410543][ T1] SELinux: policy capability cgroup_seclabel=1
[ 3.411176][ T1] SELinux: policy capability nnp_nosuid_transition=1
[ 3.411875][ T1] SELinux: policy capability genfs_seclabel_symlinks=1
[ 3.412600][ T1] SELinux: policy capability ioctl_skip_cloexec=0
[ 3.469440][ T30] audit: type=1403 audit(1719911454.692:4): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 3.470858][ T1] systemd[1]: Failed to compute init label, ignoring.
[ 3.472421][ T1] systemd[1]: Successfully loaded SELinux policy in 98.150ms.
[ 3.540672][ T1] systemd[1]: Relabeled /dev, /dev/shm, /run, /sys/fs/cgroup in 23.695ms.
[ 3.541949][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/core: Invalid argument
[ 3.543604][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/fd: Invalid argument
[ 3.545244][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stdin: Invalid argument
[ 3.546898][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stdout: Invalid argument
[ 3.548544][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stderr: Invalid argument
[ 3.550014][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd: Invalid argument
[ 3.551481][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/system: Invalid argument
[ 3.552990][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/mount-rootfs: Invalid argument
[ 3.554577][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:var_run_t:s0 for /run/credentials: Invalid argument
[ 3.555985][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible: Invalid argument
[ 3.557511][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/reg: Invalid argument
[ 3.559026][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/dir: Invalid argument
[ 3.560483][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/fifo: Invalid argument
[ 3.562018][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/sock: Invalid argument
[ 3.563497][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/chr: Invalid argument
[ 3.565174][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/blk: Invalid argument
[ 3.568442][ T1] systemd[1]: systemd 254.13+suse.89.ga8a3a9567d running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[ 3.572478][ T1] systemd[1]: Detected virtualization kvm.
[ 3.573086][ T1] systemd[1]: Detected architecture x86-64.

Welcome to openSUSE Leap 15.6!

[ 3.575453][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/propagate/.os-release-stage/os-release: Invalid argument
[ 3.968451][ T1] systemd[1]: bpf-lsm: LSM BPF program attached
[ 3.973575][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/units: Invalid argument
[ 3.986780][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator: Invalid argument
[ 3.995861][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator.early: Invalid argument
[ 4.003085][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator.late: Invalid argument
[ 4.065846][ T30] audit: type=1400 audit(1719911455.288:5): avc: denied { read } for pid=522 comm="grep" name="cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[ 4.069101][ T30] audit: type=1400 audit(1719911455.288:6): avc: denied { open } for pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[ 4.072239][ T30] audit: type=1400 audit(1719911455.288:7): avc: denied { getattr } for pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[ 4.135495][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_userdbd_runtime_t:s0 for /run/systemd/userdb: Invalid argument
[ 4.281057][ T1] systemd[1]: initrd-switch-root.service: Deactivated successfully.
[ 4.296435][ T1] systemd[1]: Stopped Switch Root.
[ 4.297447][ T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_passwd_var_run_t:s0 for /run/systemd/ask-password: Invalid argument
[ OK ] Stopped Switch Root.
What am I doing wrong?
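The reproducer in comment #5, as an added example that is not code from the bug report, the documentation or the openSUSE project: it performs the two file edits of the procedure (the GRUB kernel command line and the /etc/selinux/config check) with the pre-reboot guards a practitioner wants, and adds a small summariser for the "avc: denied" records of the kind seen in the dmesg excerpt. Everything runs against constructed copies of the files under a temporary directory (hypothetical paths; the real ones are /etc/default/grub and /etc/selinux/config), the log lines are constructed from the records quoted in the thread, and the remaining steps (update-bootloader, touch /.autorelabel, reboot) are deliberately left to the operator. It does not diagnose the "Invalid argument" labelling failures shown above.

```shell
#!/bin/sh
# Added example (not from the bug thread): SELinux boot-switch prep with checks,
# run on constructed copies of the config files, plus an AVC denial summariser.
set -eu

# Return $1 (a GRUB_CMDLINE_LINUX_DEFAULT value) with any existing security=/selinux=
# choice replaced by "security=selinux selinux=1"; all other tokens are kept in order.
selinux_cmdline() {
    _out=""
    set -f                                  # no globbing while splitting into words
    for tok in $1; do
        case "$tok" in
            security=*|selinux=*) ;;        # drop the previous LSM selection
            *) _out="${_out:+$_out }$tok" ;;
        esac
    done
    set +f
    printf '%s\n' "${_out:+$_out }security=selinux selinux=1"
}

# Rewrite GRUB_CMDLINE_LINUX_DEFAULT in the grub defaults file $1 (appending the
# variable if it is absent) and print the new value. Idempotent on re-runs.
# Caveat: the sed replacement assumes the cmdline contains no '|', '&' or '\'.
set_grub_selinux() {
    _cur=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tail -n 1)
    _new=$(selinux_cmdline "$_cur")
    _tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1"; then
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$_new\"|" "$1" > "$_tmp"
    else
        { cat "$1"; printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$_new"; } > "$_tmp"
    fi
    cat "$_tmp" > "$1" && rm -f "$_tmp"     # write in place: keeps inode and mode
    printf '%s\n' "$_new"
}

# Succeed only when $1 (an /etc/selinux/config) selects permissive mode and the
# targeted policy: the first SELinux boot must not be enforcing, nothing is labelled yet.
selinux_config_ok() {
    _mode=$(sed -n 's/^SELINUX=\(.*\)$/\1/p' "$1" | tail -n 1)
    _type=$(sed -n 's/^SELINUXTYPE=\(.*\)$/\1/p' "$1" | tail -n 1)
    [ "$_mode" = "permissive" ] && [ "$_type" = "targeted" ]
}

# Reduce "avc: denied" kernel/audit lines in file $1 to "count scontext tclass perms",
# one line per distinct denial, most frequent first (what to review before enforcing).
summarize_avc() {
    grep 'avc: *denied' "$1" \
      | sed -n 's/.*avc: *denied *{ \([^}]*\) } .*scontext=\([^ ]*\) .*tclass=\([^ ]*\).*/\2 \3 \1/p' \
      | sort | uniq -c | sort -rn
}

# Demo on constructed files in a temp dir (not the live system's files).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'GRUB_TIMEOUT=8' \
        'GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto quiet security=apparmor console=ttyS0"' > "$d/grub"
    printf '%s\n' 'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$d/config"
    # Constructed from the records quoted in the bug's dmesg excerpt.
    printf '%s\n' \
      'audit: type=1400 audit(1719911455.288:5): avc: denied { read } for pid=522 comm="grep" name="cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1' \
      'audit: type=1400 audit(1719911455.288:6): avc: denied { open } for pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1' \
      > "$d/dmesg"

    selinux_config_ok "$d/config" \
      || { echo "refusing: set SELINUX=permissive and SELINUXTYPE=targeted first" >&2; return 1; }
    set_grub_selinux "$d/grub"
    set_grub_selinux "$d/grub" >/dev/null   # second run: file unchanged
    # On a real host, next: update-bootloader; touch /.autorelabel; reboot.
    summarize_avc "$d/dmesg"
    rm -rf "$d"
}

demo
```

The guard order matters: the config check runs before the GRUB edit so a host is never left booting with security=selinux while its config still says enforcing. The summariser groups by source context, class and permission rather than by PID, which is the shape an allow rule or a policy bug report needs.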
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c6

--- Comment #6 from Felix Niederwanger <felix.niederwanger@suse.com> ---

Created attachment 875825 --> https://bugzilla.suse.com/attachment.cgi?id=875825&action=edit
dmesg
https://bugzilla.suse.com/show_bug.cgi?id=1226937

Cathy Hu <cathy.hu@suse.com> changed:

What   |Removed |Added
-------+--------+--------
Blocks |        |1227282
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c7

--- Comment #7 from Cathy Hu <cathy.hu@suse.com> ---

@Felix, thanks for testing, will have a look. Let's discuss this in the cloned bug bsc#1227282 and leave this one for changes for the docs team.
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c8

--- Comment #8 from Felix Niederwanger <felix.niederwanger@suse.com> ---

(In reply to Cathy Hu from comment #7)
> @Felix, thanks for testing, will have a look. lets discuss this in the cloned bug bsc#1227282 and leave this one for changes for the docs team

Good idea. We will report back here, once we know which changes are needed in the documentation.
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c9

Tomáš Bažant <tbazant@suse.com> changed:

What       |Removed     |Added
-----------+------------+------------------------------------------
Status     |NEW         |CONFIRMED
Whiteboard |            |https://jira.suse.com/browse/DOCTEAM-1493
CC         |            |tbazant@suse.com
Assignee   |fs@suse.com |amrita.sakthivel@suse.com

--- Comment #9 from Tomáš Bažant <tbazant@suse.com> ---

Thank you for reporting this bug! It is being tracked and processed as part of our queue.
https://bugzilla.suse.com/show_bug.cgi?id=1226937

Amrita Sakthivel <amrita.sakthivel@suse.com> changed:

What   |Removed   |Added
-------+----------+------------
Status |CONFIRMED |IN_PROGRESS
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c10

Amrita Sakthivel <amrita.sakthivel@suse.com> changed:

What  |Removed |Added
------+--------+-----------------------------
Flags |        |needinfo?(cathy.hu@suse.com)
CC    |        |cathy.hu@suse.com

--- Comment #10 from Amrita Sakthivel <amrita.sakthivel@suse.com> ---

Hi Cathy, I have noticed this link (https://download.opensuse.org/repositories/security:/SELinux_legacy/15.6/) is there from 15.6-15.2, can you please confirm if this repo link is applicable to the mentioned versions?

Thanks
Amrita
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c11

Cathy Hu <cathy.hu@suse.com> changed:

What  |Removed                      |Added
------+-----------------------------+------
Flags |needinfo?(cathy.hu@suse.com) |

--- Comment #11 from Cathy Hu <cathy.hu@suse.com> ---

The link is applicable for the versions <15.6, so the current docs are correct for these versions. From 15.6 on we should use this link: https://download.opensuse.org/repositories/security:/SELinux/15.6/
https://bugzilla.suse.com/show_bug.cgi?id=1226937#c12

Amrita Sakthivel <amrita.sakthivel@suse.com> changed:

What       |Removed     |Added
-----------+------------+---------
Status     |IN_PROGRESS |RESOLVED
Resolution |---         |FIXED

--- Comment #12 from Amrita Sakthivel <amrita.sakthivel@suse.com> ---

Merged.