Unable to start in enforcing #99
Comments
Hey, thanks for the quick testing of the sample policy and the bug report. Can you reboot in permissive and grab the journal log and share that ( Likely issues would contain either a log entry with the string "AVC" or the string "SELinux", but there are a number of things that could cause a boot hang (either SELinux denials, or failures in SELinux-aware userspace components such as systemd, dbus, xwayland and others). Each of the different user daemons has its own logging, so it's hard to say precisely what to look for in the abstract. If you are able to share the full log, I'll take a look through it and should be able to zero in on the problem from there.
Thank you for the help and quick response. I've attached my journal.txt as requested. I did see some AVC denials in there.
Thanks for the logs. It looks like everything is fine up until this point and at least most of what follows seems to be consequences of this part:
There are two issues here:
1. systemd seems to be running as the "kernel_sid" type. It should have transitioned to the "general" domain.
2. Several files are unlabeled, including /, /etc and some of the contents of /etc.
Can you check the labels (
Running
Thanks. Those errors are definitely relevant. The "Operation is not supported" error indicates that the filesystem doesn't support extended attributes, which are necessary for relabeling. Looking in your logs some more, it seems that you're using xfs for your root, which does have extended attribute support, but it isn't specified in the policy. Would you mind building this PR branch #100 and retesting to see if that resolves your problem?
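The check behind that diagnosis, as an added example that is not code from this issue or from the policy project: a filesystem can support extended attributes and still be unlabelable if the policy never declares how it is labeled, because the kernel only accepts security.selinux writes on filesystems covered by an fs_use_xattr statement. The mount table and the policy fragment below are constructed; the type fs_t and the exact statement PR #100 adds are assumptions, so consult the real policy source and the PR.

```shell
#!/bin/sh
# Added example, not code from the issue or the policy project. Cross-checks a
# /proc/mounts-style table against the filesystem labeling statements of a
# policy and reports filesystem types the policy does not cover. All inputs
# are constructed; fs_t and the xfs line are assumptions about the policy.

MOUNTS_SAMPLE='/dev/vda3 / xfs rw,seclabel,relatime 0 0
/dev/vda2 /boot ext4 rw,seclabel,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid 0 0
proc /proc proc rw,nosuid 0 0'

# Constructed policy fragment in policy.conf syntax: ext4, tmpfs and proc are
# covered, xfs is not, which mirrors the reporter's situation.
POLICY_SAMPLE='fs_use_xattr ext4 system_u:object_r:fs_t;
fs_use_trans tmpfs system_u:object_r:tmpfs_t;
genfscon proc / system_u:object_r:proc_t;'

# Arg 1: mount table text, arg 2: policy text. Prints each mounted filesystem
# type that no fs_use_xattr / fs_use_trans / fs_use_task / genfscon statement
# covers. Files on such a filesystem show up as unlabeled and setting
# security.selinux on them fails with "Operation not supported".
uncovered_fs_types() {
    printf '%s\n' "$1" | awk '{ print $3 }' | sort -u | while read -r fstype; do
        if ! printf '%s\n' "$2" | grep -Eq "^(fs_use_(xattr|trans|task)|genfscon)[[:space:]]+$fstype([[:space:]]|$)"; then
            echo "$fstype"
        fi
    done
}

# The kind of statement the policy needs for an xfs root (assumed form).
# xfs stores security.selinux on disk, so fs_use_xattr (labels persist in the
# inode) is the right choice, not fs_use_trans (label derived from the
# creating process, meant for in-memory filesystems such as tmpfs).
xfs_policy_line() {
    echo 'fs_use_xattr xfs system_u:object_r:fs_t;'
}

uncovered_fs_types "$MOUNTS_SAMPLE" "$POLICY_SAMPLE"
```

On a live system the two inputs are /proc/mounts and the policy.conf (or the fs_use_* lines of the policy sources); in a refpolicy-style build the context is written as gen_context(system_u:object_r:fs_t,s0) instead of the bare context used here.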
Success! I was able to boot into enforcing. One thing I will note is that I still have two lingering AVCs: `allow kernel_sid self:capability2 syslog;`. From the audit.log: `type=AVC msg=audit(1674874943.471:186): avc: denied { syslog } for pid=354 comm="plymouthd" capability=34 scontext=system_u:system_r:kernel_sid tcontext=system_u:system_r:kernel_sid tclass=capability2 permissive=0`. Thank you for your help and quick responses!
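Turning raw AVC records into the allow rule quoted above, as an added example that is not code from this issue or from the policy project: it reads audit or journal text, merges permissions per (source type, target type, class), and writes the target as self when it matches the source, which is how the plymouthd rule above was written. The first sample line is the denial from this thread; the other lines are constructed, including a file denial on an unlabeled_t file like the ones discussed earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the issue or the policy project. Parses AVC
# denial records into candidate allow rules. The plymouthd line is the one
# reported above; the systemd lines and the SYSCALL record are constructed.

AVC_SAMPLE='type=AVC msg=audit(1674874943.471:186): avc: denied { syslog } for pid=354 comm="plymouthd" capability=34 scontext=system_u:system_r:kernel_sid tcontext=system_u:system_r:kernel_sid tclass=capability2 permissive=0
type=AVC msg=audit(1674874943.500:187): avc: denied { read } for pid=1 comm="systemd" name="machine-id" dev="vda3" ino=1234 scontext=system_u:system_r:kernel_sid tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
type=SYSCALL msg=audit(1674874943.500:187): arch=c000003e syscall=257 success=yes exit=3 comm="systemd"
type=AVC msg=audit(1674874943.501:188): avc: denied { open } for pid=1 comm="systemd" path="/etc/machine-id" dev="vda3" ino=1234 scontext=system_u:system_r:kernel_sid tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1'

# Reads audit/journal text on stdin and prints one allow rule per
# (source type, target type, class), in first-seen order, with the
# permissions of all matching records merged into one set.
avc_to_allow() {
    awk '
    # user:role:type[:level] -> type
    function type_of(field,    ctx, parts) {
        ctx = field
        sub(/^[st]context=/, "", ctx)
        split(ctx, parts, ":")
        return parts[3]
    }
    /avc: +denied/ {
        perms = $0
        sub(/^.*denied +[{] */, "", perms)   # keep the text after "denied {"
        sub(/ *[}].*$/, "", perms)           # drop everything from "}" on
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = type_of($i)
            else if ($i ~ /^tcontext=/) tgt = type_of($i)
            else if ($i ~ /^tclass=/) { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in seen)) { seen[key] = ""; order[++count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : seen[key] " " p[j]
    }
    END {
        for (k = 1; k <= count; k++) {
            split(order[k], f, SUBSEP)
            target = (f[1] == f[2]) ? "self" : f[2]
            printf "allow %s %s:%s { %s };\n", f[1], target, f[3], seen[order[k]]
        }
    }'
}

printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

On a live system feed it the output of `ausearch -m avc` or `journalctl -b`; audit2allow does the same job with more knowledge of the policy. Treat the output as a list of things to explain, not a list of rules to add: the plymouthd rule is a legitimate gap, but a rule against unlabeled_t is a symptom of the labeling problem this thread fixed (files that never got their xattr), and the right fix there is the fs_use statement and a relabel, not an allow rule.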
Glad it's working for you. Thanks for reporting the AVCs as well. Looks like plymouthd logs to the console in some situations, so it's reasonable to add to the policy. I've made a PR for that: #103
Hello! I am still getting my feet wet with SELinux, and I noticed that when I tried to follow the steps for the newly added 'full system' policy, my Fedora 36 VM will just... hang on start up? As soon as I select the OS I want to boot into, the system fails to proceed any farther, with no output on the screen. I moved the policy in place on the system, updated my config, rebooted in permissive, ran restorecon, then rebooted in enforcing. Any and all help on how to troubleshoot this problem would be greatly appreciated. If any more details are required, I can surely provide them. Thanks!