Siduction Forum
Siduction Forum => Upgrade Warnings => Topic started by: kole on 2019/06/26, 18:50:01
-
Hi All
I have tried DU with kernels 5.1.10, 5.1.12 and 5.1.15. After reboot I get the message "SELinux default policy relabel is required" and after a while the system reboots. On the next very slow boot it shows all kinds of errors, which do not appear in dmesg later, and eventually boots as CLI. After logging in, boot messages continue to appear occasionally and the system does not respond.
-
Use
selinux=0
as a boot option!
-
Perfect
Thank you axt
-
Use
selinux=0
YES!
This is the fix for my problem on this thread:
https://forum.siduction.org/index.php?topic=7675.0
Thanks axt!
-
@dibl: normally the SELINUX things should not be relevant in an installed system - just because SELINUX is activated, but not strict - it was a problem for ISOs - so the kernel parameter is right :)
https://git.siduction.org/extra/pyfll/commit/489cd640acb1aa77360bc11273def74fcb29770f
Anyways - I would like to know the SELINUX configuration of this particular installation.
-
@melmarker -- is there more to see than this?
don@n5110:~$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls - Multi-Level Security (for military and educational use)
# src - Custom policy built from source
SELINUXTYPE=default
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
don@n5110:~$
-
No - the entry
SELINUX=permissive
should do the trick - all the things that would be otherwise enforced result only in warnings.
-
It must be a hardware-related compatibility issue, because I have had no such problem on 4 other kinds of hardware, all fully updated. Just this Dell laptop. But selinux=0 fixed it.
-
On my siduction system that config file is missing:
# LANG=C ls -al /etc/selinux/
total 20
drwxr-xr-x 2 root root 4096 Mai 13 00:49 .
drwxr-xr-x 157 root root 12288 Jun 28 20:48 ..
-rw-r--r-- 1 root root 2041 Sep 15 2017 semanage.conf
What could be the reason?
-
@samoht - if /etc/selinux/config isn't there - it isn't there - in other words: the file is not provided by any package. So it seems that it is created on the fly by some unknown selinux package.
To be blunt: I fucking hate such packaging practices.
-
When I looked at my other systems, I found one configured like @samoht.
don@Hibiscus:/$ ls -al /etc/selinux
total 20
drwxr-xr-x 2 root root 4096 Jun 8 17:45 .
drwxr-xr-x 179 root root 12288 Jun 8 17:54 ..
-rw-r--r-- 1 root root 2041 Nov 18 2015 semanage.conf
don@Hibiscus:/$ cat /etc/selinux/semanage.conf
# Authors: Jason Tang <jtang@tresys.com>
#
# Copyright (C) 2004-2005 Tresys Technology, LLC
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# Specify how libsemanage will interact with a SELinux policy manager.
# The four options are:
#
# "source" - libsemanage manipulates a source SELinux policy
# "direct" - libsemanage will write directly to a module store.
# /foo/bar - Write by way of a policy management server, whose
# named socket is at /foo/bar. The path must begin
# with a '/'.
# foo.com:4242 - Establish a TCP connection to a remote policy
# management server at foo.com. If there is a colon
# then the remainder is interpreted as a port number;
# otherwise default to port 4242.
module-store = direct
# When generating the final linked and expanded policy, by default
# semanage will set the policy version to POLICYDB_VERSION_MAX, as
# given in <sepol/policydb.h>. Change this setting if a different
# version is necessary.
#policy-version = 19
# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on.
expand-check=0
# By default, semanage will generate policies for the SELinux target.
# To build policies for Xen, uncomment the following line.
#target-platform = xen
Hardware & System
don@Hibiscus:/$ inxi -Fz
System:
Host: Hibiscus Kernel: 5.1.6-towo.2-siduction-amd64 x86_64 bits: 64
Desktop: KDE Plasma 5.14.5
Distro: siduction 13.2.1 December - kde - (201401272125)
Machine:
Type: Desktop System: ASUS product: All Series v: N/A serial: <filter>
Mobo: ASUSTeK model: Z87-WS v: Rev 1.xx serial: <filter> BIOS: American Megatrends
v: 2004 date: 06/05/2014
CPU:
Topology: Quad Core model: Intel Core i7-4770 bits: 64 type: MT MCP
L2 cache: 8192 KiB
Speed: 1545 MHz min/max: 800/3900 MHz Core speeds (MHz): 1: 1546 2: 1545 3: 1545
4: 1545 5: 1546 6: 1545 7: 1546 8: 1549
Graphics:
Device-1: NVIDIA GM107 [GeForce GTX 750 Ti] driver: nvidia v: 418.74
Display: x11 server: X.Org 1.20.4 driver: nvidia resolution: 1440x900~60Hz
OpenGL: renderer: GeForce GTX 750 Ti/PCIe/SSE2 v: 4.6.0 NVIDIA 418.74
Audio:
Device-1: Intel 8 Series/C220 Series High Definition Audio driver: snd_hda_intel
Device-2: NVIDIA driver: snd_hda_intel
Sound Server: ALSA v: k5.1.6-towo.2-siduction-amd64
Network:
Device-1: Intel I210 Gigabit Network driver: igb
IF: enp6s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Device-2: Intel I210 Gigabit Network driver: igb
IF: enp9s0 state: down mac: <filter>
IF-ID-1: br0 state: up speed: N/A duplex: N/A mac: <filter>
Drives:
Local Storage: total: 3.18 TiB used: 857.98 GiB (26.3%)
ID-1: /dev/sda vendor: Western Digital model: WD1001FALS-00E8B0 size: 931.51 GiB
ID-2: /dev/sdb vendor: Samsung model: SSD 850 EVO 500GB size: 465.76 GiB
ID-3: /dev/sdc vendor: Western Digital model: WD1000DHTZ-04N21V0 size: 931.51 GiB
ID-4: /dev/sdd vendor: Western Digital model: WD1000DHTZ-04N21V0 size: 931.51 GiB
Partition:
ID-1: / size: 55.77 GiB used: 13.63 GiB (24.4%) fs: ext4 dev: /dev/sdb1
ID-2: /home size: 401.45 GiB used: 52.61 GiB (13.1%) fs: ext4 dev: /dev/sdb3
ID-3: swap-1 size: 1024.0 MiB used: 0 KiB (0.0%) fs: swap dev: /dev/sdb2
Sensors:
System Temperatures: cpu: 29.8 C mobo: 27.8 C
Fan Speeds (RPM): cpu: 0
Info:
Processes: 275 Uptime: 4m Memory: 31.36 GiB used: 1.65 GiB (5.3%) Shell: bash
inxi: 3.0.32
-
@dibl: it would be worth searching for where the configuration file comes from - I really hate it when such things are created on the fly or copied from elsewhere. But I hate the pyfll things as in "we do a heredoc and cat it right in and nobody knows where it comes from" most
PS: And in case of SElinux filing a grave bug against would be appropriate.
-
I would be willing to file a bug, but I'm not sure who to blame. The Dell was running perfectly on kernel 5.0.14. When I upgraded to the first kernel 5.1, it broke. The errors came from selinux, but it appears that a change in the kernel triggered the errors. And @kole reports different errors than I saw, so there's a complication.
???
-
Firsthand I see the problem in the "new" selinux configuration file - fuck, where does it come from? - Seems to be introduced some months ago. Right now I was too busy to search for ... :)
-
hrm - the fuck is all about this file - it is hard to search for, even if one has a clue where it comes from, there are not many possible packages.
-
Setting SELINUX=disabled in the config file should also work to inactivate SELINUX as well.
-
Reading here (https://opensource.com/article/18/7/sysadmin-guide-selinux), I see this:
6. Kernel parameters for changing SELinux modes at boot:
autorelabel=1 → forces the system to relabel
selinux=0 → kernel doesn't load any part of the SELinux infrastructure
enforcing=0 → boot in permissive mode
So, by logic, if selinux=0 fixed a boot problem, then the existing selinux infrastructure which worked for kernel 5.0.14 broke 5.1. That looks like some kernel development in 5.1 is a violation of the selinux infrastructure that was OK for 5.0.14 and many prior kernels. Maybe kernel devs need to talk with selinux devs.
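Added example, not part of any post in this thread: a POSIX shell check that reports which SELinux mode a kernel command line and /etc/selinux/config together request, useful for auditing machines where selinux=0 was left in place as a workaround. The function names, the sample command line and the precedence order (selinux=0 first, then SELINUX=disabled, then enforcing=, then the config value) are assumptions of this example; it reports what is requested, not what the running kernel actually does.

```shell
#!/bin/sh
# Added example; sample inputs at the bottom are constructed.

# cmdline_value KEY CMDLINE: print the last value given for KEY= (empty if absent).
# Runs in a subshell so that disabling globbing does not leak to the caller.
cmdline_value() (
    set -f
    key=$1; val=""
    for word in $2; do
        case $word in
            "$key"=*) val=${word#"$key"=} ;;
        esac
    done
    printf '%s' "$val"
)

# config_value KEY FILE: print the value of the last uncommented KEY= line.
config_value() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p" "$2" | tail -n 1
}

# requested_selinux_mode CMDLINE CONFIG_FILE (precedence is this example's assumption)
requested_selinux_mode() {
    sel=$(cmdline_value selinux "$1")
    enf=$(cmdline_value enforcing "$1")
    cfg=$(config_value SELINUX "$2")
    if [ "$sel" = 0 ]; then
        echo "disabled (selinux=0 on kernel command line)"
    elif [ "$cfg" = disabled ]; then
        echo "disabled (SELINUX=disabled in config)"
    elif [ "$enf" = 0 ]; then
        echo "permissive (enforcing=0 on kernel command line)"
    elif [ "$enf" = 1 ]; then
        echo "enforcing (enforcing=1 on kernel command line)"
    elif [ -n "$cfg" ]; then
        echo "$cfg (config file)"
    else
        echo "unspecified (no config file or SELINUX= line)"
    fi
}

# Constructed sample: the SELINUX= lines posted above plus a made-up command line.
demo_cfg=$(mktemp)
printf 'SELINUX=permissive\nSELINUXTYPE=default\n' > "$demo_cfg"
requested_selinux_mode "root=/dev/sda1 ro quiet selinux=0" "$demo_cfg"
requested_selinux_mode "root=/dev/sda1 ro quiet" "$demo_cfg"
rm -f "$demo_cfg"
```

On a live system the call would be `requested_selinux_mode "$(cat /proc/cmdline)" /etc/selinux/config`.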
-
Found semanage.conf in: libsemanage-common 2.8-2 - all