Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic:  [solved] SELinux default policy relabel is required  (Read 6158 times)

Offline kole

  • User
  • Posts: 6
Hi All
I have tried DU with kernels 5.1.10, 5.1.12 and 5.1.15. After reboot I get message "SELinux default policy relabel is required" and after while system reboots. On next very slow boot it shows all kind of errors, which do not appear in dmesg later, and eventualy boots as CLI. After logging in boot messages continue to appear occasionaly and system does not respond.
« Last Edit: 2019/06/26, 21:45:56 by kole »

Offline axt

  • User
  • Posts: 494
    • axebase.net
Re: SELinux default policy relabel is required
« Reply #1 on: 2019/06/26, 19:38:55 »
Use

Code: [Select]
selinux=0
as a boot option!

Offline kole

  • User
  • Posts: 6
Re: SELinux default policy relabel is required
« Reply #2 on: 2019/06/26, 21:26:14 »
Perfect
Thank you axt

Offline dibl

  • siduction community member
  • Global Moderator
  • User
  • *****
  • Posts: 2.345
    • Land of the Buckeye
Re: [solved] SELinux default policy relabel is required
« Reply #3 on: 2019/06/27, 23:30:57 »
Quote from: axt
Use

Code: [Select]
selinux=0

YES!

This is the fix for my problem on this thread:

https://forum.siduction.org/index.php?topic=7675.0

Thanks axt!



System76 Oryx Pro, Intel Core i7-11800H, SSD 970 EVO Plus;  Asus ROG STRIX X299-E, Core i7-7740X, Nvidia GTX-1060, dual monitors, SSD 860 EVO

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: [solved] SELinux default policy relabel is required
« Reply #4 on: 2019/06/28, 00:37:43 »
@dibl: normally the SELINUX things should not be relevant in a installed system - just because SELINUX is activated, but not strict - it was a problem for ISOs - so the kernel parameter is right :)

https://git.siduction.org/extra/pyfll/commit/489cd640acb1aa77360bc11273def74fcb29770f

Anyways - i would like to know the the SELINUX configuration of this particular installation.
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)

Offline dibl

  • siduction community member
  • Global Moderator
  • User
  • *****
  • Posts: 2.345
    • Land of the Buckeye
Re: [solved] SELinux default policy relabel is required
« Reply #5 on: 2019/06/28, 15:34:23 »
@melmarker -- is there more to see than this?

Code: [Select]
don@n5110:~$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls     - Multi-Level Security (for military and educational use)
# src     - Custom policy built from source
SELINUXTYPE=default

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
don@n5110:~$
System76 Oryx Pro, Intel Core i7-11800H, SSD 970 EVO Plus;  Asus ROG STRIX X299-E, Core i7-7740X, Nvidia GTX-1060, dual monitors, SSD 860 EVO

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: [solved] SELinux default policy relabel is required
« Reply #6 on: 2019/06/28, 16:45:33 »
No - the entry
Code: [Select]
SELINUX=permissive
should do the trick - all the things that would be otherwise enforced result only in warnings.
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)

Offline dibl

  • siduction community member
  • Global Moderator
  • User
  • *****
  • Posts: 2.345
    • Land of the Buckeye
Re: [solved] SELinux default policy relabel is required
« Reply #7 on: 2019/06/28, 19:03:42 »
It must be a hardware-related compatibility issue, because I have had no such problem on 4 other kinds of hardware, all fully updated. Just this Dell laptop.  But selinux=0 fixed it.
System76 Oryx Pro, Intel Core i7-11800H, SSD 970 EVO Plus;  Asus ROG STRIX X299-E, Core i7-7740X, Nvidia GTX-1060, dual monitors, SSD 860 EVO

Offline samoht

  • User
  • Posts: 478
Re: [solved] SELinux default policy relabel is required
« Reply #8 on: 2019/06/28, 20:59:47 »
On my siduction system that config file is missing:

Code: [Select]
# LANG=C ls -al /etc/selinux/
total 20
drwxr-xr-x   2 root root  4096 Mai  13 00:49 .
drwxr-xr-x 157 root root 12288 Jun  28 20:48 ..
-rw-r--r--   1 root root  2041 Sep  15  2017 semanage.conf

What could be the reason?

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: [solved] SELinux default policy relabel is required
« Reply #9 on: 2019/06/28, 21:15:16 »
@samoht - if /etc/selinux/config isn't there - it isn't there - in other words: the file is not provided by any package. so it seems that it is created on the fly by some unknown selinux package

To be blunt: I fucking hate such packaging practices.
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)

Offline dibl

  • siduction community member
  • Global Moderator
  • User
  • *****
  • Posts: 2.345
    • Land of the Buckeye
Re: [solved] SELinux default policy relabel is required
« Reply #10 on: 2019/06/29, 12:45:18 »
When I looked at my other systems, I found one configured like @samoht.

Code: [Select]
don@Hibiscus:/$ ls -al /etc/selinux
total 20
drwxr-xr-x   2 root root  4096 Jun  8 17:45 .
drwxr-xr-x 179 root root 12288 Jun  8 17:54 ..
-rw-r--r--   1 root root  2041 Nov 18  2015 semanage.conf
don@Hibiscus:/$ cat /etc/selinux/semanage.conf
# Authors: Jason Tang <jtang@tresys.com>
#
# Copyright (C) 2004-2005 Tresys Technology, LLC
#
#  This library is free software; you can redistribute it and/or
#  modify it under the terms of the GNU Lesser General Public
#  License as published by the Free Software Foundation; either
#  version 2.1 of the License, or (at your option) any later version.
#
#  This library is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#  Lesser General Public License for more details.
#
#  You should have received a copy of the GNU Lesser General Public
#  License along with this library; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# Specify how libsemanage will interact with a SELinux policy manager.
# The four options are:
#
#  "source"     - libsemanage manipulates a source SELinux policy
#  "direct"     - libsemanage will write directly to a module store.
#  /foo/bar     - Write by way of a policy management server, whose
#                 named socket is at /foo/bar.  The path must begin
#                 with a '/'.
#  foo.com:4242 - Establish a TCP connection to a remote policy
#                 management server at foo.com.  If there is a colon
#                 then the remainder is interpreted as a port number;
#                 otherwise default to port 4242.
module-store = direct

# When generating the final linked and expanded policy, by default
# semanage will set the policy version to POLICYDB_VERSION_MAX, as
# given in <sepol/policydb.h>.  Change this setting if a different
# version is necessary.
#policy-version = 19

# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on.
expand-check=0

# By default, semanage will generate policies for the SELinux target.
# To build policies for Xen, uncomment the following line.
#target-platform = xen

Hardware & System
Code: [Select]
don@Hibiscus:/$ inxi -Fz
System:
  Host: Hibiscus Kernel: 5.1.6-towo.2-siduction-amd64 x86_64 bits: 64
  Desktop: KDE Plasma 5.14.5
  Distro: siduction 13.2.1 December - kde - (201401272125)
Machine:
  Type: Desktop System: ASUS product: All Series v: N/A serial: <filter>
  Mobo: ASUSTeK model: Z87-WS v: Rev 1.xx serial: <filter> BIOS: American Megatrends
  v: 2004 date: 06/05/2014
CPU:
  Topology: Quad Core model: Intel Core i7-4770 bits: 64 type: MT MCP
  L2 cache: 8192 KiB
  Speed: 1545 MHz min/max: 800/3900 MHz Core speeds (MHz): 1: 1546 2: 1545 3: 1545
  4: 1545 5: 1546 6: 1545 7: 1546 8: 1549
Graphics:
  Device-1: NVIDIA GM107 [GeForce GTX 750 Ti] driver: nvidia v: 418.74
  Display: x11 server: X.Org 1.20.4 driver: nvidia resolution: 1440x900~60Hz
  OpenGL: renderer: GeForce GTX 750 Ti/PCIe/SSE2 v: 4.6.0 NVIDIA 418.74
Audio:
  Device-1: Intel 8 Series/C220 Series High Definition Audio driver: snd_hda_intel
  Device-2: NVIDIA driver: snd_hda_intel
  Sound Server: ALSA v: k5.1.6-towo.2-siduction-amd64
Network:
  Device-1: Intel I210 Gigabit Network driver: igb
  IF: enp6s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
  Device-2: Intel I210 Gigabit Network driver: igb
  IF: enp9s0 state: down mac: <filter>
  IF-ID-1: br0 state: up speed: N/A duplex: N/A mac: <filter>
Drives:
  Local Storage: total: 3.18 TiB used: 857.98 GiB (26.3%)
  ID-1: /dev/sda vendor: Western Digital model: WD1001FALS-00E8B0 size: 931.51 GiB
  ID-2: /dev/sdb vendor: Samsung model: SSD 850 EVO 500GB size: 465.76 GiB
  ID-3: /dev/sdc vendor: Western Digital model: WD1000DHTZ-04N21V0 size: 931.51 GiB
  ID-4: /dev/sdd vendor: Western Digital model: WD1000DHTZ-04N21V0 size: 931.51 GiB
Partition:
  ID-1: / size: 55.77 GiB used: 13.63 GiB (24.4%) fs: ext4 dev: /dev/sdb1
  ID-2: /home size: 401.45 GiB used: 52.61 GiB (13.1%) fs: ext4 dev: /dev/sdb3
  ID-3: swap-1 size: 1024.0 MiB used: 0 KiB (0.0%) fs: swap dev: /dev/sdb2
Sensors:
  System Temperatures: cpu: 29.8 C mobo: 27.8 C
  Fan Speeds (RPM): cpu: 0
Info:
  Processes: 275 Uptime: 4m Memory: 31.36 GiB used: 1.65 GiB (5.3%) Shell: bash
  inxi: 3.0.32
System76 Oryx Pro, Intel Core i7-11800H, SSD 970 EVO Plus;  Asus ROG STRIX X299-E, Core i7-7740X, Nvidia GTX-1060, dual monitors, SSD 860 EVO

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: [solved] SELinux default policy relabel is required
« Reply #11 on: 2019/06/29, 13:32:21 »
@dibl: it would be worth to search where the configuration file comes from -  i really hate it to create such things on the fly or copy it from elsewhere. But i hate the pyfll things as in "we do a heredoc and cat it right in and nobody knows where it comes from" most

PS: And in case of SElinux filing a grave bug against would be appropriate.
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)

Offline dibl

  • siduction community member
  • Global Moderator
  • User
  • *****
  • Posts: 2.345
    • Land of the Buckeye
Re: [solved] SELinux default policy relabel is required
« Reply #12 on: 2019/06/29, 14:12:36 »
I would be willing to file a bug, but I'm not sure who to blame.  The Dell was running perfectly on kernel 5.0.14. When I upgraded to the first kernel 5.1, it broke.  The errors came from selinux, but it appears that a change in the kernel triggered the errors.  And @kole reports different errors than I saw, so there's a complication.

???
System76 Oryx Pro, Intel Core i7-11800H, SSD 970 EVO Plus;  Asus ROG STRIX X299-E, Core i7-7740X, Nvidia GTX-1060, dual monitors, SSD 860 EVO

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: [solved] SELinux default policy relabel is required
« Reply #13 on: 2019/06/29, 15:00:40 »
firsthand i see the problem in the "new" selinux configuration file - fuck, where does it come from? - Seems to be introduced some month ago. Right now i was to busy to search for ... :)
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)

Offline melmarker

  • User
  • Posts: 2.799
    • g-com.eu
Re: [solved] SELinux default policy relabel is required
« Reply #14 on: 2019/06/29, 15:02:02 »
hrm - the fuck is all about this file - it is hard to search for, even if one has a clue where it come from, there are not much possible packages.
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. (Benjamin Franklin, November 11, 1755)
Never attribute to malice that which can be adequately explained by stupidity. (Hanlons razor)