Siduction Forum

Siduction Forum => Upgrade Warnings (DE / EN) => Topic started by: kole on 2019/06/26, 18:50:01

Title: [solved] SELinux default policy relabel is required
Post by: kole on 2019/06/26, 18:50:01
Hi All
I have tried DU with kernels 5.1.10, 5.1.12 and 5.1.15. After reboot I get the message "SELinux default policy relabel is required" and after a while the system reboots. On the next, very slow boot it shows all kinds of errors, which do not appear in dmesg later, and eventually boots as CLI. After logging in, boot messages continue to appear occasionally and the system does not respond.
Title: Re: SELinux default policy relabel is required
Post by: axt on 2019/06/26, 19:38:55
Use

Code:
selinux=0
as a boot option!
Title: Re: SELinux default policy relabel is required
Post by: kole on 2019/06/26, 21:26:14
Perfect
Thank you axt
Title: Re: [solved] SELinux default policy relabel is required
Post by: dibl on 2019/06/27, 23:30:57
Quote from: axt
Use

Code:
selinux=0

YES!

This is the fix for my problem on this thread:

https://forum.siduction.org/index.php?topic=7675.0

Thanks axt!



Title: Re: [solved] SELinux default policy relabel is required
Post by: melmarker on 2019/06/28, 00:37:43
@dibl: normally the SELINUX things should not be relevant in an installed system - just because SELINUX is activated, but not strict - it was a problem for ISOs - so the kernel parameter is right :)

https://git.siduction.org/extra/pyfll/commit/489cd640acb1aa77360bc11273def74fcb29770f

Anyways - I would like to know the SELINUX configuration of this particular installation.
Title: Re: [solved] SELinux default policy relabel is required
Post by: dibl on 2019/06/28, 15:34:23
@melmarker -- is there more to see than this?

Code:
don@n5110:~$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default - equivalent to the old strict and targeted policies
# mls     - Multi-Level Security (for military and educational use)
# src     - Custom policy built from source
SELINUXTYPE=default

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
don@n5110:~$
Title: Re: [solved] SELinux default policy relabel is required
Post by: melmarker on 2019/06/28, 16:45:33
No - the entry
Code:
SELINUX=permissive
should do the trick - all the things that would be otherwise enforced result only in warnings.
Title: Re: [solved] SELinux default policy relabel is required
Post by: dibl on 2019/06/28, 19:03:42
It must be a hardware-related compatibility issue, because I have had no such problem on 4 other kinds of hardware, all fully updated. Just this Dell laptop.  But selinux=0 fixed it.
Title: Re: [solved] SELinux default policy relabel is required
Post by: samoht on 2019/06/28, 20:59:47
On my siduction system that config file is missing:

Code:
# LANG=C ls -al /etc/selinux/
total 20
drwxr-xr-x   2 root root  4096 Mai  13 00:49 .
drwxr-xr-x 157 root root 12288 Jun  28 20:48 ..
-rw-r--r--   1 root root  2041 Sep  15  2017 semanage.conf

What could be the reason?
Title: Re: [solved] SELinux default policy relabel is required
Post by: melmarker on 2019/06/28, 21:15:16
@samoht - if /etc/selinux/config isn't there - it isn't there - in other words: the file is not provided by any package. so it seems that it is created on the fly by some unknown selinux package

To be blunt: I fucking hate such packaging practices.
Title: Re: [solved] SELinux default policy relabel is required
Post by: dibl on 2019/06/29, 12:45:18
When I looked at my other systems, I found one configured like @samoht.

Code:
don@Hibiscus:/$ ls -al /etc/selinux
total 20
drwxr-xr-x   2 root root  4096 Jun  8 17:45 .
drwxr-xr-x 179 root root 12288 Jun  8 17:54 ..
-rw-r--r--   1 root root  2041 Nov 18  2015 semanage.conf
don@Hibiscus:/$ cat /etc/selinux/semanage.conf
# Authors: Jason Tang <jtang@tresys.com>
#
# Copyright (C) 2004-2005 Tresys Technology, LLC
#
#  This library is free software; you can redistribute it and/or
#  modify it under the terms of the GNU Lesser General Public
#  License as published by the Free Software Foundation; either
#  version 2.1 of the License, or (at your option) any later version.
#
#  This library is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#  Lesser General Public License for more details.
#
#  You should have received a copy of the GNU Lesser General Public
#  License along with this library; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# Specify how libsemanage will interact with a SELinux policy manager.
# The four options are:
#
#  "source"     - libsemanage manipulates a source SELinux policy
#  "direct"     - libsemanage will write directly to a module store.
#  /foo/bar     - Write by way of a policy management server, whose
#                 named socket is at /foo/bar.  The path must begin
#                 with a '/'.
#  foo.com:4242 - Establish a TCP connection to a remote policy
#                 management server at foo.com.  If there is a colon
#                 then the remainder is interpreted as a port number;
#                 otherwise default to port 4242.
module-store = direct

# When generating the final linked and expanded policy, by default
# semanage will set the policy version to POLICYDB_VERSION_MAX, as
# given in <sepol/policydb.h>.  Change this setting if a different
# version is necessary.
#policy-version = 19

# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on.
expand-check=0

# By default, semanage will generate policies for the SELinux target.
# To build policies for Xen, uncomment the following line.
#target-platform = xen

Hardware & System
Code:
don@Hibiscus:/$ inxi -Fz
System:
  Host: Hibiscus Kernel: 5.1.6-towo.2-siduction-amd64 x86_64 bits: 64
  Desktop: KDE Plasma 5.14.5
  Distro: siduction 13.2.1 December - kde - (201401272125)
Machine:
  Type: Desktop System: ASUS product: All Series v: N/A serial: <filter>
  Mobo: ASUSTeK model: Z87-WS v: Rev 1.xx serial: <filter> BIOS: American Megatrends
  v: 2004 date: 06/05/2014
CPU:
  Topology: Quad Core model: Intel Core i7-4770 bits: 64 type: MT MCP
  L2 cache: 8192 KiB
  Speed: 1545 MHz min/max: 800/3900 MHz Core speeds (MHz): 1: 1546 2: 1545 3: 1545
  4: 1545 5: 1546 6: 1545 7: 1546 8: 1549
Graphics:
  Device-1: NVIDIA GM107 [GeForce GTX 750 Ti] driver: nvidia v: 418.74
  Display: x11 server: X.Org 1.20.4 driver: nvidia resolution: 1440x900~60Hz
  OpenGL: renderer: GeForce GTX 750 Ti/PCIe/SSE2 v: 4.6.0 NVIDIA 418.74
Audio:
  Device-1: Intel 8 Series/C220 Series High Definition Audio driver: snd_hda_intel
  Device-2: NVIDIA driver: snd_hda_intel
  Sound Server: ALSA v: k5.1.6-towo.2-siduction-amd64
Network:
  Device-1: Intel I210 Gigabit Network driver: igb
  IF: enp6s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
  Device-2: Intel I210 Gigabit Network driver: igb
  IF: enp9s0 state: down mac: <filter>
  IF-ID-1: br0 state: up speed: N/A duplex: N/A mac: <filter>
Drives:
  Local Storage: total: 3.18 TiB used: 857.98 GiB (26.3%)
  ID-1: /dev/sda vendor: Western Digital model: WD1001FALS-00E8B0 size: 931.51 GiB
  ID-2: /dev/sdb vendor: Samsung model: SSD 850 EVO 500GB size: 465.76 GiB
  ID-3: /dev/sdc vendor: Western Digital model: WD1000DHTZ-04N21V0 size: 931.51 GiB
  ID-4: /dev/sdd vendor: Western Digital model: WD1000DHTZ-04N21V0 size: 931.51 GiB
Partition:
  ID-1: / size: 55.77 GiB used: 13.63 GiB (24.4%) fs: ext4 dev: /dev/sdb1
  ID-2: /home size: 401.45 GiB used: 52.61 GiB (13.1%) fs: ext4 dev: /dev/sdb3
  ID-3: swap-1 size: 1024.0 MiB used: 0 KiB (0.0%) fs: swap dev: /dev/sdb2
Sensors:
  System Temperatures: cpu: 29.8 C mobo: 27.8 C
  Fan Speeds (RPM): cpu: 0
Info:
  Processes: 275 Uptime: 4m Memory: 31.36 GiB used: 1.65 GiB (5.3%) Shell: bash
  inxi: 3.0.32
Title: Re: [solved] SELinux default policy relabel is required
Post by: melmarker on 2019/06/29, 13:32:21
@dibl: it would be worth searching for where the configuration file comes from - I really hate creating such things on the fly or copying them from elsewhere. But I hate the pyfll things as in "we do a heredoc and cat it right in and nobody knows where it comes from" most

PS: And in case of SElinux filing a grave bug against would be appropriate.
Title: Re: [solved] SELinux default policy relabel is required
Post by: dibl on 2019/06/29, 14:12:36
I would be willing to file a bug, but I'm not sure who to blame.  The Dell was running perfectly on kernel 5.0.14. When I upgraded to the first kernel 5.1, it broke.  The errors came from selinux, but it appears that a change in the kernel triggered the errors.  And @kole reports different errors than I saw, so there's a complication.

???
Title: Re: [solved] SELinux default policy relabel is required
Post by: melmarker on 2019/06/29, 15:00:40
Firsthand I see the problem in the "new" selinux configuration file - fuck, where does it come from? - Seems to be introduced some months ago. Right now I was too busy to search for ... :)
Title: Re: [solved] SELinux default policy relabel is required
Post by: melmarker on 2019/06/29, 15:02:02
hrm - the fuck is all about this file - it is hard to search for, even if one has a clue where it comes from, there are not many possible packages.
Title: Re: [solved] SELinux default policy relabel is required
Post by: DeepDayze on 2019/06/29, 17:05:53
Setting SELINUX=disabled in the config file should also work to inactivate SELINUX as well.
Title: Re: [solved] SELinux default policy relabel is required
Post by: dibl on 2019/06/29, 17:40:36
Reading here (https://opensource.com/article/18/7/sysadmin-guide-selinux), I see this:

Quote
6. Kernel parameters for changing SELinux modes at boot:
autorelabel=1 → forces the system to relabel
selinux=0 → kernel doesn't load any part of the SELinux infrastructure
enforcing=0 → boot in permissive mode

So, by logic, if selinux=0 fixed a boot problem, then the existing selinux infrastructure which worked for kernel 5.0.14 broke 5.1.  That looks like some kernel development in 5.1 is a violation of the selinux infrastructure that was OK for 5.0.14 and many prior kernels. Maybe kernel devs need to talk with selinux devs.
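
The boot parameters quoted above and the SELINUX= setting in /etc/selinux/config interact, so here is an added example (not part of any post in this thread) that models which mode a boot ends up in. The function names and the precedence order are assumptions of this sketch, and the sample config is constructed from the active lines of the file posted earlier.

```shell
#!/bin/sh
# Added example (not from the thread). Simplified precedence model (assumption):
# selinux=0 on the command line wins, then SELINUX=disabled in the config file,
# then enforcing=0/1 on the command line, then the config file's SELINUX= value.

# Print the value of the last NAME=value word in a kernel command line string.
cmdline_flag() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# Print the SELINUX= value from a config file, "missing" if the file is absent
# (the case two posters found), or "unset" if it has no SELINUX= line.
config_mode() {
    if [ ! -r "$1" ]; then echo missing; return 0; fi
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-unset}"
}

# Combine both sources into the mode the boot is expected to end up in.
effective_mode() {
    cmdline=$1
    cfg=$2
    if [ "$(cmdline_flag selinux "$cmdline")" = 0 ]; then echo disabled; return 0; fi
    file_mode=$(config_mode "$cfg")
    if [ "$file_mode" = disabled ]; then echo disabled; return 0; fi
    case $(cmdline_flag enforcing "$cmdline") in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo "$file_mode" ;;
    esac
}

# Report whether autorelabel=1 asks for a filesystem relabel on this boot.
relabel_requested() {
    if [ "$(cmdline_flag autorelabel "$1")" = 1 ]; then echo yes; else echo no; fi
}

# Constructed sample: the active lines of the config file posted in the thread.
sample_cfg=$(mktemp)
printf 'SELINUX=permissive\nSELINUXTYPE=default\nSETLOCALDEFS=0\n' > "$sample_cfg"
for c in "quiet" "quiet selinux=0" "quiet enforcing=1 autorelabel=1"; do
    printf '%-32s -> %s (relabel: %s)\n' "$c" \
        "$(effective_mode "$c" "$sample_cfg")" "$(relabel_requested "$c")"
done
rm -f "$sample_cfg"
```

On a live system, call effective_mode "$(cat /proc/cmdline)" /etc/selinux/config to see the same result for the running boot.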
Title: Re: [solved] SELinux default policy relabel is required
Post by: sidemmc on 2019/06/29, 18:36:29
Found semanage.conf   in:   libsemanage-common  2.8-2 - all