Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
|
Posted: Tue Dec 11, 2018 8:15 am Post subject: [Solved] Unable to set selinux |
Hello, I have a little problem. After a global update, I have seen SELinux fail to set the context; I always get this error:
Code:
    !!! Failed to set new SELinux execution context. Is your current SELinux context allowed to run Portage?
Why? Does SELinux need something after a global update or kernel update?
Last edited by Fulgurance on Tue Jan 15, 2019 12:35 pm; edited 1 time in total |
papas Tux's lil' helper
Joined: 01 Dec 2014 Posts: 141 Location: Athens
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
|
Posted: Wed Dec 12, 2018 10:50 am Post subject: |
After this command, it works, but this command doesn't really solve my problem permanently.

papas Tux's lil' helper
Joined: 01 Dec 2014 Posts: 141 Location: Athens
|
Posted: Wed Dec 12, 2018 5:02 pm Post subject: |
I don't know if you have already done this, but first of all you have to check your user.
You have to be a privileged user like staff_u.
I don't know the reason for this behavior. I have seen this message once or twice on my machine, but I can't remember how I solved the issue.
By the way, may I ask, are you in permissive or enforcing mode?
Last edited by papas on Thu Dec 13, 2018 7:25 am; edited 1 time in total |
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
|
Posted: Wed Dec 12, 2018 11:38 pm Post subject: |
I have this:
Code:
    fulgurance@msi-gs73vr-6rf ~ id -Z ✔ 209 00:36:38
    staff_u:staff_r:staff_t

papas Tux's lil' helper
Joined: 01 Dec 2014 Posts: 141 Location: Athens
|
Posted: Thu Dec 13, 2018 8:39 am Post subject: |
So you are staff_u, you can run Portage; I don't know why you are still getting this message.
(Since you can change role to sysadm_r, as you wrote above, you have already added the sysadm_r role to user staff_u.)

Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
|
Posted: Thu Dec 13, 2018 10:59 am Post subject: |
How do I do that? I'm not an expert with SELinux.

papas Tux's lil' helper
Joined: 01 Dec 2014 Posts: 141 Location: Athens
|
Posted: Thu Dec 13, 2018 11:31 am Post subject: |
Fulgurance wrote: How do I do that? I'm not an expert with SELinux.
Me too, I am not an expert; I've managed to run my personal machine with SELinux enabled, nothing more.
Just read this guide:
https://wiki.gentoo.org/wiki/SELinux/Installation
("Define the administrator accounts").

Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
|
Posted: Thu Dec 13, 2018 2:54 pm Post subject: |
I have already followed this part of the SELinux tutorial... I don't know what I need to do...

papas Tux's lil' helper
Joined: 01 Dec 2014 Posts: 141 Location: Athens
|
Posted: Thu Dec 13, 2018 6:11 pm Post subject: |
Well, I am thinking:
since the error started after a @world update, it sounds reasonable to me to restore your user contexts (restorecon). Take a look at the restorecon man page; usually:
restorecon -R -F /home/your-user
Maybe you have to restore your contexts for the root user as well.
By the way, you must understand what you are trying to do before you do it. There are many strategies to try to solve your problem.
I guess you are in permissive mode, so it is not critical for you to try to set your contexts again, or you can just change role (newrole -r) every time you need to run Portage, or you can find your audit.log (if you have it enabled) and try to fix the denial, or you can disable SELinux.
Last edited by papas on Fri Dec 14, 2018 2:49 pm; edited 1 time in total |
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
|
Posted: Thu Dec 13, 2018 11:36 pm Post subject: |
I have followed your advice, but no, the same problem :C

Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
|
Posted: Tue Jan 15, 2019 12:35 pm Post subject: |
Finally solved. It's better to start from a non-SELinux stage and install the SELinux profile and packages afterwards, and everything works fine.
It's a very delicate package...