ca87 n00b
Joined: 09 Sep 2022 Posts: 3
Posted: Fri Sep 09, 2022 8:47 am Post subject: SELinux strict+enforcing unable to boot
Hello,
I've been trying to set up a fresh Gentoo system with SELinux on AMD64 following the handbook as well as the SELinux Installation guide, however, whenever it comes to booting the system in enforcing mode, I get stuck.
I will happily provide more details if required, but I'm wondering: is my assumption wrong that following these steps will lead me to a working system (strict+enforcing)?
Thank you for your help!
Christoph
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Fri Sep 09, 2022 2:53 pm
Welcome to Gentoo Forums.
Plz set selinux to permissive in /etc/selinux/config and boot.
Then check
Code:
grep AVC /var/log/audit/audit.log

Are you running a DE?
Quote:
is my assumption wrong that following these steps will lead me to a working system (strict+enforcing)?

Yes.
You also need hours of work and effort to make it right.
Probably you have to relabel your filesystem.
Also, if you emerged packages via chroot, you need to always relabel your filesystem.
https://wiki.gentoo.org/wiki/SELinux/Installation#Relabel
ca87 n00b
Joined: 09 Sep 2022 Posts: 3
Posted: Sat Sep 10, 2022 9:10 pm
Thank you for your response!
With enforcing=1 the boot process terminates like this:
Code:
[ 1.212276] dracut: Gentoo-2.8
Starting version 251
[ 1.331251] virtio_blk virtio5: [vda] 31457280 512-byte logical blocks (16.1 GB/15.0 GiB)
[ 1.332589] vda: vda1 vda2 vda3
[ 1.334774] scsi host6: Virtio SCSI HBA
[ 1.480447] EXT4-fs (vda2): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
[ 1.498397] dracut: Checking ext4: /dev/disk/by-uuid/a9c9f1ce-693a-4dd5-8469-f9e802d5d0b0
[ 1.499108] dracut: issuing e2fsck -a /dev/disk/by-uuid/a9c9f1ce-693a-4dd5-8469-f9e802d5d0b0
[ 1.502738] dracut: gentoo: clean, 243488/835584 files, 730220/3342080 blocks
[ 1.504578] dracut: Mounting /dev/disk/by-uuid/a9c9f1ce-693a-4dd5-8469-f9e802d5d0b0 with -o noatime,ro
[ 1.506803] EXT4-fs (vda2): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
[ 1.515376] dracut: Mounted root filesystem /dev/vda2
[ 1.521530] dracut: Loading SELinux policy
[ 1.531703] SELinux: policy capability network_peer_controls=1
[ 1.532242] SELinux: policy capability open_perms=1
[ 1.532619] SELinux: policy capability extended_socket_class=1
[ 1.533096] SELinux: policy capability always_check_network=0
[ 1.533604] SELinux: policy capability cgroup_seclabel=1
[ 1.534044] SELinux: policy capability nnp_nosuid_transition=1
[ 1.534521] SELinux: policy capability genfs_seclabel_symlinks=0
[ 1.535006] SELinux: policy capability ioctl_skip_cloexec=0
[ 1.542726] audit: type=1403 audit(1662882106.219:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 1.544571] dracut:
[ 1.573392] dracut: Switching root
switch_root: failed to mount moving /run to /sysroot/run: Permission denied
switch_root: forcing unmount of /run
[ 1.575850] audit: type=1400 audit(1662882106.253:3): avc: denied { mounton } for pid=1 comm="switch_root" path="/sysroot/run" dev="vda2" ino=131073 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.
[ 1.579722] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
[ 1.580396] CPU: 0 PID: 1 Comm: init Not tainted 5.15.63-gentoo-dist #1
[ 1.580967] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS d55cb5a 04/01/2014
[ 1.581618] Call Trace:
[ 1.581855] <TASK>
[ 1.582033] dump_stack_lvl+0x46/0x5e
[ 1.582342] panic+0xe3/0x2a0
[ 1.582591] do_exit.cold+0x43/0x9f
[ 1.582879] do_group_exit+0x33/0xa0
[ 1.583176] __x64_sys_exit_group+0x14/0x20
[ 1.583526] do_syscall_64+0x38/0xc0
[ 1.583849] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 1.584283] RIP: 0033:0x7fe811c8c489
[ 1.584596] Code: 00 4c 8b 05 99 99 11 00 be e7 00 00 00 ba 3c 00 00 00 eb 12 0f 1f 44 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
[ 1.586127] RSP: 002b:00007ffe05ede4e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1.586768] RAX: ffffffffffffffda RBX: 00007fe811da2820 RCX: 00007fe811c8c489
[ 1.587451] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 1.588011] RBP: 0000000000000001 R08: fffffffffffffe98 R09: 000055743680e940
[ 1.588612] R10: c3014e6f02946c8b R11: 0000000000000246 R12: 00007fe811da2820
[ 1.589191] R13: 0000000000000000 R14: 00007fe811da7d08 R15: 00007fe811da7d20
[ 1.589776] </TASK>
[ 1.590083] Kernel Offset: 0x3b000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 1.590979] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]---

alamahant wrote:
Plz set selinux to permissive in /etc/selinux/config and boot. Then check

dmesg | grep avc
Code:
[ 1.487054] audit: type=1400 audit(1662881794.366:3): avc: denied { create } for pid=443 comm="systemd-udevd" name="13:33.tmp-c13:33" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=lnk_file permissive=1
[ 1.488046] audit: type=1400 audit(1662881794.366:4): avc: denied { rename } for pid=443 comm="systemd-udevd" name="13:33.tmp-c13:33" dev="devtmpfs" ino=415 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=lnk_file permissive=1
[ 1.519908] audit: type=1400 audit(1662881794.396:5): avc: denied { mounton } for pid=1 comm="switch_root" path="/sysroot/run" dev="vda2" ino=131073 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
[ 1.521593] audit: type=1400 audit(1662881794.403:6): avc: denied { mounton } for pid=1 comm="init" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_t tclass=dir permissive=1
[ 1.522372] audit: type=1400 audit(1662881794.403:7): avc: denied { mount } for pid=1 comm="init" name="/" dev="proc" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 1.523127] audit: type=1400 audit(1662881794.403:8): avc: denied { mounton } for pid=1 comm="init" path="/sys" dev="sysfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:sysfs_t tclass=dir permissive=1
[ 1.523900] audit: type=1400 audit(1662881794.403:9): avc: denied { mount } for pid=1 comm="init" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:sysfs_t tclass=filesystem permissive=1
[ 1.524724] audit: type=1400 audit(1662881794.403:10): avc: denied { mount } for pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=filesystem permissive=1

grep AVC /var/log/audit/audit.log
Code:
type=AVC msg=audit(1662881796.799:57): avc: denied { dac_read_search } for pid=1877 comm="chronyd" capability=2 scontext=system_u:system_r:chronyd_t tcontext=system_u:system_r:chronyd_t tclass=capability permissive=1
type=AVC msg=audit(1662881797.108:58): avc: denied { read } for pid=2060 comm="dhclient" name="random" dev="devtmpfs" ino=8 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1662881797.108:58): avc: denied { open } for pid=2060 comm="dhclient" path="/dev/random" dev="devtmpfs" ino=8 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1662881797.108:59): avc: denied { getattr } for pid=2060 comm="dhclient" path="/dev/random" dev="devtmpfs" ino=8 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1662881797.108:60): avc: denied { ioctl } for pid=2060 comm="dhclient" path="/dev/random" dev="devtmpfs" ino=8 ioctlcmd=0x5401 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1
type=AVC msg=audit(1662881802.911:70): avc: denied { search } for pid=2231 comm="sudo" name="2229" dev="proc" ino=19749 scontext=staff_u:staff_r:staff_sudo_t tcontext=staff_u:staff_r:staff_t tclass=dir permissive=1
type=AVC msg=audit(1662881802.911:70): avc: denied { read } for pid=2231 comm="sudo" name="stat" dev="proc" ino=19750 scontext=staff_u:staff_r:staff_sudo_t tcontext=staff_u:staff_r:staff_t tclass=file permissive=1
type=AVC msg=audit(1662881802.911:70): avc: denied { open } for pid=2231 comm="sudo" path="/proc/2229/stat" dev="proc" ino=19750 scontext=staff_u:staff_r:staff_sudo_t tcontext=staff_u:staff_r:staff_t tclass=file permissive=1
type=AVC msg=audit(1662881804.855:76): avc: denied { search } for pid=2232 comm="su" name="faillock" dev="tmpfs" ino=790 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:faillog_t tclass=dir permissive=1
type=AVC msg=audit(1662881804.855:77): avc: denied { write } for pid=2232 comm="su" name="faillock" dev="tmpfs" ino=790 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:faillog_t tclass=dir permissive=1
type=AVC msg=audit(1662881804.855:77): avc: denied { add_name } for pid=2232 comm="su" name="root" scontext=staff_u:sysadm_r:sysadm_su_t tcontext=system_u:object_r:faillog_t tclass=dir permissive=1
type=AVC msg=audit(1662881804.855:77): avc: denied { create } for pid=2232 comm="su" name="root" scontext=staff_u:sysadm_r:sysadm_su_t tcontext=staff_u:object_r:faillog_t tclass=file permissive=1
type=AVC msg=audit(1662881804.855:78): avc: denied { setattr } for pid=2232 comm="su" name="root" dev="tmpfs" ino=843 scontext=staff_u:sysadm_r:sysadm_su_t tcontext=staff_u:object_r:faillog_t tclass=file permissive=1
type=AVC msg=audit(1662881805.768:82): avc: denied { getattr } for pid=1029 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="vda2" ino=393871 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:systemd_hwdb_t tclass=file permissive=1

Quote:
Are you running a DE?

No, I'm not. I just performed the minimal installation following the handbook.
Quote:
Quote:
is my assumption wrong that following these steps will lead me to a working system (strict+enforcing)?

Yes. You also need hours of work and effort to make it right.
Probably you have to relabel your filesystem.

I did the relabeling following the SELinux installation guide: https://wiki.gentoo.org/wiki/SELinux/Installation#Relabel
Btw, these are all the steps I did: (libvirt, virtio harddisk 15 GB)
* Boot into the live system (minimal installation disk)
Code:
#!/usr/bin/env bash
# Filename: 1-prepare-and-chroot.sh
set -exuo pipefail
HD=/dev/vda
LATEST=`curl -sL "https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/latest-stage3-amd64-hardened-nomultilib-openrc.txt" | grep -oE "^[0-9]+T[0-9]+Z"`
STAGE=/dev/shm/stage3-amd64-hardened-nomultilib-openrc-$LATEST.tar.xz
(
cd /dev/shm
curl -Z -C - \
-OL "https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/$LATEST/stage3-amd64-hardened-nomultilib-openrc-$LATEST.tar.xz.DIGESTS" \
-OL "https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/$LATEST/stage3-amd64-hardened-nomultilib-openrc-$LATEST.tar.xz.asc" \
-OL "https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/$LATEST/stage3-amd64-hardened-nomultilib-openrc-$LATEST.tar.xz"
gpg --keyserver hkps://keys.gentoo.org --recv-keys 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
gpg --verify $STAGE.asc
gpg --verify $STAGE.DIGESTS
sha512sum --ignore-missing -c $STAGE.DIGESTS
)
# 15 GB disk
cat << "EOF" | sfdisk $HD
label: dos
label-id: 0x5506134f
device: /dev/vda
unit: sectors
sector-size: 512
/dev/vda1 : start= 2048, size= 524288, type=83
/dev/vda2 : start= 526336, size= 26736640, type=83
/dev/vda3 : start= 27262976, size= 4194304, type=82
EOF
mkfs.ext4 -T small -L boot -U 0ebda18b-b405-4f79-966c-b0f22ad89404 ${HD}1
mkfs.ext4 -L gentoo -U a9c9f1ce-693a-4dd5-8469-f9e802d5d0b0 ${HD}2
mkswap -L swap -U 708d4deb-2f8d-41a6-9521-c807321ab9e5 ${HD}3
swapon ${HD}3
mkdir --parents /mnt/gentoo
mount ${HD}2 /mnt/gentoo
( cd /mnt/gentoo && tar xpf $STAGE --xattrs-include='*.*' --numeric-owner )
# make.conf
cp /mnt/gentoo/etc/portage/make.conf /mnt/gentoo/etc/portage/make.conf.bak
cat > /mnt/gentoo/etc/portage/make.conf << "EOF"
# These settings were set by the catalyst build script that automatically
# built this stage.
# Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example.
COMMON_FLAGS="-march=native -O2 -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
# NOTE: This stage was built with the bindist Use flag enabled
PORTDIR="/var/db/repos/gentoo"
DISTDIR="/var/cache/distfiles"
PKGDIR="/var/cache/binpkgs"
# Portage log
# https://wiki.gentoo.org/wiki/Portage_log
PORTAGE_LOGDIR="/var/log/portage"
FEATURES="split-log"
# This sets the language of build output to English.
# Please keep this setting intact when reporting bugs.
LC_MESSAGES=C
# EMERGE_DEFAULT_OPTS is set automatically by livecd-tools autoconfig during first live boot.
# This should be equal to number of processors, see "man emerge" for details.
MAKEOPTS="--jobs 12"
GENTOO_MIRRORS="rsync://mirrors.dotsrc.org/gentoo/ rsync://ftp.wh2.tu-dresden.de/gentoo rsync://ftp.halifax.rwth-aachen.de/gentoo/"
ACCEPT_LICENSE="-* @FREE"
GRUB_PLATFORMS="pc"
POLICY_TYPES="strict targeted"
EOF
# Installing the Gentoo base system
# https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base
# mirrors
mkdir --parents /mnt/gentoo/etc/portage/repos.conf
cp /mnt/gentoo/usr/share/portage/config/repos.conf /mnt/gentoo/etc/portage/repos.conf/gentoo.conf
# copy DNS info
cp --dereference /etc/resolv.conf /mnt/gentoo/etc/
# mounting file systems
mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev
mount --bind /run /mnt/gentoo/run
mount --make-slave /mnt/gentoo/run
# chroot
cp "`dirname $0`/2-base-system.sh" /mnt/gentoo/2-base-system.sh
chroot /mnt/gentoo /2-base-system.sh $HD
rm -f /mnt/gentoo/2-base-system.sh
umount -lv /mnt/gentoo/dev{/shm,/pts,}
umount -Rv /mnt/gentoo

* Chrooted:
Code:
#!/usr/bin/env bash
# Filename: 2-base-system.sh
set -exuo pipefail
HD=$1
#ASK="--ask"
ASK=""
# boot partition
mount ${HD}1 /boot
# portage
emerge --sync --quiet
# Timezone
echo "Europe/Berlin" > /etc/timezone
rm /etc/localtime
emerge --config sys-libs/timezone-data
# Configure locales
cat > /etc/locale.gen << "EOF"
en_US ISO-8859-1
en_US.UTF-8 UTF-8
C.UTF8 UTF-8
EOF
locale-gen
locale -a
cat > /etc/locale.conf << "EOF"
LANG="en_US.utf8"
LC_COLLATE="C.utf8"
EOF
env-update && source /etc/profile
emerge $ASK app-portage/cpuid2cpuflags
echo "*/* $(cpuid2cpuflags)" > /etc/portage/package.use/00cpu-flags
emerge $ASK --verbose --update --deep --newuse @world
emerge $ASK --depclean
# Installing the dist kernel
# https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel
emerge $ASK --noreplace sys-kernel/installkernel-gentoo
cat > /etc/portage/package.use/gentoo-kernel-bin << "EOF"
sys-kernel/gentoo-kernel-bin initramfs
EOF
emerge $ASK sys-kernel/gentoo-kernel-bin
eselect kernel set 1
# load module binfmt_misc
mkdir -p /etc/modules-load.d
echo "binfmt_misc" > /etc/modules-load.d/binfmt_misc.conf
# Configuring the system
# https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System
printf "${HD}1\t/boot\text4\tdefaults,noatime\t0 2\n" >> /etc/fstab
printf "${HD}2\t/\text4\tnoatime\t0 1\n" >> /etc/fstab
printf "${HD}3\tnone\tswap\tsw\t0 0\n" >> /etc/fstab
# Host and domain information
cat > /etc/conf.d/hostname << "EOF"
# Hostname fallback if /etc/hostname does not exist
hostname="gentoovm"
EOF
# network
emerge $ASK --noreplace net-misc/dhcp net-misc/netifrc
ln -s net.lo /etc/init.d/net.enp1s0
rc-update add net.enp1s0 default
rc-update del netmount default
cat > /etc/conf.d/net << "EOF"
# Note: DHCP is the default behavior if /etc/conf.d/net is empty or missing
config_enp1s0="dhcp"
EOF
# root password
passwd
printf "\nPermitRootLogin yes\n" >> /etc/ssh/sshd_config
# Installing system tools
# https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Tools
emerge $ASK app-admin/sysklogd net-misc/chrony
rc-update add sysklogd default
rc-update add chronyd default
# sshd, auditd
rc-update add sshd default
# Configuring the bootloader
# https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Bootloader
echo "sys-boot/grub -fonts -nls -themes" > /etc/portage/package.use/grub
emerge $ASK sys-boot/grub
grub-install "$HD"
grub-mkconfig -o /boot/grub/grub.cfg
# Finalizing
# sudo
# https://wiki.gentoo.org/wiki/Sudo
emerge $ASK app-admin/sudo
# add user
useradd -m -G users,wheel,audio -s /bin/bash gentoo
passwd gentoo
# remove allow root password login
sed -i '$d' /etc/ssh/sshd_config
mkdir -p /etc/sudoers.d
echo "gentoo ALL=(ALL:ALL) ALL" > /etc/sudoers.d/gentoo
visudo -cf /etc/sudoers.d/gentoo
#reboot into new system

* Once rebooted, install SELinux
Code:
#!/usr/bin/env bash
# Filename: 3-selinux.sh
set -exuo pipefail
#ASK="--ask"
ASK=""
printf "tmpfs\t/run\ttmpfs\tmode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t\t0 0\n" >> /etc/fstab
cat >> /etc/portage/make.conf << EOF
USE="peer_perms ubac"
EOF
eselect profile list
eselect profile set "default/linux/amd64/17.1/no-multilib/hardened/selinux"
FEATURES="-selinux" emerge $ASK -1 selinux-base
rc-update add auditd default
cat /etc/selinux/config
FEATURES="-selinux -sesandbox" emerge $ASK -1 selinux-base
FEATURES="-selinux -sesandbox" emerge $ASK -1 selinux-base-policy
emerge $ASK -uDN @world
dispatch-conf
emerge $ASK --depclean
mkdir /mnt/gentoo
mount -o bind / /mnt/gentoo
setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/{dev,home,proc,run,sys,tmp}
umount /mnt/gentoo
rmdir /mnt/gentoo
echo "gentoo ALL=(ALL:ALL) TYPE=sysadm_t ROLE=sysadm_r ALL" > /etc/sudoers.d/gentoo
visudo -cf /etc/sudoers.d/gentoo
rlpkg -a -r
semanage login -a -s staff_u gentoo
restorecon -R -F /home/gentoo
semanage user -m -R "staff_r sysadm_r system_r" root
semanage user -m -R "staff_r sysadm_r system_r" staff_u
mkdir -p /etc/dracut.conf.d
cat > /etc/dracut.conf.d/gentoo.conf << "EOF"
add_dracutmodules+=" selinux "
EOF
sed -i -E 's/^#GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="lsm=selinux"/g' /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
emerge --config sys-kernel/gentoo-kernel-bin
sed -i -E 's/^SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config
# reboot

Last edited by ca87 on Sun Sep 11, 2022 7:43 am; edited 3 times in total
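As an added example (not code from anyone in this thread), a small Python script that parses both AVC line shapes quoted above, the kernel/dmesg form ("audit: type=1400 ... avc: denied ...") and the auditd form ("type=AVC msg=audit(...) ..."), and separates the early-boot denials (PID 1, kernel_t/init_t, mount/mounton/load_policy) that halt an enforcing boot from ordinary service denials. The sample lines are constructed in the shape of the ones posted above.

```python
"""Parse SELinux AVC denial lines and rank the ones that block the boot.

Added example; understands the dmesg and auditd line shapes quoted in this
thread. Sample input below is constructed after those lines.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
[ 1.575850] audit: type=1400 audit(1662882106.253:3): avc: denied { mounton } for pid=1 comm="switch_root" path="/sysroot/run" dev="vda2" ino=131073 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
type=AVC msg=audit(1662881797.108:58): avc: denied { read } for pid=2060 comm="dhclient" name="random" dev="devtmpfs" ino=8 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1
[ 1.722638] audit: type=1400 audit(1662880846.620:3): avc: denied { load_policy } for pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Denials raised while the initramfs or PID 1 is still bringing the system up.
# In enforcing mode these halt the boot (see the kernel panic above); a service
# denial such as dhclient's only breaks that one service.
EARLY_BOOT_DOMAINS = {"kernel_t", "init_t"}
EARLY_BOOT_PERMS = {"load_policy", "mount", "mounton"}


def parse_avc(line):
    """Return a dict for one denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    rec["sdomain"] = rec["scontext"].split(":")[2]   # e.g. kernel_t
    rec["ttype"] = rec["tcontext"].split(":")[2]     # e.g. var_run_t
    rec["pid"] = int(rec.get("pid", -1))
    rec["enforced"] = rec.get("permissive") == "0"   # permissive=0 means the denial was applied
    return rec


def is_boot_blocking(rec):
    """True for denials that would stop the boot rather than one service."""
    early = rec["pid"] == 1 or rec["sdomain"] in EARLY_BOOT_DOMAINS
    return early and bool(rec["perms"] & EARLY_BOOT_PERMS)


def summarize(log_text):
    """Group denials per (source domain, target type, class, permission)."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    by_rule = Counter((r["sdomain"], r["ttype"], r["tclass"], p)
                      for r in recs for p in sorted(r["perms"]))
    blocking = [r for r in recs if is_boot_blocking(r)]
    return {"records": recs, "by_rule": by_rule, "boot_blocking": blocking}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (sd, tt, cls, perm), n in sorted(s["by_rule"].items()):
        print(f"{n:3d}  {sd} -> {tt} ({cls}) {perm}")
    for r in s["boot_blocking"]:
        mode = "ENFORCED" if r["enforced"] else "permissive"
        print(f"boot-blocking [{mode}]: pid={r['pid']} comm={r['comm']} "
              f"{r['sdomain']} {sorted(r['perms'])} on {r['ttype']}")
```

Feed it `dmesg` output or /var/log/audit/audit.log instead of SAMPLE_LOG; the `by_rule` counter is the same grouping audit2allow works from, and `boot_blocking` is the list to resolve before switching /etc/selinux/config to enforcing.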
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
ca87 n00b
Joined: 09 Sep 2022 Posts: 3
Posted: Sun Sep 11, 2022 7:23 am
Quote:
Ok you are using a live cd.
Plz boot in permissive mode and THEN relabel filesystem, rerun dracut, reinstall kernel and update grub. Anything you do via a livecd will lack proper file contexts in your selinux system.

Sorry for not being clear. I used the live cd only for installing the system, then I booted the system and followed the SELinux/Installation instructions.
For labeling I used the following command (like in the instructions):
Code:
mkdir -p /mnt/gentoo && mount -o bind / /mnt/gentoo && setfiles -r /mnt/gentoo /etc/selinux/strict/contexts/files/file_contexts /mnt/gentoo/{dev,home,proc,run,sys,tmp} && umount /mnt/gentoo && rmdir /mnt/gentoo && rlpkg -a -r

kernel & dracut:
Code:
emerge sys-kernel/gentoo-kernel-bin

But with enforcing=1 booting still fails with a kernel panic (Unable to load SELinux policy).
In permissive mode and after adding several policies using audit2allow I noticed the following output:
Code:
[ 1.722638] audit: type=1400 audit(1662880846.620:3): avc: denied { load_policy } for pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security permissive=1

Quote:
stage3-amd64-hardened-nomultilib-selinux-openrc

I also tried using the hardened-selinux stage, but it leads to the same issue.
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3879
Posted: Sun Sep 11, 2022 9:45 am
Ok when you boot into your system plz edit
Code:
GRUB_CMDLINE_LINUX=".......security=selinux selinux=1........."

then run
Code:
dracut --force #### check if selinux module is loaded
grub-mkconfig -o /boot/grub/grub.cfg

this
Quote:
[ 1.722638] audit: type=1400 audit(1662880846.620:3): avc: denied { load_policy } for pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security permissive=1

means init can not load selinux policy.
Maybe dracut problem?
If the above doesn't help, start with
Code:
getsebool -a and setsebool <-P> <boolean> on|off ###try to find anything related to init dracut boot etc
semanage fcontext -a -t <context > <files|directories>
restorecon -R <file|directory>
write policy

Your script lacks selinux options for /run and /tmp
https://wiki.gentoo.org/wiki/SELinux/Installation#Setting_file_system_contexts
Also maybe policy=strict is way too much.
Try targeted and relabel.
EDIT I installed a new minimal selinux system on disk with dracut and grub and it boots just fine in Enforcing/strict.
You have
Quote:
switch_root: failed to mount moving /run to /sysroot/run: Permission denied
switch_root: forcing unmount of /run
[ 1.575850] audit: type=1400 audit(1662882106.253:3): avc: denied { mounton } for pid=1 comm="switch_root" path="/sysroot/run" dev="vda2" ino=131073 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.

Try
Code:
setsebool -P init_mounton_non_security on

and
Code:
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0

in /etc/fstab.
First try the fstab way.
Then the boolean.
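To check the three boot-time settings this reply and the earlier 3-selinux.sh touch (kernel command line, dracut module list, tmpfs rootcontext entries for /run and /tmp) before rebooting into enforcing mode, here is an added Python lint (not code from the thread or from Gentoo). It works on text you pass in, so feed it the contents of /etc/default/grub, /etc/dracut.conf.d/*.conf and /etc/fstab; the sample below is constructed to mirror the poster's script, which sets /run but not /tmp.

```python
"""Lint the boot-time SELinux settings discussed in this thread.

Added example. Required values are the ones quoted in the thread: the kernel
command line must select the selinux LSM, dracut must include its selinux
module, and /run and /tmp must be tmpfs with an explicit rootcontext.
"""
import re

# Mount points that need a tmpfs with a fixed rootcontext (from the fstab lines above).
REQUIRED_ROOTCONTEXT = {
    "/run": "system_u:object_r:var_run_t",
    "/tmp": "system_u:object_r:tmp_t",
}


def check_grub(grub_default):
    """GRUB_CMDLINE_LINUX must carry security=selinux or an lsm= list naming selinux."""
    m = re.search(r'^\s*GRUB_CMDLINE_LINUX="([^"]*)"', grub_default, re.M)
    if not m:
        return ["GRUB_CMDLINE_LINUX is unset or commented out"]
    args = m.group(1).split()
    lsm_lists = [a.split("=", 1)[1].split(",") for a in args if a.startswith("lsm=")]
    if "security=selinux" in args or any("selinux" in lst for lst in lsm_lists):
        return []
    return ["GRUB_CMDLINE_LINUX does not enable the selinux LSM"]


def check_dracut(dracut_conf):
    """The initramfs needs the selinux dracut module to load the policy before switch_root."""
    mods = set()
    for m in re.finditer(r'^\s*add_dracutmodules\+?="([^"]*)"', dracut_conf, re.M):
        mods.update(m.group(1).split())
    return [] if "selinux" in mods else ["dracut: selinux module not in add_dracutmodules"]


def check_fstab(fstab):
    """Each required mount point must be tmpfs and carry the expected rootcontext option."""
    seen = {}
    for line in fstab.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 4:
            seen[parts[1]] = (parts[2], parts[3].split(","))
    findings = []
    for mnt, ctx in REQUIRED_ROOTCONTEXT.items():
        if mnt not in seen:
            findings.append(f"fstab: no entry for {mnt}")
        elif seen[mnt][0] != "tmpfs" or f"rootcontext={ctx}" not in seen[mnt][1]:
            findings.append(f"fstab: {mnt} is not tmpfs with rootcontext={ctx}")
    return findings


def lint(grub_default, dracut_conf, fstab):
    """Return all findings; an empty list means the three settings are in place."""
    return check_grub(grub_default) + check_dracut(dracut_conf) + check_fstab(fstab)


# Constructed sample mirroring the poster's 3-selinux.sh: /run is set, /tmp is not.
SAMPLE_GRUB = 'GRUB_CMDLINE_LINUX="lsm=selinux"\n'
SAMPLE_DRACUT = 'add_dracutmodules+=" selinux "\n'
SAMPLE_FSTAB = (
    "/dev/vda2\t/\text4\tnoatime\t0 1\n"
    "tmpfs\t/run\ttmpfs\tmode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t\t0 0\n"
)

if __name__ == "__main__":
    for finding in lint(SAMPLE_GRUB, SAMPLE_DRACUT, SAMPLE_FSTAB):
        print(finding)
```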