SELinux: Unable to switch to permissive mode

18 posts • Page 1 of 1

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

SELinux: Unable to switch to permissive mode

Post by vyedmic » Mon Dec 16, 2024 1:50 pm

Hello,

I have followed the SELinux installation guide and have now multiple times selected the SELinux profile and then de-selected it, rebuilt world, and depcleaned all SELinux remnants, but I always hit this same problem. It does not matter whether SELINUX=permissive is set or whether enforcing=0 is passed to the kernel. This error always stops init from running.

Code:

SELinux: Unable to switch to permissive mode: Invalid argument

https://paste.pics/SIYEG

sMueggli
l33t
Posts: 627
Joined: Sat Sep 03, 2022 9:22 am

Post by sMueggli » Mon Dec 16, 2024 3:26 pm

How or where did you set it?

Does the kernel boot if you pass (ad-hoc) "selinux=0" to the kernel parameters?

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

Post by vyedmic » Mon Dec 16, 2024 3:27 pm

Yes, the kernel boots without lsm=selinux.

I set it in /etc/selinux/config and I also tried passing enforcing=0 to the kernel.

sMueggli
l33t
Posts: 627
Joined: Sat Sep 03, 2022 9:22 am

Post by sMueggli » Mon Dec 16, 2024 3:45 pm

Can you please share your complete /etc/selinux/config?

And also the kernel parameters that you pass to the kernel?

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

Post by vyedmic » Mon Dec 16, 2024 3:59 pm

Kernel parameters

Code:

root=PARTUUID=my-root-part-uuid ro lsm=selinux

/etc/selinux/config is standard, unchanged from the install.

Code:

# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=strict

I am at the point of the SELinux installation guide where I am supposed to reboot to label my system.

nicop
Apprentice
Posts: 156
Joined: Thu Apr 10, 2014 11:54 am

Post by nicop » Tue Dec 17, 2024 9:04 am

Did you set CONFIG_SECURITY_SELINUX_BOOTPARAM=y?

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

Post by vyedmic » Tue Dec 17, 2024 11:10 am

Yes I did.

Since I am at such an early stage, I am considering nuking the install and starting again.

Unless it would be useful to investigate further?

nicop
Apprentice
Posts: 156
Joined: Thu Apr 10, 2014 11:54 am

Post by nicop » Tue Dec 17, 2024 2:10 pm

I also see 'unlabeled_t'; something has to be solved.

Hu
Administrator
Posts: 24403
Joined: Tue Mar 06, 2007 5:38 am

Post by Hu » Tue Dec 17, 2024 2:53 pm

Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time?

sMueggli
l33t
Posts: 627
Joined: Sat Sep 03, 2022 9:22 am

Post by sMueggli » Tue Dec 17, 2024 4:32 pm

Does adding "lsm.debug" to the kernel command line show more output?

Did you install from scratch or did you convert an existing installation?

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

Post by vyedmic » Tue Dec 17, 2024 8:27 pm

Hu wrote:
> Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time?

I think I know how I got into this situation. It is an edge case. I have labelled my system directories using file_contexts.local by being overzealous with tab. I didn't realise I need selinux-dbus to get the file_contexts, as I don't want dbus on my system. Should it still prevent me from booting even after switching to the non-selinux profile, depcleaning and manually deleting all selinux remnants?

I had hoped someone has encountered something similar.

Can I nuke it and be a good person and install selinux-dbus and see how far I can get before inevitably breaking it again?

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

Post by vyedmic » Sat Dec 21, 2024 10:20 am

Formatted /, followed the handbook up until I booted in. Installed only app-misc/screen and then followed the SELinux Installation guide. I am at exactly the same spot. The only thing that did not change is the kernel.

Did I make a mistake by using the H/SELinux stage3?

lsm.debug does not add anything.

Can I dump the kernel config here, or is there a preferred way?

grknight
Retired Dev
Posts: 2565
Joined: Fri Feb 20, 2015 9:36 pm

Post by grknight » Sat Dec 21, 2024 2:02 pm

vyedmic wrote:
> Formatted /, followed the handbook up until I booted in. Installed only app-misc/screen and then followed the SELinux Installation guide. I am at exactly the same spot. The only thing that did not change is the kernel.

Do you mean https://wiki.gentoo.org/wiki/SELinux/Installation ? If so, this guide is for an existing install that did not include an SELinux stage3 originally. The stage3 includes all of those listed steps.

From that link:

> This document assumes the reader starts with an existing Gentoo Linux system which needs to be converted to Gentoo with SELinux. It is possible to make the right decisions during a Gentoo installation to immediately start with an SELinux system. However, this article is focusing on a conversion of an existing system as that is the most common approach.

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

Post by vyedmic » Sat Dec 21, 2024 3:05 pm

Thanks. I'll try again.

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

Post by vyedmic » Sun Dec 22, 2024 9:51 pm

I formatted again and followed the guide to the letter, using the Hardened stage 3 and then converting it to SELinux. I get exactly the same result as in the screenshot in the first post. So it does not seem to be anything I did wrong after all...

Code:

SELinux: Unable to switch to permissive mode: Invalid argument

I tried following the below from https://wiki.gentoo.org/wiki/SELinux/Installation using the H/SELinux stage 3.

> SELinux stage3 tarballs are also available and supported - this is significantly easier than performing the steps below. The tarballs can be simply unpacked onto a target system, relabel the entire system, add the initial user to the administration SELinux user and reboot.

This is the result when I try relabelling as the above suggests:

Code:

localhost / # rlpkg -a
Relabeling filesystem types: btrfs encfs ext2 ext3 ext4 ext4dev f2fs gfs gfs2 gpfs jffs2 jfs lustre xfs zfs
Running /sbin/setfiles /etc/selinux/strict/contexts/files/file_contexts /
/etc/selinux/strict/contexts/files/file_contexts: No such file or directory
Scanning for shared libraries with text relocations...
/usr/lib/python3.12/subprocess.py:1016: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
  self.stdout = io.open(c2pread, 'rb', bufsize)
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.

localhost / # ls -Z /etc/portage/make.conf
? /etc/portage/make.conf

localhost / # semanage login -a -s staff_u admin
libsemanage.semanage_read_policydb: Could not open kernel policy /var/lib/selinux/strict/active/policy.kern for reading. (No such file or directory).
FileNotFoundError: No such file or directory

I am really trying to decipher these guides, but they are proving to be full of catch-22s. How am I supposed to relabel a system when no file_contexts exists? Is it even possible to assign a user to staff_u while being booted into a Live CD kernel?

vyedmic
n00b
Posts: 51
Joined: Thu Dec 02, 2010 3:39 pm

Post by vyedmic » Sun Dec 29, 2024 5:17 pm

So, finally, success with a new-from-scratch kernel and the H/SELinux stage3, onto which selinux-dbus and selinux-policykit need to be emerged first, before attempting to relabel and adding the user to staff_u.

nicop
Apprentice
Posts: 156
Joined: Thu Apr 10, 2014 11:54 am

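An added pre-flight check (my own example, not from this thread or from Gentoo's SELinux tooling) that catches the catch-22 described above before rebooting into a relabel: it reads SELINUX= and SELINUXTYPE= from an /etc/selinux/config in the format posted earlier and verifies that the two files rlpkg/setfiles and semanage reported missing actually exist. The function name selinux_preflight, the root-prefix argument and the test data are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo's SELinux tooling):
# pre-flight check to run before rebooting into a relabel. It reads
# SELINUX= and SELINUXTYPE= from an /etc/selinux/config-style file and
# confirms that the two files rlpkg/setfiles and semanage reported as
# missing in the thread exist under a root prefix ("" or "/" = live root).
# Usage: selinux_preflight <config-file> <root-prefix>
# Prints each problem and returns the number of problems found (0 = ok).

selinux_preflight() {
    cfg=$1
    root=${2%/}
    problems=0

    # Only uncommented KEY=VALUE lines count; the last one wins.
    # The [a-z]* capture stops at the first non-letter.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    type=$(sed -n 's/^[[:space:]]*SELINUXTYPE=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)

    case $mode in
        enforcing|permissive|disabled) ;;
        *)  echo "SELINUX='$mode': expected enforcing, permissive or disabled"
            problems=$((problems + 1)) ;;
    esac
    case $type in
        targeted|strict|mls|mcs) ;;
        *)  echo "SELINUXTYPE='$type': expected targeted, strict, mls or mcs"
            problems=$((problems + 1)) ;;
    esac

    # The paths that failed in the thread: file_contexts is what setfiles
    # relabels from, policy.kern is what semanage opens. Both belong to the
    # installed policy store for $type, so a missing one means the policy
    # modules were never fully built and a reboot would hit the same wall.
    for f in \
        "/etc/selinux/$type/contexts/files/file_contexts" \
        "/var/lib/selinux/$type/active/policy.kern"
    do
        [ -f "$root$f" ] || { echo "missing $f"; problems=$((problems + 1)); }
    done
    return "$problems"
}
```

Run it against the live root (selinux_preflight /etc/selinux/config /) before the relabel reboot; a non-zero return with "missing ..." lines is the state the rlpkg and semanage output above was showing.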
Post by nicop » Mon Dec 30, 2024 7:56 am

Too bad that it affects the installation media...
I had encountered the same bug recently: https://bugs.gentoo.org/941785

authlogin.pp (sec-policy/selinux-base-policy) does not install without selinux-dbus but it doesn’t interrupt emerge.

salam
Apprentice
Posts: 231
Joined: Thu Sep 29, 2005 8:52 am

Post by salam » Sat Jan 11, 2025 11:12 am

Had the same mess with authlogin; I decided to get rid of that manually:

Code:

# cat /etc/portage/patches/sec-policy/selinux-base-policy/make-authlogin-systemd-optional.patch
--- a/refpolicy/policy/modules/system/authlogin.te      2024-09-16 19:52:00.000000000 +0200
+++ b/refpolicy/policy/modules/system/authlogin2.te     2024-10-02 09:37:34.511501889 +0200
@@ -142,7 +142,10 @@

 auth_read_shadow_history(chkpwd_t)
 auth_use_nsswitch(chkpwd_t)
-auth_use_pam_systemd(chkpwd_t)
+
+ifdef(`init_systemd',`
+       auth_use_pam_systemd(chkpwd_t)
+')

 logging_send_audit_msgs(chkpwd_t)
 logging_send_syslog_msg(chkpwd_t)
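Review bot: the two header lines disagree on the target path, `--- a/refpolicy/policy/modules/system/authlogin.te` versus `+++ b/refpolicy/policy/modules/system/authlogin2.te`; make both name authlogin.te so the result does not depend on which side the patch tool takes the filename from. The hunk body itself is consistent with the rest of the file: wrapping auth_use_pam_systemd(chkpwd_t) in an ifdef(`init_systemd', ...) block follows refpolicy's existing M4 conditionals, and the counts in `@@ -142,7 +142,10 @@` agree with the one removed and four added lines. The extra blank line introduced by the first `+` line is harmless but could be dropped.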