I am using selinux with mcs policy. I orginally had 6.4.3-gentoo kernel installed but when it was switched to enforcing, kmod-static-nodes failed and the kernel locked up. Downgrading to the newest stable kernel fixed that problem. Now when i switch to enforcing, I get several errors:
ln: failed to create symbolic link '/etc/mtab': Permission denied
Could not clean up underlying /run on /
ERROR: systemd-tmpfiles-setup failed to start
Hyprland window manager also will not start. I'm dont know if its because of these issues during boot or not. My user is in the input group. Everything works fine in permissive with no errors or warnings. I'm running a musl-llvm-hardened system with selinux installed.
Selinux problems when set to 'enforcing'
Message
- Pipeartist
- n00b
- Posts: 12
- Joined: Sun Feb 12, 2023 2:55 pm
- rab0171610
- l33t
- Posts: 721
- Joined: Sat Dec 24, 2022 1:41 am
https://wiki.gentoo.org/wiki/SELinux/In ... on#Relabel
Is it possible this applies to you?
Is it possible this applies to you?
- Pipeartist
- n00b
- Posts: 12
- Joined: Sun Feb 12, 2023 2:55 pm
- rab0171610
- l33t
- Posts: 721
- Joined: Sat Dec 24, 2022 1:41 am
I am do not have a lot of experience in this area, but you could try restoring the default context. 'restorecon' is provided by sys-apps/
policycoreutils.
https://man7.org/linux/man-pages/man8/restorecon.8.html
The -nv option will only show you what might be changed:
It might be insightful and should be harmless.
You would have to do your own research on this. It may or may not be necessary or even help.
I would post the relevant dmesg output in the meantime so that someone skilled in this area can better help you.
policycoreutils.
https://man7.org/linux/man-pages/man8/restorecon.8.html
Code: Select all
restorecon -Rvn /The -nv option will only show you what might be changed:
-n don't change any file labels (passive check). To display
the files whose labels would be changed, add -v.
It might be insightful and should be harmless.
You would have to do your own research on this. It may or may not be necessary or even help.
I would post the relevant dmesg output in the meantime so that someone skilled in this area can better help you.
- Pipeartist
- n00b
- Posts: 12
- Joined: Sun Feb 12, 2023 2:55 pm
Here is the selinux related feedback in dmesg:
Code: Select all
[ 2.130659] SELinux: Permission cmd in class io_uring not defined in policy.
[ 2.131041] SELinux: the above unknown classes and permissions will be allowed
[ 2.132208] SELinux: policy capability network_peer_controls=1
[ 2.132572] SELinux: policy capability open_perms=1
[ 2.132933] SELinux: policy capability extended_socket_class=1
[ 2.133295] SELinux: policy capability always_check_network=0
[ 2.133653] SELinux: policy capability cgroup_seclabel=1
[ 2.134011] SELinux: policy capability nnp_nosuid_transition=1
[ 2.134371] SELinux: policy capability genfs_seclabel_symlinks=0
[ 2.134729] SELinux: policy capability ioctl_skip_cloexec=0
[ 2.158295] audit: type=1403 audit(1689726177.276:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[ 2.159612] audit: type=1400 audit(1689726177.277:3): avc: denied { create } for pid=1 comm="init" name="initctl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1
[ 2.159998] audit: type=1400 audit(1689726177.277:4): avc: denied { read write } for pid=1 comm="init" name="initctl" dev="tmpfs" ino=363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1
[ 2.159999] audit: type=1400 audit(1689726177.277:5): avc: denied { open } for pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1
[ 2.159999] audit: type=1400 audit(1689726177.277:6): avc: denied { getattr } for pid=1 comm="init" path="/run/initctl" dev="tmpfs" ino=363 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=fifo_file permissive=1
[ 2.188081] init-early.sh (564) used greatest stack depth: 11576 bytes left
[ 2.512056] audit: type=1400 audit(1689726177.629:7): avc: denied { sys_resource } for pid=975 comm="systemd-tmpfile" capability=24 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1
[ 2.512067] audit: type=1400 audit(1689726177.629:8): avc: denied { setrlimit } for pid=975 comm="systemd-tmpfile" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1
[ 2.530153] audit: type=1400 audit(1689726177.647:9): avc: denied { getattr } for pid=1008 comm="start-stop-daem" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1- rab0171610
- l33t
- Posts: 721
- Joined: Sat Dec 24, 2022 1:41 am
I do not know whether any of those are significant or not. If you think that you have everything installed and set up correctly, then it is safe to run:
and possibly:
and analyze the output.
see:
https://wiki.gentoo.org/wiki/SELinux/Tu ... s_on_files
Notice the boxes designated 'Important' and 'Note'.
Code: Select all
restorecon -Rvn / Code: Select all
restorecon -FRvn / see:
https://wiki.gentoo.org/wiki/SELinux/Tu ... s_on_files
Notice the boxes designated 'Important' and 'Note'.