Gentoo Forums
Dracut cannot boot with "selinux" dracutmodule
Gentoo Forums Forum Index :: Networking & Security
FlyingBullets
n00b
Joined: 19 Mar 2024
Posts: 5

Posted: Sat Mar 23, 2024 7:26 pm    Post subject: Dracut cannot boot with "selinux" dracutmodule

Hello, I'm trying to boot into an SELinux installation, but it won't boot when SELinux is in enforcing mode; I have to keep it in permissive. I get the following dmesg every time it boots (in permissive). I tried using audit2allow for the AVC errors and installing the new policies, but I ended up doing that 3 times before running into mlsconstrain errors. I also tried enabling the SELinux booleans named "init_*", but it still won't boot. I followed the SELinux/Installation guide with an SELinux stage3.

I *can* boot with SELinux in enforcing mode if I remove "selinux" from dracutmodules, but I still get the errors at boot. Do I even need the "selinux" module in dracut?

Thank you for your consideration.

stage3
Code:
amd64-hardened-nomultilib-selinux-openrc


/etc/portage/make.conf
Code:
POLICY_TYPES="mls"
USE="... ubac -unconfined ..."


/etc/dracut.conf
Code:
dracutmodules+=" selinux crypt dm rootfs-block lvm drm qemu "
kernel_cmdline+=" rd.luks.uuid=0aa88d14-609b-4418-9690-e9eaf431c2a1 rd.lvm.vg=vg0 root=/dev/mapper/vg0-root rd.luks.allow-discards "
install_items="/lib64/elogind/elogind-uaccess-command /etc/crypttab"
early_microcode="yes"
hostonly="yes"
compress="cat"


/etc/crypttab
Code:
sda2_crypt /dev/sda2 none


/etc/selinux/config
Code:
SELINUX=permissive
SELINUXTYPE=mls


/etc/fstab
Code:
/dev/sda1               /boot   vfat    defaults,noatime,discard    1 2
/dev/mapper/vg0-swap    none    swap    sw                          0 0
/dev/mapper/vg0-root    /       ext4    defaults,noatime,discard    0 1


lsblk output
Code:
NAME            MOUNTPOINTS TYPE
sda                         disk
|-sda1          /boot       part
`-sda2                      part
  `-sda2_crypt              crypt
    |-vg0-root  /           lvm
    `-vg0-swap  [SWAP]      lvm


/var/log/dmesg
Code:
...
[    0.108655] LSM: initializing lsm=lockdown,capability,selinux,integrity
[    0.108684] SELinux:  Initializing.
...
[    0.787366] dracut: Gentoo-2.14
...
[    1.365978] dracut: luksOpen /dev/sda2 sda2_crypt none
[   12.049841] dracut: Scanning devices dm-0  for LVM logical volumes vg0/root
[   12.049881] vg0/swap
[   12.076058] dracut:   vg0/root linear
[   12.076097]   vg0/swap linear
[   12.218296] dracut: Scanning devices dm-0  for LVM volume groups vg0
[   12.247719] dracut: Found volume group "vg0" using metadata type lvm2
[   12.281616] dracut: 2 logical volume(s) in volume group "vg0" now active
[   12.383193] EXT4-fs (dm-1): mounted filesystem 333b3a9d-002d-4f10-b736-ab8093f20d43 ro with ordered data mode. Quota mode: disabled.
[   12.435822] EXT4-fs (dm-1): unmounting filesystem 333b3a9d-002d-4f10-b736-ab8093f20d43.
[   12.451461] dracut: Checking ext4: /dev/dm-1
[   12.451791] dracut: issuing e2fsck -a /dev/dm-1
[   12.471565] dracut: ROOT_0: clean, 421328/6553600 files, 4455966/26214400 blocks
[   12.476622] dracut: Mounting /dev/mapper/vg0-root with -o rw,noatime,seclabel,discard,ro
[   12.486301] EXT4-fs (dm-1): mounted filesystem 333b3a9d-002d-4f10-b736-ab8093f20d43 ro with ordered data mode. Quota mode: disabled.
[   12.515818] dracut: Mounted root filesystem /dev/mapper/vg0-root
[   12.531473] dracut: Loading SELinux policy
[   12.594246] SELinux:  policy capability network_peer_controls=1
[   12.594275] SELinux:  policy capability open_perms=1
[   12.594288] SELinux:  policy capability extended_socket_class=1
[   12.594301] SELinux:  policy capability always_check_network=0
[   12.594315] SELinux:  policy capability cgroup_seclabel=1
[   12.594327] SELinux:  policy capability nnp_nosuid_transition=1
[   12.594341] SELinux:  policy capability genfs_seclabel_symlinks=0
[   12.594354] SELinux:  policy capability ioctl_skip_cloexec=0
[   12.611182] audit: type=1403 audit(1710952495.782:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[   12.616112] dracut:
[   12.684279] dracut: Switching root
[   12.689196] audit: type=1400 audit(1710952495.859:3): avc:  denied  { mounton } for  pid=1 comm="init" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=1
[   12.689290] audit: type=1400 audit(1710952495.859:4): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="proc" ino=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
[   12.689367] audit: type=1400 audit(1710952495.859:5): avc:  denied  { mounton } for  pid=1 comm="init" path="/sys" dev="sysfs" ino=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
[   12.691135] audit: type=1400 audit(1710952495.859:6): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=1
[   12.694624] audit: type=1400 audit(1710952495.859:7): avc:  denied  { mount } for  pid=1 comm="init" name="/" dev="selinuxfs" ino=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem permissive=1
[   12.697476] audit: type=1400 audit(1710952495.859:8): avc:  denied  { unmount } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
[   12.698843] audit: type=1400 audit(1710952495.867:9): avc:  denied  { search } for  pid=1 comm="init" name="policy" dev="dm-1" ino=344185 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:policy_config_t:s15:c0.c1023 tclass=dir permissive=1
[   12.701187] audit: type=1400 audit(1710952495.867:10): avc:  denied  { read } for  pid=1 comm="init" name="policy.33" dev="dm-1" ino=263670 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=flyingbullets_u:object_r:policy_config_t:s0 tclass=file permissive=1
[   12.703533] audit: type=1400 audit(1710952495.867:11): avc:  denied  { open } for  pid=1 comm="init" path="/etc/selinux/mls/policy/policy.33" dev="dm-1" ino=263670 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=flyingbullets_u:object_r:policy_config_t:s0 tclass=file permissive=1
[   12.703896] SELinux:  Converting 37 SID table entries...
[   12.711301] SELinux:  policy capability network_peer_controls=1
[   12.712436] SELinux:  policy capability open_perms=1
[   12.713562] SELinux:  policy capability extended_socket_class=1
[   12.714706] SELinux:  policy capability always_check_network=0
[   12.715824] SELinux:  policy capability cgroup_seclabel=1
[   12.716956] SELinux:  policy capability nnp_nosuid_transition=1
[   12.718103] SELinux:  policy capability genfs_seclabel_symlinks=0
[   12.719222] SELinux:  policy capability ioctl_skip_cloexec=0
...
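An added example, not from the post above and not part of Gentoo's or dracut's tooling: it parses AVC records in the dmesg format shown above and separates plain missing-allow-rule denials from the ones an audit2allow rule cannot fix, which is the situation the post describes (audit2allow reporting mlsconstrain violations). It reads the MLS ranges out of scontext/tcontext and flags a denial when the subject's current level does not dominate the target's level, as with init_t at s0 searching a policy directory labelled s15:c0.c1023; it also flags a system file whose SELinux user is a login user rather than system_u, as with policy.33 labelled flyingbullets_u. The sample lines are copied from the dmesg above, except one constructed permissive=0 line showing how the same record reads once SELINUX=enforcing.

```python
"""Classify SELinux AVC denials from dmesg: which ones are MLS constraint candidates?

Added example, not code from the forum post or from Gentoo. The sample input is
copied from the post's dmesg, plus one constructed enforcing-mode line.
"""
import re

# Constructed sample input (three lines copied from the post, one constructed).
SAMPLE_AVC_LINES = [
    '[   12.689196] audit: type=1400 audit(1710952495.859:3): avc:  denied  { mounton } for  pid=1 comm="init" path="/proc" dev="proc" ino=1 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=dir permissive=1',
    '[   12.698843] audit: type=1400 audit(1710952495.867:9): avc:  denied  { search } for  pid=1 comm="init" name="policy" dev="dm-1" ino=344185 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:policy_config_t:s15:c0.c1023 tclass=dir permissive=1',
    '[   12.701187] audit: type=1400 audit(1710952495.867:10): avc:  denied  { read } for  pid=1 comm="init" name="policy.33" dev="dm-1" ino=263670 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=flyingbullets_u:object_r:policy_config_t:s0 tclass=file permissive=1',
    # CONSTRUCTED: the same search denial as it would appear with SELINUX=enforcing.
    '[   12.698843] audit: type=1400 audit(1710952495.867:9): avc:  denied  { search } for  pid=1 comm="init" name="policy" dev="dm-1" ino=344185 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:policy_config_t:s15:c0.c1023 tclass=dir permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, empty set). Handles 'c0.c3,c7' too."""
    sens, _, catspec = level.partition(':')
    cats = set()
    for item in filter(None, catspec.split(',')):
        lo, _, hi = item.partition('.')
        lo_n, hi_n = int(lo[1:]), int((hi or lo)[1:])
        cats.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(cats)


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and b[1] <= a[1]


def parse_context(ctx):
    """'user:role:type[:low[-high]]' -> dict. A context without a range is treated as s0."""
    parts = ctx.split(':', 3)
    rng = parts[3] if len(parts) == 4 else 's0'
    low, _, high = rng.partition('-')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'low': parse_level(low), 'high': parse_level(high or low)}


def parse_avc(line):
    """Return the AVC fields of one dmesg/audit line, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'perms': m.group('perms').split(), 'comm': f.get('comm'),
            'tclass': f.get('tclass'), 'target': f.get('path') or f.get('name'),
            'permissive': f.get('permissive') == '1',
            'scontext': parse_context(f['scontext']),
            'tcontext': parse_context(f['tcontext'])}


def mls_violation(rec):
    """True when the subject's current (low) level does not dominate the target level.
    Reference policy's mlsconstrain rules deny read-like access in that case unless the
    subject type carries an MLS override attribute such as mlsfileread, so an allow
    rule generated by audit2allow does not help; the constraint itself has to be satisfied."""
    return not dominates(rec['scontext']['low'], rec['tcontext']['low'])


def analyse(lines):
    """One summary dict per denial, with notes explaining why audit2allow alone is not enough."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        notes = []
        if mls_violation(rec):
            notes.append('mls-constraint-candidate')
        if rec['scontext']['user'] == 'system_u' and rec['tcontext']['user'] != 'system_u':
            # A file's SELinux user is inherited from the process that created it. A system
            # file carrying a login user is a labelling problem: `restorecon -F` resets the
            # user/role/range part as well as the type (plain restorecon only fixes the type).
            notes.append('target-has-login-user')
        out.append({'perms': rec['perms'], 'tclass': rec['tclass'], 'target': rec['target'],
                    'stype': rec['scontext']['type'], 'ttype': rec['tcontext']['type'],
                    'enforced': not rec['permissive'], 'notes': notes})
    return out


def blockers(lines):
    """Only the denials that were actually enforced (permissive=0): these stop the boot."""
    return [r for r in analyse(lines) if r['enforced']]


if __name__ == '__main__':
    for r in analyse(SAMPLE_AVC_LINES):
        print(r)
```

Run it against `dmesg` or `ausearch -m avc` output to see which denials are ordinary missing rules (feed those to audit2allow) and which are level or labelling problems that need a relabel or a policy-level change instead.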
deagol
n00b
Joined: 12 Jul 2014
Posts: 62

Posted: Mon Mar 25, 2024 1:42 pm

This reminds me of the console messages I got while debugging my issue here: https://forums.gentoo.org/viewtopic-t-1168024.html.
Now I'm not using an initrd, so your setup is for sure more complicated and may have other issues...

But can you please run "ps -efZ | grep init" and paste the result when in permissive mode?

And what profile are you using?
The question basically is whether you have a merged-usr or split-usr installation, since it looks to me like Gentoo SELinux can only work with split-usr.

You may also check "ls -lZ /sbin/openrc".
If the type is bin_t, you almost certainly have the same issue.
FlyingBullets
n00b
Joined: 19 Mar 2024
Posts: 5

Posted: Fri Mar 29, 2024 5:41 pm

I did a reinstall of Gentoo and had to debug some issues in my install script.

Quote:
This reminds me of the console messages I gut while debugging my issue here: https://forums.gentoo.org/viewtopic-t-1168024.html

That links to this post.

Code:
$ ps -efZ | grep init
system_u:system_r:init_t:s0-s15:c0.c1023 root 1 0 0 Mar27 ? 00:00:00 init [3]


Quote:
And what profile are you using?

default/linux/amd64/17.1/no-multilib/hardened/selinux

Code:
$ ls -lZ /sbin/openrc
-rwxr-xr-x. 1 root root system_u:object_r:rc_exec_t:s0 55344 Mar 24 17:03 /sbin/openrc
FlyingBullets
n00b
Joined: 19 Mar 2024
Posts: 5

Posted: Thu Aug 08, 2024 6:17 pm

Update:
I've re-installed Gentoo (currently on 23.0 profiles) and selected the 'mcs' policy (one of the officially supported policies). The issue still exists where the selinux dracutmodule causes a kernel panic when SELinux is set to enforcing. I even tried the 'strict' policy; it still failed.
All times are GMT