Gentoo Forums
SELinux: Unable to switch to permissive mode

vyedmic
n00b
Joined: 02 Dec 2010
Posts: 47

Posted: Mon Dec 16, 2024 1:50 pm    Post subject: SELinux: Unable to switch to permissive mode

Hello,

I have followed the SELinux installation guide and have now multiple times selected the SELinux profile and then de-selected it, rebuilt world and depcleaned all selinux remnants, but I always hit this same problem. It does not matter whether SELINUX=permissive is set or whether enforcing=0 is passed to the kernel. This error always stops init from running.

Code:
SELinux: Unable to switch to permissive mode: Invalid argument


https://paste.pics/SIYEG

sMueggli
Guru
Joined: 03 Sep 2022
Posts: 513

Posted: Mon Dec 16, 2024 3:26 pm

How or where did you set it?

Does the kernel boot if you pass (ad-hoc) "selinux=0" to the kernel parameters?

vyedmic
n00b
Joined: 02 Dec 2010
Posts: 47

Posted: Mon Dec 16, 2024 3:27 pm

Yes, the kernel boots without lsm=selinux.

I set it in /etc/selinux/config and I also tried passing enforcing=0 to the kernel.

sMueggli
Guru
Joined: 03 Sep 2022
Posts: 513

Posted: Mon Dec 16, 2024 3:45 pm

Can you please share your complete /etc/selinux/config?

And also the kernel parameters that you pass to the kernel?

vyedmic
n00b
Joined: 02 Dec 2010
Posts: 47

Posted: Mon Dec 16, 2024 3:59 pm

Kernel parameters

Code:
root=PARTUUID=my-root-part-uuid ro lsm=selinux


/etc/selinux/config is standard, unchanged from the install.

Code:
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=strict


I am at the point of the SELinux installation guide where I am supposed to reboot to label my system.

nicop
Tux's lil' helper
Joined: 10 Apr 2014
Posts: 103

Posted: Tue Dec 17, 2024 9:04 am

Did you set CONFIG_SECURITY_SELINUX_BOOTPARAM=y ?

vyedmic
n00b
Joined: 02 Dec 2010
Posts: 47

Posted: Tue Dec 17, 2024 11:10 am

Yes I did.

Since I am in such an early stage, I am considering nuking the install and starting again.

Unless it would be useful to investigate further?

nicop
Tux's lil' helper
Joined: 10 Apr 2014
Posts: 103

Posted: Tue Dec 17, 2024 2:10 pm

I also see 'unlabeled_t', something has to be solved.

Hu
Administrator
Joined: 06 Mar 2007
Posts: 22848

Posted: Tue Dec 17, 2024 2:53 pm

Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time?

sMueggli
Guru
Joined: 03 Sep 2022
Posts: 513

Posted: Tue Dec 17, 2024 4:32 pm

Does adding "lsm.debug" to the kernel command line show more output?

Did you install from scratch or did you convert an existing installation?

vyedmic
n00b
Joined: 02 Dec 2010
Posts: 47

Posted: Tue Dec 17, 2024 8:27 pm

Hu wrote:
Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time?


I think I know how I got into this situation. It is an edge case. I have labelled my system directories using file_contexts.local by being overzealous with tab. I didn't realise I need selinux-dbus to get the file_contexts as I don't want dbus on my system. Should it still prevent me from booting even after switching to a non-selinux profile, depcleaning and manually deleting all selinux remnants?

I had hoped someone has encountered something similar.

Can I nuke it and be a good person and install selinux-dbus and see how far I can get before inevitably breaking it again?
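
The checks the replies ask for (the kernel command line, /etc/selinux/config and the kernel's SELinux build options), gathered into one script. This is an added example and not part of any post in the thread; the function names, the verdict strings and the sample kernel .config are constructed. CONFIG_SECURITY_SELINUX_DEVELOP is not mentioned in the thread and is included because the kernel's Kconfig help ties permissive mode to it.

```shell
# Print the value of the last "name=value" token on a kernel command line.
cmdline_param() {  # $1 = command line, $2 = parameter name
    val=""
    for tok in $1; do
        case "$tok" in "$2"=*) val=${tok#*=} ;; esac
    done
    printf '%s\n' "$val"
}

# Print the value of key $2 from an /etc/selinux/config style file $1.
config_value() { sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1; }

# Print y when option $2 is set to y in kernel .config $1, otherwise n.
kconfig_on() { if grep -q "^$2=y\$" "$1"; then echo y; else echo n; fi; }

# selinux=0 disables SELinux; enforcing= on the command line takes precedence
# over SELINUX= in the config file.
requested_mode() {  # $1 = command line, $2 = selinux config file
    if [ "$(cmdline_param "$1" selinux)" = 0 ]; then echo disabled; return; fi
    case "$(cmdline_param "$1" enforcing)" in
        0) echo permissive; return ;;
        1) echo enforcing; return ;;
    esac
    config_value "$2" SELINUX
}

# From the kernel Kconfig help, not from the thread: permissive mode needs
# CONFIG_SECURITY_SELINUX_DEVELOP, selinux= needs CONFIG_SECURITY_SELINUX_BOOTPARAM.
check_boot() {  # $1 = command line, $2 = selinux config, $3 = kernel .config
    mode=$(requested_mode "$1" "$2")
    dev=$(kconfig_on "$3" CONFIG_SECURITY_SELINUX_DEVELOP)
    boot=$(kconfig_on "$3" CONFIG_SECURITY_SELINUX_BOOTPARAM)
    verdict=ok
    if [ "$mode" = permissive ] && [ "$dev" = n ]; then verdict=no-permissive-support; fi
    if [ -n "$(cmdline_param "$1" selinux)" ] && [ "$boot" = n ]; then verdict=selinux-param-ignored; fi
    echo "requested=$mode develop=$dev bootparam=$boot verdict=$verdict"
}

# Constructed inputs: the thread's command line and SELINUX= value, plus an
# invented kernel .config (the poster's real one is not shown on the page).
demo() {
    d=$(mktemp -d)
    printf 'SELINUX=permissive\nSELINUXTYPE=strict\n' > "$d/config"
    printf 'CONFIG_SECURITY_SELINUX_BOOTPARAM=y\n# CONFIG_SECURITY_SELINUX_DEVELOP is not set\n' > "$d/k"
    check_boot "root=PARTUUID=my-root-part-uuid ro lsm=selinux" "$d/config" "$d/k"
    rm -rf "$d"
}
demo
```

On a live system, call `check_boot "$(cat /proc/cmdline)" /etc/selinux/config /usr/src/linux/.config`, adjusting the .config path to the kernel that is actually booted.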