vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Mon Dec 16, 2024 1:50 pm | Post subject: SELinux: Unable to switch to permissive mode

Hello,
I have followed the SELinux installation guide and have now multiple times selected the SELinux profile and then de-selected it, rebuilt world and depcleaned all selinux remnants, but I always hit this same problem. It does not matter whether SELINUX=permissive is set or whether enforcing=0 is passed to the kernel. This error always stops init from running.
Code: | SELinux: Unable to switch to permissive mode: Invalid argument |
https://paste.pics/SIYEG
sMueggli (Guru) | Joined: 03 Sep 2022 | Posts: 514
Posted: Mon Dec 16, 2024 3:26 pm

How or where did you set it?
Does the kernel boot if you pass (ad-hoc) "selinux=0" to the kernel parameters?
vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Mon Dec 16, 2024 3:27 pm

Yes, the kernel boots without lsm=selinux.
I set it in /etc/selinux/config and I also tried passing enforcing=0 to the kernel.
sMueggli (Guru) | Joined: 03 Sep 2022 | Posts: 514
Posted: Mon Dec 16, 2024 3:45 pm

Can you please share your complete /etc/selinux/config?
And also the kernel parameters that you pass to the kernel?
vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Mon Dec 16, 2024 3:59 pm

Kernel parameters:
Code: | root=PARTUUID=my-root-part-uuid ro lsm=selinux |
/etc/selinux/config is standard, unchanged from the install.
Code: |
# This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=strict
|
I am at the point of the SELinux installation guide where I am supposed to reboot to label my system.
nicop (Tux's lil' helper) | Joined: 10 Apr 2014 | Posts: 103
Posted: Tue Dec 17, 2024 9:04 am

Did you set CONFIG_SECURITY_SELINUX_BOOTPARAM=y?
vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Tue Dec 17, 2024 11:10 am

Yes, I did.
Since I am at such an early stage I am considering nuking the install and starting again.
Unless it would be useful to investigate further?
nicop (Tux's lil' helper) | Joined: 10 Apr 2014 | Posts: 103
Posted: Tue Dec 17, 2024 2:10 pm

I also see 'unlabeled_t'; something has to be solved.
Hu (Administrator) | Joined: 06 Mar 2007 | Posts: 22887
Posted: Tue Dec 17, 2024 2:53 pm

Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time?
sMueggli (Guru) | Joined: 03 Sep 2022 | Posts: 514
Posted: Tue Dec 17, 2024 4:32 pm

Does adding "lsm.debug" to the kernel command line show more output?
Did you install from scratch or did you convert an existing installation?
vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Tue Dec 17, 2024 8:27 pm

Hu wrote: | Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time? |
I think I know how I got into this situation. It is an edge case. I have labelled my system directories using file_contexts.local by being overzealous with tab. I didn't realise I need selinux-dbus to get the file_contexts, as I don't want dbus on my system. Should it still prevent me from booting even after switching to the non-selinux profile, depcleaning and manually deleting all selinux remnants?
I had hoped someone had encountered something similar.
Can I nuke it and be a good person and install selinux-dbus and see how far I can get before inevitably breaking it again?
vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Sat Dec 21, 2024 10:20 am

Formatted /, followed the handbook up until I booted in. Installed only app-misc/screen and then followed the SELinux Installation guide. I am at exactly the same spot. The only thing that did not change is the kernel.
Did I make a mistake by using the H/SElinux stage3?
lsm.debug does not add anything.
Can I dump the kernel config here or is there a preferred way?
grknight (Retired Dev) | Joined: 20 Feb 2015 | Posts: 1965
Posted: Sat Dec 21, 2024 2:02 pm

vyedmic wrote: | Formatted /, followed handbook up until I booted in. Installed only app-misc/screen and then followed SELinux Installation guide. I am at exactly the same spot. Only thing that did not change is the kernel. |
Do you mean https://wiki.gentoo.org/wiki/SELinux/Installation ? If so, this guide is for an existing install that did not include an SELinux stage3 originally. The stage3 includes all of those listed steps.
From that link:
Code: | This document assumes the reader starts with an existing Gentoo Linux system which needs to be converted to Gentoo with SELinux. It is possible to make the right decisions during a Gentoo installation to immediately start with an SELinux system. However, this article is focusing on a conversion of an existing system as that is the most common approach. |
vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Sat Dec 21, 2024 3:05 pm

Thanks. I'll try again.
vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Sun Dec 22, 2024 9:51 pm

I formatted again and followed the guide to the letter using the Hardened stage 3 and then converting it to SELinux. I get exactly the same result as in the screenshot in the first post. So it does not seem to be anything I did wrong after all...
Code: | SELinux: Unable to switch to permissive mode: Invalid argument |
I tried following the below from https://wiki.gentoo.org/wiki/SELinux/Installation using the H/SELinux stage 3:
Code: | SELinux stage3 tarballs are also available and supported - this is significantly easier than performing the steps below. The tarballs can be simply unpacked onto a target system, relabel the entire system, add the initial user to the administration SELinux user and reboot. |
This is the result when I try relabelling as the above suggests:
Code: |
localhost / # rlpkg -a
Relabeling filesystem types: btrfs encfs ext2 ext3 ext4 ext4dev f2fs gfs gfs2 gpfs jffs2 jfs lustre xfs zfs
Running /sbin/setfiles /etc/selinux/strict/contexts/files/file_contexts /
/etc/selinux/strict/contexts/files/file_contexts: No such file or directory
Scanning for shared libraries with text relocations...
/usr/lib/python3.12/subprocess.py:1016: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
  self.stdout = io.open(c2pread, 'rb', bufsize)
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.
localhost / # ls -Z /etc/portage/make.conf
? /etc/portage/make.conf
localhost / # semanage login -a -s staff_u admin
libsemanage.semanage_read_policydb: Could not open kernel policy /var/lib/selinux/strict/active/policy.kern for reading. (No such file or directory).
FileNotFoundError: No such file or directory
|
I am really trying to decipher these guides, but they are proving to be full of catch-22s. How am I supposed to relabel a system when no file_contexts exists? Is it even possible to assign a user to staff_u while being booted into a Live CD kernel?
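A small pre-flight check for exactly the state this output shows, added here as an example (it is not code from the thread, from Gentoo's SELinux tooling, or from the wiki): it reads SELINUX and SELINUXTYPE from /etc/selinux/config under an optional root prefix and confirms that the policy type's file_contexts and compiled policy.kern exist, so a missing policy store is reported before rlpkg -a or semanage are run against it. The two paths are the ones the rlpkg and semanage output above report as missing, generalised from strict to whatever SELINUXTYPE names; the function names, the ROOT argument and the constructed sample tree built under mktemp are assumptions of this example, not anything the thread or the guide defines.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for a Gentoo SELinux
# conversion. Confirms that the policy store /etc/selinux/config points at is
# actually present before rlpkg/semanage are run.
# Usage: sh selinux_preflight.sh            (runs the constructed demo)
#        sh selinux_preflight.sh /mnt/gentoo (checks a mounted root)

# Print the value of KEY from a KEY=value config file. Comment lines are
# skipped, a trailing comment is dropped, surrounding double quotes are
# stripped and the last assignment wins, as in a shell-sourced file.
selinux_cfg_value() {
    cfg=$1
    key=$2
    sed -n "s/^[[:space:]]*$key=\([^[:space:]#]*\).*/\1/p" "$cfg" \
        | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Check that the SELINUXTYPE named in $ROOT/etc/selinux/config has both a
# file_contexts (what setfiles/rlpkg relabel from) and a compiled kernel
# policy (what semanage reads and what gets loaded at boot).
# Returns 0 when both exist, 1 when either is missing, 2 on a broken config.
selinux_preflight() {
    root=${1:-}
    cfg="$root/etc/selinux/config"
    if [ ! -r "$cfg" ]; then
        echo "preflight: cannot read $cfg" >&2
        return 2
    fi
    mode=$(selinux_cfg_value "$cfg" SELINUX)
    ptype=$(selinux_cfg_value "$cfg" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "preflight: SELINUX=$mode is not a valid mode" >&2; return 2 ;;
    esac
    if [ -z "$ptype" ]; then
        echo "preflight: SELINUXTYPE is not set" >&2
        return 2
    fi
    missing=0
    for f in "$root/etc/selinux/$ptype/contexts/files/file_contexts" \
             "$root/var/lib/selinux/$ptype/active/policy.kern"; do
        if [ -f "$f" ]; then
            echo "preflight: ok      $f"
        else
            echo "preflight: MISSING $f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed demo: a throwaway tree under mktemp holding only the config
# quoted in the thread (SELINUXTYPE=strict) and no policy store, then the
# same tree once the two files exist. Nothing on the real system is touched.
demo_constructed_root() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/etc/selinux"
    printf '# constructed sample config\nSELINUX=permissive\nSELINUXTYPE=strict\n' \
        > "$d/etc/selinux/config"
    echo "== fresh stage3, policy store not yet built"
    selinux_preflight "$d" || echo "== preflight failed: rlpkg/semanage would fail the same way"
    mkdir -p "$d/etc/selinux/strict/contexts/files" "$d/var/lib/selinux/strict/active"
    : > "$d/etc/selinux/strict/contexts/files/file_contexts"
    : > "$d/var/lib/selinux/strict/active/policy.kern"
    echo "== after the policy store is populated"
    selinux_preflight "$d" && echo "== preflight passed: safe to run rlpkg -a"
    rm -rf "$d"
}

case "${1:-}" in
    "") demo_constructed_root ;;
    *)  selinux_preflight "$1" ;;
esac
```

Run it with no arguments to see the constructed before/after, or pass the mount point of the install being converted (the chroot target, when booted from a live medium) to check a real tree. It only reads the config and stats two files; it never relabels anything, so it is safe to run as often as needed while working through the guide.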
vyedmic (n00b) | Joined: 02 Dec 2010 | Posts: 51
Posted: Sun Dec 29, 2024 5:17 pm

So finally success with a new-from-scratch kernel and the H/SELinux stage3, onto which selinux-dbus and selinux-policykit need to be emerged first before attempting to relabel and adding the user to staff_u.