Gentoo Forums
SELinux: Unable to switch to permissive mode
Networking & Security
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Mon Dec 16, 2024 1:50 pm    Post subject: SELinux: Unable to switch to permissive mode

Hello,

I have followed the SELinux installation guide and have now multiple times selected the SELinux profile and then de-selected it, rebuilt world and depcleaned all selinux remnants, but I always hit this same problem. It does not matter whether SELINUX=permissive is set or whether enforcing=0 is passed to the kernel. This error always stops init from running.

Code:
SELinux: Unable to switch to permissive mode: Invalid argument


https://paste.pics/SIYEG
sMueggli
Guru

Joined: 03 Sep 2022
Posts: 514

PostPosted: Mon Dec 16, 2024 3:26 pm

How or where did you set it?

Does the kernel boot if you pass (ad-hoc) "selinux=0" to the kernel parameters?
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Mon Dec 16, 2024 3:27 pm

Yes, the kernel boots without lsm=selinux.

I set it in /etc/selinux/config and I also tried passing enforcing=0 to the kernel.
sMueggli
Guru

Joined: 03 Sep 2022
Posts: 514

PostPosted: Mon Dec 16, 2024 3:45 pm

Can you please share your complete /etc/selinux/config?

And also the kernel parameters that you pass to the kernel?
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Mon Dec 16, 2024 3:59 pm

Kernel parameters:

Code:
root=PARTUUID=my-root-part-uuid ro lsm=selinux


/etc/selinux/config is standard, unchanged from the install.

Code:
# This file controls the state of SELinux on the system on boot.

# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=strict


I am at the point of SELinux installation guide where I am supposed to reboot to label my system.
nicop
Tux's lil' helper

Joined: 10 Apr 2014
Posts: 103

PostPosted: Tue Dec 17, 2024 9:04 am

Did you set CONFIG_SECURITY_SELINUX_BOOTPARAM=y?
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Tue Dec 17, 2024 11:10 am

Yes, I did.

Since I am at such an early stage, I am considering nuking the install and starting again.

Unless it would be useful to investigate further?
nicop
Tux's lil' helper

Joined: 10 Apr 2014
Posts: 103

PostPosted: Tue Dec 17, 2024 2:10 pm

I also see 'unlabeled_t'; something has to be solved.
Hu
Administrator

Joined: 06 Mar 2007
Posts: 22887

PostPosted: Tue Dec 17, 2024 2:53 pm

Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time?
sMueggli
Guru

Joined: 03 Sep 2022
Posts: 514

PostPosted: Tue Dec 17, 2024 4:32 pm

Does adding "lsm.debug" to the kernel command line show more output?

Did you install from scratch or did you convert an existing installation?
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Tue Dec 17, 2024 8:27 pm

Hu wrote:
Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time?


I think I know how I got into this situation. It is an edge case. I have labelled my system directories using file_contexts.local by being overzealous with tab. I didn't realise I needed selinux-dbus to get the file_contexts, as I don't want dbus on my system. Should it still prevent me from booting even after switching to the non-selinux profile, depcleaning and manually deleting all selinux remnants?

I had hoped someone has encountered something similar.

Can I nuke it and be a good person and install selinux-dbus and see how far I can get before inevitably breaking it again?
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Sat Dec 21, 2024 10:20 am

Formatted /, followed the handbook up until I booted in. Installed only app-misc/screen and then followed the SELinux Installation guide. I am at exactly the same spot. The only thing that did not change is the kernel.

Did I make a mistake by using the H/SELinux stage3?

lsm.debug does not add anything.

Can I dump kernel config here or is there a preferred way?
grknight
Retired Dev

Joined: 20 Feb 2015
Posts: 1965

PostPosted: Sat Dec 21, 2024 2:02 pm

vyedmic wrote:
Formatted /, followed handbook up until I booted in. Installed only app-misc/screen and then followed SELinux Installation guide. I am at exactly the same spot. Only thing that did not change is the kernel.

Do you mean https://wiki.gentoo.org/wiki/SELinux/Installation? If so, this guide is for an existing install that did not include an SELinux stage3 originally. The stage3 includes all of those listed steps.
From that link:
Code:
This document assumes the reader starts with an existing Gentoo Linux system which needs to be converted to Gentoo with SELinux. It is possible to make the right decisions during a Gentoo installation to immediately start with an SELinux system. However, this article is focusing on a conversion of an existing system as that is the most common approach.
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Sat Dec 21, 2024 3:05 pm

Thanks. I'll try again.
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Sun Dec 22, 2024 9:51 pm

I formatted again and followed the guide to the letter using Hardened stage 3 and then converting it to SELinux. I get exactly the same result as in the screenshot in the first post. So it does not seem to be anything I did wrong after all...

Code:
SELinux: Unable to switch to permissive mode: Invalid argument


I tried following the below from https://wiki.gentoo.org/wiki/SELinux/Installation using the H/SELinux stage 3.

Code:
SELinux stage3 tarballs are also available and supported - this is significantly easier than performing the steps below. The tarballs can be simply unpacked onto a target system, relabel the entire system, add the initial user to the administration SELinux user and reboot.


This is the result when I try relabelling as the above suggests:

Code:
localhost / # rlpkg -a
Relabeling filesystem types: btrfs encfs ext2 ext3 ext4 ext4dev f2fs gfs gfs2 gpfs jffs2 jfs lustre xfs zfs
Running /sbin/setfiles /etc/selinux/strict/contexts/files/file_contexts /
/etc/selinux/strict/contexts/files/file_contexts: No such file or directory
Scanning for shared libraries with text relocations...
/usr/lib/python3.12/subprocess.py:1016: RuntimeWarning: line buffering (buffering=1) isn't supported in binary mode, the default buffer size will be used
  self.stdout = io.open(c2pread, 'rb', bufsize)
0 libraries with text relocations, 0 not relabeled.
Scanning for PIE binaries with text relocations...
0 binaries with text relocations detected.

localhost / # ls -Z /etc/portage/make.conf
? /etc/portage/make.conf

localhost / # semanage login -a -s staff_u admin
libsemanage.semanage_read_policydb: Could not open kernel policy /var/lib/selinux/strict/active/policy.kern for reading. (No such file or directory).
FileNotFoundError: No such file or directory


I am really trying to decipher these guides, but they are proving to be full of catch-22s. How am I supposed to relabel a system when no file_contexts exists? Is it even possible to assign a user to staff_u while being booted into a Live CD kernel?
vyedmic
n00b

Joined: 02 Dec 2010
Posts: 51

PostPosted: Sun Dec 29, 2024 5:17 pm

So, finally, success with a new-from-scratch kernel and the H/SELinux stage3, onto which selinux-dbus and selinux-policykit need to be emerged first before attempting to relabel and adding the user to staff_u.
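The rlpkg and semanage failures quoted above, and the fix in the last post, come down to two files that must exist before the relabel reboot. The preflight below is an added example (not from this thread, the wiki, or Gentoo's tooling) that checks those two paths for the SELINUXTYPE in /etc/selinux/config and sanity-checks a kernel command line for lsm=/selinux=0; the ROOT argument defaulting to / is an assumption so it can be pointed at a mounted target such as /mnt/gentoo.

```shell
#!/bin/sh
# Added preflight for a Gentoo SELinux conversion (not from the thread or
# the wiki). Run it against the target tree before rebooting to relabel,
# e.g.  selinux_preflight /mnt/gentoo ; ROOT defaulting to / is assumed.

# Print the value of key $2 from the config file $1 (comments ignored).
selinux_cfg_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# 0 if the tree under $1 has the files rlpkg/setfiles and semanage need
# for the SELINUXTYPE named in its /etc/selinux/config, 1 otherwise.
# Each missing path is printed so the operator knows what to install.
selinux_preflight() {
    root="${1:-/}"
    cfg="$root/etc/selinux/config"
    [ -f "$cfg" ] || { echo "missing: $cfg"; return 1; }
    mode=$(selinux_cfg_value "$cfg" SELINUX)
    ptype=$(selinux_cfg_value "$cfg" SELINUXTYPE)
    rc=0
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "bad SELINUX value: '$mode'"; rc=1 ;;
    esac
    [ -n "$ptype" ] || { echo "SELINUXTYPE not set"; return 1; }
    # The two paths the thread's rlpkg and semanage runs failed on.
    for f in "etc/selinux/$ptype/contexts/files/file_contexts" \
             "var/lib/selinux/$ptype/active/policy.kern"; do
        [ -f "$root/$f" ] || { echo "missing: $root/$f"; rc=1; }
    done
    return $rc
}

# 0 if kernel command line $1 leaves SELinux enabled as an LSM, 1 if it
# disables it (selinux=0, or an lsm= list without selinux), 2 if no lsm=
# is given and the kernel's built-in CONFIG_LSM order decides.
cmdline_enables_selinux() {
    case " $1 " in *" selinux=0 "*) return 1 ;; esac
    for w in $1; do
        case "$w" in
            lsm=*) case ",${w#lsm=}," in
                       *,selinux,*) return 0 ;;
                       *) return 1 ;;
                   esac ;;
        esac
    done
    return 2
}
```

A return of 2 from cmdline_enables_selinux only means the command line is silent; CONFIG_SECURITY_SELINUX_BOOTPARAM and CONFIG_LSM in the kernel config then decide, as nicop's question above points at.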