vyedmic n00b
Joined: 02 Dec 2010 Posts: 49
|
Posted: Mon Dec 16, 2024 1:50 pm Post subject: SELinux: Unable to switch to permissive mode |
|
|
Hello,
I have followed the SELinux installation guide and have now multiple times selected the SELinux profile and then de-selected it, rebuilt world and depcleaned all SELinux remnants, but I always hit this same problem. It does not matter whether SELINUX=permissive is set or whether enforcing=0 is passed to the kernel. This error always stops init from running.
Code: | SELinux: Unable to switch to permissive mode: Invalid argument |
https://paste.pics/SIYEG |
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 513
|
Posted: Mon Dec 16, 2024 3:26 pm Post subject: |
|
|
How or where did you set it?
Does the kernel boot if you pass (ad-hoc) "selinux=0" to the kernel parameters? |
|
vyedmic n00b
Joined: 02 Dec 2010 Posts: 49
|
Posted: Mon Dec 16, 2024 3:27 pm Post subject: |
|
|
Yes, the kernel boots without lsm=selinux.
I set it in /etc/selinux/config and I also tried passing enforcing=0 to the kernel. |
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 513
|
Posted: Mon Dec 16, 2024 3:45 pm Post subject: |
|
|
Can you please share your complete /etc/selinux/config?
And also the kernel parameters that you pass to the kernel? |
|
vyedmic n00b
Joined: 02 Dec 2010 Posts: 49
|
Posted: Mon Dec 16, 2024 3:59 pm Post subject: |
|
|
Kernel parameters
Code: | root=PARTUUID=my-root-part-uuid ro lsm=selinux |
/etc/selinux/config is standard, unchanged from the install.
Code: | # This file controls the state of SELinux on the system on boot.
# SELINUX can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE can take one of these four values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
# mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level)
SELINUXTYPE=strict
|
I am at the point of SELinux installation guide where I am supposed to reboot to label my system. |
|
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 103
|
Posted: Tue Dec 17, 2024 9:04 am Post subject: |
|
|
Did you set CONFIG_SECURITY_SELINUX_BOOTPARAM=y ? |
|
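The items requested in the posts above (the contents of /etc/selinux/config, the kernel command line, and CONFIG_SECURITY_SELINUX_BOOTPARAM) can be collected in one pass. The script below is an added example, not part of any post in this thread; its function names and the .config path in the usage line are assumptions, and it also checks CONFIG_SECURITY_SELINUX_DEVELOP, which the thread does not mention but which the kernel's Kconfig help documents as the option behind permissive mode and the enforcing= parameter.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (paths are assumptions, adjust as needed):
#   sh selinux-boot-check.sh /etc/selinux/config "$(cat /proc/cmdline)" /usr/src/linux/.config

# Print the last value assigned to KEY in an /etc/selinux/config-style file.
selinux_config_value() {   # usage: selinux_config_value FILE KEY
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print the value of the last NAME=value token on a kernel command line.
cmdline_param() {          # usage: cmdline_param "CMDLINE" NAME
    _val=""
    for _tok in $1; do
        case $_tok in "$2"=*) _val=${_tok#*=} ;; esac
    done
    printf '%s\n' "$_val"
}

# Print y if OPTION=y appears in a kernel .config, otherwise n.
kconfig_enabled() {        # usage: kconfig_enabled FILE OPTION
    if grep -q "^$2=y\$" "$1"; then echo y; else echo n; fi
}

# Report the mode the boot asks for and the kernel options that request needs.
selinux_boot_report() {    # usage: selinux_boot_report CONFIG "CMDLINE" KCONFIG
    _mode=$(selinux_config_value "$1" SELINUX)
    _enf=$(cmdline_param "$2" enforcing)
    _sel=$(cmdline_param "$2" selinux)
    _missing=""
    # enforcing= on the command line overrides SELINUX= from the config file
    case $_enf in 0) _mode=permissive ;; 1) _mode=enforcing ;; esac
    # selinux=0 is only understood by kernels built with the BOOTPARAM option
    if [ "$_sel" = 0 ]; then
        _mode=disabled
        [ "$(kconfig_enabled "$3" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = y ] ||
            _missing="$_missing CONFIG_SECURITY_SELINUX_BOOTPARAM"
    fi
    # permissive mode and enforcing= both depend on the DEVELOP option
    if [ "$_mode" = permissive ] || [ -n "$_enf" ]; then
        [ "$(kconfig_enabled "$3" CONFIG_SECURITY_SELINUX_DEVELOP)" = y ] ||
            _missing="$_missing CONFIG_SECURITY_SELINUX_DEVELOP"
    fi
    printf 'requested=%s missing=%s\n' "$_mode" "${_missing# }"
}

if [ $# -eq 3 ]; then selinux_boot_report "$@"; fi
```

An empty `missing=` field means the kernel configuration supports the requested mode; any option listed there has to be enabled and the kernel rebuilt before that mode can take effect.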
vyedmic n00b
Joined: 02 Dec 2010 Posts: 49
|
Posted: Tue Dec 17, 2024 11:10 am Post subject: |
|
|
Yes I did.
Since I am in such an early stage I am considering nuking the install and starting again.
Unless it would be useful to investigate further? |
|
nicop Tux's lil' helper
Joined: 10 Apr 2014 Posts: 103
|
Posted: Tue Dec 17, 2024 2:10 pm Post subject: |
|
|
I also see 'unlabeled_t'; something has to be solved. |
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22853
|
Posted: Tue Dec 17, 2024 2:53 pm Post subject: |
|
|
Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time? |
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 513
|
Posted: Tue Dec 17, 2024 4:32 pm Post subject: |
|
|
Does adding "lsm.debug" to the kernel command line show more output?
Did you install from scratch or did you convert an existing installation? |
|
vyedmic n00b
Joined: 02 Dec 2010 Posts: 49
|
Posted: Tue Dec 17, 2024 8:27 pm Post subject: |
|
|
Hu wrote: | Starting over is rarely helpful. If you do not understand how you got into the bad situation this time, how will you avoid doing it wrong again next time? |
I think I know how I got into this situation. It is an edge case. I have labelled my system directories using file_contexts.local by being overzealous with tab. I didn't realise I need selinux-dbus to get the file_contexts as I don't want dbus on my system. Should it still prevent me from booting even after switching to non-selinux profile, depcleaning and manually deleting all selinux remnants?
I had hoped someone has encountered something similar.
Can I nuke it and be a good person and install selinux-dbus and see how far I can get before inevitably breaking it again? |
|
vyedmic n00b
Joined: 02 Dec 2010 Posts: 49
|
Posted: Sat Dec 21, 2024 10:20 am Post subject: |
|
|
Formatted /, followed handbook up until I booted in. Installed only app-misc/screen and then followed SELinux Installation guide. I am at exactly the same spot. Only thing that did not change is the kernel.
Did I make a mistake by using H/SELinux stage3?
lsm.debug does not add anything.
Can I dump kernel config here or is there a preferred way? |
|
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1960
|
Posted: Sat Dec 21, 2024 2:02 pm Post subject: |
|
|
vyedmic wrote: | Formatted /, followed handbook up until I booted in. Installed only app-misc/screen and then followed SELinux Installation guide. I am at exactly the same spot. Only thing that did not change is the kernel. |
Do you mean https://wiki.gentoo.org/wiki/SELinux/Installation ? If so, this guide is for an existing install that did not include an SELinux stage3 originally. The stage3 includes all of those listed steps.
From that link: Code: | This document assumes the reader starts with an existing Gentoo Linux system which needs to be converted to Gentoo with SELinux. It is possible to make the right decisions during a Gentoo installation to immediately start with an SELinux system. However, this article is focusing on a conversion of an existing system as that is the most common approach. |
|
vyedmic n00b
Joined: 02 Dec 2010 Posts: 49
|
Posted: Sat Dec 21, 2024 3:05 pm Post subject: |
|
|
Thanks. I'll try again. |