Results 1 to 8 of 8

Thread: selinux won't allow system services to start

  1. #1

    Default selinux won't allow system services to start

    i have selinux enabled on my system, installed all needed pkgs, policy and ...

    in the boot process i get some messages about selinux avc denied for systemd-udevd and e.g.

    this happens in enforcing mode. whay should i do? i just don't want to solve this by disabling selinux because i need it.
    thanks

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,036
    Blog Entries
    2

    Default Re: selinux won't allow system services to start

    You'll have to describe exactly what you did to switch from AppArmor to SElinux (you can't have both running same time) and the guide you're following to do the switchover, setup and configuration.

    Have you run your system in "complain" mode?
    You're supposed to do that to identify your problems and test fixes before you set "Enforce" mode.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3
    Join Date
    Sep 2012
    Posts
    5,367

    Default Re: selinux won't allow system services to start

    Quote Originally Posted by PejmanR View Post
    whay should i do? i just don't want to solve this by disabling selinux because i need it.
    You may work together with others to provide working policy or wait until someone does it.

    https://marc.info/?l=opensuse-factor...0202401790&w=2

  4. #4

    Default Re: selinux won't allow system services to start

    Quote Originally Posted by arvidjaar View Post
    You may work together with others to provide working policy or wait until someone does it.

    https://marc.info/?l=opensuse-factor...0202401790&w=2

    there are some policies in security:/selinux repo.

  5. #5
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,852

    Default Re: selinux won't allow system services to start

    Quote Originally Posted by PejmanR View Post
    i have selinux enabled on my system, installed all needed pkgs, policy and ...
    We have to assume that you've read this: <https://doc.opensuse.org/documentati...a.selinux.html>.
    • Please note that, either the less complete and less complex alternative, AppArmor can be used or, SELinux can be used but, not both

    And, that you've taken notice of the following text:
    This means that on a system that has SELinux enabled and nothing else configured, nothing will work. To allow your system to do anything, as an administrator you will need to write rules and put them in a policy.
    And, that you've taken notice of this: <https://doc.opensuse.org/documentati....compilepolicy>.
    • The minimum openSUSE SELinux reference policy …

    You should also take note of the output of “sudo sestatus -v” to verify that, you've at least got to the point where your system is running in “permissive” mode.

    Once you've got your openSUSE SELinux system up and running in the “permissive” mode, you're on your own.
    • Security at SELinux level is very much a per-system issue and, there ain't any universal solutions …


    SELinux schooling:


  6. #6

    Default Re: selinux won't allow system services to start

    Quote Originally Posted by dcurtisfra View Post
    We have to assume that you've read this: <https://doc.opensuse.org/documentati...a.selinux.html>.
    • Please note that, either the less complete and less complex alternative, AppArmor can be used or, SELinux can be used but, not both

    And, that you've taken notice of the following text:

    And, that you've taken notice of this: <https://doc.opensuse.org/documentati....compilepolicy>.
    • The minimum openSUSE SELinux reference policy …

    You should also take note of the output of “sudo sestatus -v” to verify that, you've at least got to the point where your system is running in “permissive” mode.

    Once you've got your openSUSE SELinux system up and running in the “permissive” mode, you're on your own.
    • Security at SELinux level is very much a per-system issue and, there ain't any universal solutions …


    SELinux schooling:


    do you see anything wrong in these two? what does "unconfined" mean? how to correct it? and i can't correct labels for /proc and /selinux. see these please.

    https://paste.opensuse.org/39245687

    https://paste.opensuse.org/34669363


    thanks

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    12,036
    Blog Entries
    2

    Default Re: selinux won't allow system services to start

    unconfined_u is a user class or classification, it's not necessarily a problem but intended to be informative

    https://access.redhat.com/documentat...labeling_files


    You might also find this helpful

    https://access.redhat.com/documentat...es_of_problems


    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  8. #8
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,852

    Default Re: selinux won't allow system services to start

    Quote Originally Posted by PejmanR View Post
    do you see anything wrong in these two?
    Seems to be OK for the case of an initial “permissive” system.
    • You now have to define which security you need and then, apply the appropriate configuration rules.
    • Please be aware that, SELinux is not forgiving – any mistakes made, may well lead to a system which can not be accessed in any way at all …

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •