Boot errors Setup SELinux on existing Tumbleweed

Hi All,

I have an existing Tumbleweed installation with apparmor. I wanted to setup SELinux instead of apparmor, so I followed this guide to the letter.

At step #8 (i.e. the first boot with SELinux enabled, where the system (re-)labels all files in the file system), I get errors and it fails to boot. After the errors, I had to revert all my SELinux changes.

I get some “Failed to start Relabel […mountpoint…]” from systemd.

|Time|Source|Message|
|---|---|---|
|03/10/2025 10:56|systemd|home-user-Virtualization-incus-disks-relabel.service: Main process exited, code=exited, status=255/EXCEPTION|
|03/10/2025 10:56|systemd|home-user-Virtualization-incus-disks-relabel.service: Failed with result 'exit-code'.|
|03/10/2025 10:56|systemd|Failed to start Relabel /home/user/Virtualization/incus/disks.|
|03/10/2025 10:56|systemd|Dependency failed for Mark autorelabel as done.|
|03/10/2025 10:56|systemd|mark-autorelabel-done.service: Job mark-autorelabel-done.service/start failed with result 'dependency'.|
|03/10/2025 10:56|systemd|home-user-Virtualization-incus-disks-relabel.service: Consumed 11.112s CPU time.|
|03/10/2025 10:56|systemd|home-relabel.service: Main process exited, code=exited, status=255/EXCEPTION|
|03/10/2025 10:56|systemd|home-relabel.service: Failed with result 'exit-code'.|
|03/10/2025 10:56|systemd|Failed to start Relabel /home.|
|03/10/2025 10:56|systemd|home-relabel.service: Consumed 1min 6.563s CPU time.|
|03/10/2025 10:56|systemd|Finished Relabel /timeshift.|
|03/10/2025 11:03|systemd|timeshift-relabel.service: Deactivated successfully.|
|03/10/2025 11:03|systemd|Stopped Relabel /timeshift.|
|03/10/2025 11:03|kernel|audit: type=1131 audit(1759482189.903:15): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=timeshift-relabel comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'|
|03/10/2025 11:03|dracut-pre-pivot|//lib/dracut/hooks/pre-pivot/50-selinux-microos-relabel.sh: line 125: /sysroot/etc/selinux/.autorelabel: Read-only file system|

From the boot.log I can only see that all disks/mountpoints get correctly decrypted and mounted but then the “relabel” fails:

[  OK  ] Mounted /boot/efi.
[  OK  ] Mounted /home.
         Starting Relabel /home...
[  OK  ] Mounted /timeshift.
[  OK  ] Mounted /home/user/Virtualization/incus/disks.
         Starting Relabel /home/user/Virtualization/incus/disks...
         Starting Relabel /timeshift...
[FAILED] Failed to start Relabel /home/user/Virtualization/incus/disks.
See 'systemctl status home-user-Virtualization-incus-disks-relabel.service' for details.
[DEPEND] Dependency failed for Local File Systems.
[DEPEND] Dependency failed for Mark autorelabel as done.

And FYI:

user@laptop:~$ sudo cat /etc/fstab 
[sudo] password for root: 
LABEL=root       /           ext4   defaults           0  1
LABEL=home       /home       ext4   data=ordered       0  0
LABEL=timeshift  /timeshift  btrfs  compress=zstd:8    0  0
LABEL=EFI        /boot/efi   vfat   utf8               0  2
LABEL=swap       swap        swap   defaults           0  0
LABEL=incus      /home/user/Virtualization/incus/disks  btrfs  user,nofail,users  0  0
user@laptop:~$ sudo ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts boot
<no matches>
user@laptop:~$ sudo cat /etc/default/grub
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=8
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent resume=/dev/mapper/cr_swap quiet security=selinux selinux=1 mitigations=auto"
GRUB_CMDLINE_LINUX=""
GRUB_TERMINAL="gfxterm"
GRUB_GFXMODE="auto"
GRUB_BACKGROUND=
GRUB_THEME=/boot/grub2/themes/openSUSE/theme.txt
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
GRUB_USE_LINUXEFI="true"
GRUB_DISABLE_OS_PROBER="false"
GRUB_ENABLE_CRYPTODISK="y"
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16"
user@laptop:~$

Any ideas very much appreciated!

Do you have read-only btrfs subvolumes anywhere?

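A way to check for that condition up front, as an added example that is not part of this thread and not code from openSUSE or its relabel script: a relabel has to write the `security.selinux` xattr on every inode, and on a btrfs subvolume whose `ro` property is true that write fails. The script below reads `/etc/fstab` for btrfs mounts, enumerates the subvolumes of each filesystem with the real btrfs-progs commands `btrfs subvolume list <mnt>` and `btrfs property get -ts <path> ro`, and reports the ones with `ro=true`. The function names, the injectable `runner` and the sample fstab text are mine; it assumes each btrfs mountpoint mounts the filesystem's top-level subvolume (no `subvol=` option), as the fstab in this thread does.

```python
"""Check btrfs mountpoints for read-only subvolumes before an SELinux autorelabel.

Added example for this thread, not openSUSE code. Runs the real btrfs-progs
commands; the command runner is injectable so the parsing can be exercised
without root.
"""
import subprocess
import sys
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]


def run(cmd: List[str]) -> str:
    """Default runner: execute the command and return its stdout (needs root)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def btrfs_mountpoints(fstab_text: str) -> List[str]:
    """Return the mountpoints of all btrfs entries in an fstab."""
    mounts = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#") and fields[2] == "btrfs":
            mounts.append(fields[1])
    return mounts


def parse_subvolume_list(output: str) -> List[str]:
    """Parse 'btrfs subvolume list' lines such as
    'ID 257 gen 1234 top level 5 path snapshots/2025-10-03' into the path column.
    Paths are relative to the top-level subvolume, so joining them to the
    mountpoint assumes the mountpoint mounts the top level (assumption)."""
    paths = []
    for line in output.splitlines():
        _head, sep, path = line.partition(" path ")
        if sep:
            paths.append(path.strip())
    return paths


def is_read_only(prop_output: str) -> bool:
    """'btrfs property get -ts <path> ro' prints 'ro=true' or 'ro=false'."""
    for line in prop_output.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "ro":
            return value.lower() == "true"
    return False


def find_ro_subvolumes(mountpoints: List[str], runner: Runner = run) -> Dict[str, List[str]]:
    """Map each btrfs mountpoint to the full paths of its read-only subvolumes."""
    result: Dict[str, List[str]] = {}
    for mnt in mountpoints:
        listing = runner(["btrfs", "subvolume", "list", mnt])
        ro_paths = []
        for rel in parse_subvolume_list(listing):
            full = mnt.rstrip("/") + "/" + rel
            if is_read_only(runner(["btrfs", "property", "get", "-ts", full, "ro"])):
                ro_paths.append(full)
        result[mnt] = ro_paths
    return result


if __name__ == "__main__":
    # Mountpoints given on the command line win; otherwise take btrfs entries from fstab.
    with open("/etc/fstab") as f:
        mounts = sys.argv[1:] or btrfs_mountpoints(f.read())
    found = find_ro_subvolumes(mounts)
    for mnt, subvols in found.items():
        status = "ok" if not subvols else f"{len(subvols)} read-only subvolume(s)"
        print(f"{mnt}: {status}")
        for path in subvols:
            print(f"    {path}")
    # Non-zero exit when anything read-only was found, so the check can gate the relabel.
    sys.exit(1 if any(found.values()) else 0)
```

Run it as root before creating `/etc/selinux/.autorelabel`; a non-zero exit means the relabel would hit a subvolume it cannot write, and the listed paths are what to make writable (or exclude) first.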

You were right, there was this read-only btrfs subvolume that I don’t remember creating.

In any case, after I deleted that, the relabeling worked and the machine booted!

Now I am at step 9 and I am getting 9 SELinux alerts/errors for iptables, xtables-legacy, ip6tables and portmaster-core. All of them suggest reporting them as bugs, so I have some work to do before hitting “SELINUX=enforcing”.

user@laptop:~$ sudo ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts boot
[sudo] password for root: 
----
time->Fri Oct  3 18:18:34 2025
type=AVC msg=audit(1759508314.881:83): avc:  denied  { nnp_transition } for  pid=1952 comm="iptables" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=1
----
time->Fri Oct  3 18:18:34 2025
type=AVC msg=audit(1759508314.951:119): avc:  denied  { nnp_transition } for  pid=2009 comm="xtables-legacy-" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kmod_t:s0 tclass=process2 permissive=1
----
time->Fri Oct  3 18:18:34 2025
type=AVC msg=audit(1759508314.958:122): avc:  denied  { nnp_transition } for  pid=2011 comm="ip6tables" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process2 permissive=1
----
time->Fri Oct  3 18:18:44 2025
type=AVC msg=audit(1759508324.197:175): avc:  denied  { name_connect } for  pid=1686 comm="portmaster-core" dest=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Oct  3 18:18:49 2025
type=AVC msg=audit(1759508329.554:199): avc:  denied  { name_connect } for  pid=1686 comm="portmaster-core" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
----
time->Fri Oct  3 18:18:59 2025
type=AVC msg=audit(1759508339.197:231): avc:  denied  { create } for  pid=1686 comm="portmaster-core" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=1
----
time->Fri Oct  3 18:18:59 2025
type=AVC msg=audit(1759508339.197:232): avc:  denied  { setopt } for  pid=1686 comm="portmaster-core" lport=61 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=1
----
time->Fri Oct  3 18:18:59 2025
type=AVC msg=audit(1759508339.198:233): avc:  denied  { connect } for  pid=1686 comm="portmaster-core" lport=61 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=1
----
time->Fri Oct  3 18:18:59 2025
type=AVC msg=audit(1759508339.198:234): avc:  denied  { getattr } for  pid=1686 comm="portmaster-core" laddr=127.0.0.1 lport=61 faddr=127.65.67.75 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=1
----
time->Fri Oct  3 18:19:01 2025
type=AVC msg=audit(1759508341.446:236): avc:  denied  { name_connect } for  pid=1686 comm="portmaster-core" dest=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1

For both problems open bug reports (two bug reports, because they are different and independent).

Read-only subvolumes are not new, but so far it was “fixed” by adding exceptions for the specific filesystems and snapshot locations. This whack-a-mole obviously does not scale. Some more generic solution is needed.

https://en.opensuse.org/openSUSE:Bugreport_SELinux


FYI, for the read-only subvolume I reported my issue under a similar bug report here.

That is exactly this whack-a-mole I meant.
