SELinux initial steps failing (?)

Dear all,

after upgrading from 15.6 to 16.0 and installing and activating SELinux as described in Portal:SELinux/Setup I have an issue that after touch /.autorelabel

(1) On every boot SELinux: relabeling root filesystem is running, throwing three /sbin/setfiles: conflicting specifications all of them on hard links (files have the same inode)

(2) After boot /sbin/restorecon is running in the background.

(3) while for some boots the command

ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts boot

returned nothing, now I am getting

type=AVC msg=audit(1779561826.073:38): avc:  denied  { sys_admin } for  pid=1580 comm="switcheroo-cont" capability=21  scontext=system_u:system_r:switcheroo_control_t:s0 tcontext=system_u:system_r:switcheroo_control_t:s0 tclass=capability permissive=1

which is strange, as the system has only one graphics card.

Is this how relabeling should work? My understanding was that this is a one-time procedure. What am I doing wrong and how can I resolve the “conflicting specifications” messages?
Also what should I do about the AVC message? Create a module to allow it, or just ignore it since I do not really need switcheroo in this installation?

Best regards,

George

Deinstall switcheroo and taboo it:

 LANG=C zypper ll

# | Name                 | Type    | Repository | Comment
--+----------------------+---------+------------+--------
1 | ^openSUSE-repos-Lea* | package | (any)      | 
2 | ^switchero*          | package | (any)      | 
3 | switcheroo-control   | package | (any)      | 


Hello Stephan

# zypper se switcheroo
Refreshing service 'NVIDIA'.
Refreshing service 'openSUSE'.
Loading repository data...
Reading installed packages...

S  | Name                   | Summary                                              | Type
---+------------------------+------------------------------------------------------+-----------
   | switcheroo             | Convert and manipulate images                        | srcpackage
   | switcheroo             | Convert and manipulate images                        | package
   | switcheroo-control     | D-Bus service to check the availability of dual GPUs | srcpackage
i  | switcheroo-control     | D-Bus service to check the availability of dual GPUs | package
   | switcheroo-control-doc | Documentation for switcheroo-control                 | package
   | switcheroo-lang        | Translations for package switcheroo                  | package

so the problem is caused by switcheroo-control, which seems to be legitimate.

Best regards,

George

Only need switcheroo if you have more than one GPU.

As root:
deinstall:

zypper rm switcheroo-control

now block it (set a lock on it):

zypper al switcheroo-control

See now

zypper ll

It is locked


# | Name               | Type    | Repository | Comment
--+--------------------+---------+------------+--------
1 | switcheroo-control | package | (any)      | 

I rebooted and

# ausearch -m avc,user_avc,selinux_err,user_selinux_err -ts boot
<no matches>

so the switcheroo-control issue has gone. This did not change the scanning of / as part of dracut-pre-pivot:

May 24 16:19:56 hostname systemd[1]: Starting dracut pre-pivot and cleanup hook...
May 24 16:19:56 hostname dracut-pre-pivot[903]: SELinux: relabeling root filesystem
May 24 16:19:56 hostname dracut-pre-pivot[903]: SELinux: mount root read-write and relabel
May 24 16:20:04 hostname dracut-pre-pivot[926]: /sbin/setfiles: conflicting specifications for /usr/lib64/FreeCAD/Mod/CAM/Path/Post/scripts/__init__.py and /usr/lib64/FreeCAD/Mod/Assembly/AssemblyTests/__init__.py, using system_u:object_r:lib_t:s0.
May 24 16:20:10 hostname dracut-pre-pivot[926]: /sbin/setfiles: conflicting specifications for /usr/bin/blender-thumbnailer and /usr/bin/blender-thumbnailer-4.5, using system_u:object_r:bin_t:s0.
May 24 16:21:28 hostname dracut-pre-pivot[926]: /sbin/setfiles: conflicting specifications for /usr/share/sgml/docbook/dsssl-stylesheets-1.79/doc/lib/ChangeLog and /usr/share/sgml/docbook/dsssl-stylesheets-1.79/docsrc/htmlpr/ChangeLog, using system_u:object_r:usr_t:s0.
May 24 16:22:09 hostname systemd[1]: Finished dracut pre-pivot and cleanup hook.
May 24 16:22:09 hostname systemd[1]: dracut-pre-pivot.service: Deactivated successfully.
May 24 16:22:09 hostname systemd[1]: Stopped dracut pre-pivot and cleanup hook.

which takes 2:13 to complete. And after login I can observe restorecon running for a while:

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
   1754 root      20   0 1136260 195012   7976 S 40.87 0.148   5:00.80 restorecon
   2046 root      20   0  289320   5884   3700 S 4.652 0.004   0:35.57 rsyslogd
   1190 root      20   0  291872 230400 228584 S 4.319 0.175   0:39.26 systemd-journal

Best regards,

George
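
The setfiles messages quoted in this thread can be checked against the filesystem. The following is an added example, not part of any post in the thread: it parses journal lines of that form and reports whether each reported pair of paths is one inode (a hard link), two separate files, or no longer present. The function names and the scratch files in the demo are constructed for illustration.

```python
import os
import re
import tempfile

# Message format taken from the setfiles journal lines quoted in the thread.
CONFLICT_RE = re.compile(
    r"setfiles: conflicting specifications for (?P<a>.+?) and (?P<b>.+?), "
    r"using (?P<label>\S+?)\.?\s*$"
)

def parse_conflicts(lines):
    """Yield (path_a, path_b, label) for every setfiles conflict line."""
    for line in lines:
        m = CONFLICT_RE.search(line)
        if m:
            yield m["a"], m["b"], m["label"]

def classify(path_a, path_b):
    """Return 'hardlink', 'distinct' or 'missing' for a reported pair."""
    try:
        # lstat: compare the directory entries themselves, not symlink targets.
        sa, sb = os.lstat(path_a), os.lstat(path_b)
    except OSError:
        return "missing"
    same = (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)
    return "hardlink" if same else "distinct"

def report(lines):
    """Return [(path_a, path_b, label_setfiles_used, classification), ...]."""
    return [(a, b, label, classify(a, b))
            for a, b, label in parse_conflicts(lines)]

if __name__ == "__main__":
    # Constructed sample: two names for one inode in a scratch directory.
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "tool"), os.path.join(d, "tool-4.5")
        open(a, "w").close()
        os.link(a, b)
        sample = [
            "May 24 16:20:10 hostname dracut-pre-pivot[926]: /sbin/setfiles: "
            f"conflicting specifications for {a} and {b}, "
            "using system_u:object_r:bin_t:s0.",
        ]
        for row in report(sample):
            print(row)
```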
