selinux-policy setup error with SLES15 SP2

Hi,

I am setting up selinux-policy on SLES 15 SP 2 and setup is failing to reboot after setup.

  1. zypper addrepo https://download.opensuse.org/repositories/security:SELinux/SLE_15_SP2/security:SELinux.repo
  2. zypper refresh
  3. zypper install selinux-policy
  4. zypper search -s selinux

S | Name | Type | Version | Arch | Repository
--+-------------------------+------------+---------------+--------+--------------------------------------
i | container-selinux | package | 2.154.0-11.3 | noarch | SELinux (SLE_15_SP1)
| container-selinux | srcpackage | 2.154.0-11.3 | noarch | SELinux (SLE_15_SP1)
| libselinux | srcpackage | 3.1-147.1 | noarch | SELinux (SLE_15_SP1)
| libselinux-bindings | srcpackage | 3.1-158.1 | noarch | SELinux (SLE_15_SP1)
i+ | libselinux-devel | package | 3.1-147.1 | x86_64 | SELinux (SLE_15_SP1)
v | libselinux-devel | package | 3.0-1.31 | x86_64 | SLE-Module-Basesystem15-SP2-Pool
| libselinux-devel-static | package | 3.1-147.1 | x86_64 | SELinux (SLE_15_SP1)
i+ | libselinux1 | package | 3.1-147.1 | x86_64 | SELinux (SLE_15_SP1)
v | libselinux1 | package | 3.0-1.31 | x86_64 | SLE-Module-Basesystem15-SP2-Pool
i+ | libselinux1-32bit | package | 3.0-1.31 | x86_64 | SLE-Module-Basesystem15-SP2-Pool
i+ | python3-selinux | package | 3.1-158.1 | x86_64 | SELinux (SLE_15_SP1)
v | python3-selinux | package | 3.0-1.20 | x86_64 | SLE-Module-Basesystem15-SP2-Pool
| ruby-selinux | package | 3.1-158.1 | x86_64 | SELinux (SLE_15_SP1)
| ruby-selinux | package | 3.0-bp152.1.6 | x86_64 | SUSE-PackageHub-15-SP2-Backports-Pool
i | selinux-autorelabel | package | 3.1-6.1 | noarch | SELinux (SLE_15_SP1)
| selinux-autorelabel | srcpackage | 3.1-6.1 | noarch | SELinux (SLE_15_SP1)
i | selinux-policy | package | 20210111-85.2 | noarch | SELinux (SLE_15_SP1)
| selinux-policy | srcpackage | 20210111-85.2 | noarch | SELinux (SLE_15_SP1)
| selinux-policy-devel | package | 20210111-85.2 | noarch | SELinux (SLE_15_SP1)
| selinux-policy-doc | package | 20210111-85.2 | noarch | SELinux (SLE_15_SP1)
| selinux-policy-minimum | package | 20210111-85.2 | noarch | SELinux (SLE_15_SP1)
| selinux-policy-mls | package | 20210111-85.2 | noarch | SELinux (SLE_15_SP1)
| selinux-policy-sandbox | package | 20210111-85.2 | noarch | SELinux (SLE_15_SP1)
i+ | selinux-policy-targeted | package | 20210111-85.2 | noarch | SELinux (SLE_15_SP1)
v | selinux-tools | package | 3.1-147.1 | x86_64 | SELinux (SLE_15_SP1)
i+ | selinux-tools | package | 3.0-1.31 | x86_64 | SLE-Module-Basesystem15-SP2-Pool

  1. selinux-ready
    Start checking your system if it is selinux-ready or not:
    check_dir: OK. /selinux exists.
    check_filesystem: OK. Filesystem ‘securityfs’ exists.
    **check_filesystem: ERR. Filesystem ‘selinuxfs’ is missing. Please enable SELinux while compiling the kernel.**
    check_boot: Assuming GRUB2 as bootloader.
    check_boot: OK. Current kernel ‘vmlinuz-4.12.14-195-default’ has boot-parameters ‘security=selinux selinux=1’
    check_boot: OK. Other kernels with correct parameters: vmlinuz-4.12.14-195-default
    check_mkinitrd: OK. Your initrd seems to be correct.
    check_packages: OK. All essential packages are installed
    check_config: OK. Config file seems to be there.
    check_config: OK. SELINUX is set to ‘permissive’.
    check_pam: OK. Your PAM configuration seems to be correct.
    check_runlevel: OK. restorecond is enabled on your system
  2. Add following parameters to “/etc/default/grub”
    security=selinux selinux=1 enforcing=0
  3. Reboot hangs

Any help here would be greatly appreciated.

Thanks

Sorry, but these are the openSUSE forums, not the SLES/SLED forums.

They are at http://forums.suse.com/
Same username/password as here.

[Ashish]: My query is related to opensuse selinux policy. Basically selinux-policy that is now available on OpenSUSE is failing.

I am not sure: shouldn’t you prove that on openSUSE instead of SLES?

In any case, there will not be many people reading the forums that have experience with SLED/SLES, that is why I am asking if this is your best place to find help.

Oh and BTW regarding you posting computer code:

There is an important, but not easy to find feature on the forums.

Please in the future use CODE tags around copied/pasted computer text in a post. It is the # button in the tool bar of the post editor. When applicable copy/paste complete, that is including the prompt, the command, the output and the next prompt.

An example is here: Using CODE tags Around your paste.

This seems to be strange

Yes, this is confusing …

  • Maybe an openSUSE Bug Report requesting clarity with respect to SLE 15 SELinux packages being available from the openSUSE repositories …

Hi
Many SLE packages are developed on the build service, nothing unusual, supported if installed on a SLE system, that would be a no :wink:

Meaning, the packages are being built on OBS (with OpenQA) but, despite being “published” on the openSUSE servers, they’re not supported by SUSE if they’re installed from the openSUSE repositories – If they’re to be (SLE) supported, they have to be installed from the SUSE servers …

  • Or, am I misinterpreting your answer?

Hi
Correct, the vendor is SUSE if from officially subscribed repositories… for security, compliance reasons etc, must be built/rebuilt on the SUSE private build system :wink:

Regarding the actual problem…
As the error says, you haven’t modified your GRUB boot entry as required yet.

You’ll find that same requirement in the openSUSE documentation for setting up SELinux…

https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-selinux.html

TSU
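
The thread touches three separate places where the SELinux boot setup can stop: the parameters in /etc/default/grub, the parameters the running kernel actually received, and whether the kernel registered selinuxfs. The script below is an added example, not part of any post in the thread; it checks the three in order. The function names and verdict strings are assumptions made for illustration, and the required parameters are the ones quoted in the original post.

```shell
#!/bin/sh
# Added example (not from the thread): report where the SELinux boot setup stops.
REQUIRED="security=selinux selinux=1"

# Print the kernel parameters set in a GRUB2 defaults file; commented-out
# lines are skipped because the pattern must match from the line start.
grub_cmdline() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX\(_DEFAULT\)\{0,1\}=//p' "$1" |
        tr -d "\"'" | tr '\n' ' '
}

# Print the REQUIRED parameters that are absent from the string in $1.
missing_params() {
    out=""
    for want in $REQUIRED; do
        found=no
        for have in $1; do
            if [ "$have" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then out="$out $want"; fi
    done
    printf '%s' "${out# }"
}

# diagnose GRUB_DEFAULTS CMDLINE FILESYSTEMS: print a one-line verdict.
diagnose() {
    cfg=$(missing_params "$(grub_cmdline "$1")")
    run=$(missing_params "$(cat "$2")")
    if [ -n "$cfg" ]; then
        echo "defaults-missing: $cfg"   # parameters not in the defaults file
    elif [ -n "$run" ]; then
        echo "not-active: $run"         # grub.cfg not regenerated, or no reboot yet
    elif ! grep -qw selinuxfs "$3"; then
        echo "no-selinuxfs"             # parameters arrived, kernel has no selinuxfs
    else
        echo "ok"
    fi
}

# Live use: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    diagnose /etc/default/grub /proc/cmdline /proc/filesystems
fi
```

A `not-active` verdict after editing /etc/default/grub usually means the boot menu was not regenerated (on SUSE systems, `grub2-mkconfig -o /boot/grub2/grub.cfg`) or the machine has not been rebooted since.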