selinux won't allow system services to start

I have SELinux enabled on my system, installed all needed pkgs, policy and …

In the boot process I get some messages about SELinux AVC denied for systemd-udevd and e.g.

This happens in enforcing mode. What should I do? I just don’t want to solve this by disabling SELinux because I need it.
thanks

You’ll have to describe exactly what you did to switch from AppArmor to SELinux (you can’t have both running at the same time) and the guide you’re following to do the switchover, setup and configuration.

Have you run your system in “complain” mode?
You’re supposed to do that to identify your problems and test fixes before you set “Enforce” mode.

TSU
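An added example (not part of the thread or any poster's code): in the non-enforcing mode recommended above, which SELinux calls permissive, denials are logged with `permissive=1` instead of being blocked. This Python script groups AVC records by process and type pair to show which rules are missing before enforcing is turned on; the log lines are constructed samples, and `summarize` and `selinux_type` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel's AVC audit format (not from the thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1565602024.101:31): avc:  denied  { read } for  pid=312 comm="systemd-udevd" name="uevent" dev="sysfs" ino=1234 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1565602024.105:32): avc:  denied  { open } for  pid=312 comm="systemd-udevd" path="/sys/devices/uevent" dev="sysfs" ino=1234 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1565602030.400:40): avc:  denied  { write } for  pid=401 comm="systemd-logind" name="sessions" dev="tmpfs" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1565602030.400:40): arch=c000003e syscall=257 success=no exit=-13
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bcomm="(?P<comm>[^"]+)"'
    r'.*?\bscontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (comm, source type, target type, class)."""
    groups = defaultdict(
        lambda: {"perms": set(), "blocked": 0, "logged_only": 0, "unknown": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        key = (m["comm"], selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        entry = groups[key]
        entry["perms"].update(m["perms"].split())
        # permissive=1: access was allowed and only logged; 0: actually denied.
        # Records without the field (older kernels) are counted as unknown.
        state = {"1": "logged_only", "0": "blocked", None: "unknown"}[m["permissive"]]
        entry[state] += 1
    return dict(groups)

if __name__ == "__main__":
    for (comm, src, tgt, cls), e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }} "
              f"blocked={e['blocked']} logged_only={e['logged_only']}")
```

Groups that still show `logged_only` counts are the ones that would start failing once the system is switched to enforcing.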

You may work together with others to provide working policy or wait until someone does it.

https://marc.info/?l=opensuse-factory&m=156560202401790&w=2

There are some policies in the security:/selinux repo.

We have to assume that you’ve read this: <https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.selinux.html>.

  • Please note that, either the less complete and less complex alternative, AppArmor
    can be used or, SELinux can be used but, not both

And, that you’ve taken notice of the following text:

This means that on a system that has SELinux enabled and nothing else configured, nothing will work. To allow your system to do anything, as an administrator you will need to write rules and put them in a policy.

And, that you’ve taken notice of this: <https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.selinux.html#sec.selinux.compilepolicy>.

  • The minimum openSUSE SELinux reference policy …

You should also take note of the output of “sudo sestatus -v” to verify that, you’ve at least got to the point where your system is running in “permissive” mode.
Once you’ve got your openSUSE SELinux system up and running in the “permissive” mode, you’re on your own.

  • Security at SELinux level is very much a per-system issue and, there ain’t any universal solutions …

SELinux schooling:

Do you see anything wrong in these two? What does “unconfined” mean? How to correct it? And I can’t correct labels for /proc and /selinux. See these please.

https://paste.opensuse.org/39245687

https://paste.opensuse.org/34669363

thanks

unconfined_u is a user class or classification; it’s not necessarily a problem but is intended to be informative.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files

You might also find this helpful

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-troubleshooting-top_three_causes_of_problems

TSU

Seems to be OK for the case of an initial “permissive” system.

  • You now have to define which security you need and then, apply the appropriate configuration rules.
  • Please be aware that SELinux is not forgiving – any mistakes made may well lead to a system which cannot be accessed in any way at all …