# SELinux boot stuck and asking for relabeling in enforcement mode

I compiled reference policy and relabeled properly, but when I'm in permissive mode there is no problem; the problem only comes under enforcement mode. I tried many ways, disabling dont denials etc., but I couldn't find the exact boot when it is in enforcement mode. Please find the error below.

Error:

```
[FAILED] Failed to start Create Volatile Files and Directories.
See 'systemctl status systemd-tmpfiles-setup.service' for details .
Starting Network Time Synchronization....
Starting Update UTMP about System Boot/Shutdown....
[ OK ] Started Update UTMP about System Boot/Shutdown..
[FAILED] Failed to start Network Time Synchronization..
See 'systemctl status systemd-timesyncd.service' for details..
[ OK ] Stopped Network Time Synchronization..
Starting Network Time Synchronization....
[FAILED] Failed to start Network Time Synchronization..
See 'systemctl status systemd-timesyncd.service' for details.
[ OK ] Stopped Network Time Synchronization..
Starting Network Time Synchronization....
[FAILED] Failed to start Network Time Synchronization..
See 'systemctl status systemd-timesyncd.service' for details..
[ OK ] Stopped Network Time Synchronization..
Starting Network Time Synchronization....
[FAILED] Failed to start Network Time Synchronization..
See 'systemctl status systemd-timesyncd.service' for details..
[ OK ] Stopped Network Time Synchronization..
[ OK ] Started ntp-systemd-netif.service..
Starting Relabel all filesystems....
[ OK ] Reached target System Time Synchronized..

* Warning -- SELinux refpolicy policy relabel is required..
Relabeling could take a very long time, depending on file.
*
* system size and speed of hard drives..
```




@rammohanreddy, you say:

> I compiled reference policy and relabeled properly

Am I getting this right, you've compiled new reference policy? Couldn't you just use default one that comes preinstalled with Fedora and ready to use?

( 2019-04-03 11:54:12 -0600 )

Okay, can we compile and use this reference policy for a Debian (Ubuntu) distribution?

Thanks,

( 2019-04-03 12:13:24 -0600 )

I don't think that would be easy. Ubuntu/Debian don't use SELinux, they use another system that provides similar features (AppArmor, if I'm not mistaken, at least for Ubuntu). I'm quite sure it will be hard to force SELinux on a system that doesn't expect it -- and wasn't specifically taught to deal with it. I may be wrong, of course, I can't say I understand SELinux that well -- just some of the user-facing basics.

What exactly do you want to achieve, maybe there are some other options than compiling your own SELinux policies and forcing it on Debian?

( 2019-04-04 01:44:46 -0600 )

I'm trying on an Ubuntu machine. I installed the apt-repository package of the SELinux default policy and it's working fine, but my goal is to compile reference policy and enforce rules. Here I succeeded in compiling reference policy, but when enforcing rules I'm getting the above problem...

( 2019-04-04 01:58:27 -0600 )

If you're doing this on an Ubuntu machine, you should be asking for help at the Ubuntu Forum, not here.

( 2019-04-04 02:19:29 -0600 )


When in permissive mode, SELinux will not enforce security rules, so it will allow the system to work; it will only log all rule faults. So in permissive mode you can look into the log to correct your issues. It is not recommended to work in permissive mode. When it is set to enforce and asks for a relabel, it means that somehow your OS has changed the SELinux settings, and since you worked under permissive mode you may have done something that changed your system.

What you need to do is create a file called .autorelabel in the / folder; to do so, run `touch /.autorelabel`. After this, change your SELinux to enforce and reboot the machine. This will set the SELinux rules on your system, and after that you can always work with SELinux enabled. If for some reason something does not work after that, check your log files and use the SELinux tools to fix the issue.


Thanks for your reply. I tried everything you suggested, but I couldn't solve that error. Even if I create /.autorelabel, that relabeling happens... Is there any other way I should try?

( 2019-04-03 11:12:56 -0600 )

The autorelabel must happen, and you need to let it finish on the next reboot so it can fix your issues. After it has completed the relabel, it should not ask for it on the next reboot. After it finishes and the machine is rebooted, you could remove the autorelabel file and it should work.

( 2019-04-03 20:49:04 -0600 )
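
Added example, not part of the original thread or of any SELinux tool: the answer above suggests reading the log from a permissive boot, and this sketch groups AVC denials by source domain, target type and class, then flags targets still labeled `unlabeled_t`, which points at an incomplete relabel or a file-contexts mismatch. The log lines and the type names in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel AVC audit format (not from the post).
SAMPLE_LOG = """\
type=AVC msg=audit(1554300001.101:31): avc:  denied  { write } for  pid=301 comm="systemd-tmpfile" name="run" dev="sda1" ino=131 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1554300001.102:32): avc:  denied  { add_name create } for  pid=301 comm="systemd-tmpfile" name="lock" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1554300001.102:32): arch=c000003e syscall=83 success=yes exit=0
type=AVC msg=audit(1554300002.410:40): avc:  denied  { read } for  pid=322 comm="systemd-timesyn" name="clock" dev="sda1" ino=977 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        entry = groups[key]
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
        comm = COMM_RE.search(line)
        if comm:
            entry["comms"].add(comm.group(1))
    return dict(groups)


def labeling_suspects(summary):
    """Denials whose target has no valid label: fix labels before writing rules."""
    return sorted(key for key in summary if key[1] == "unlabeled_t")


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, entry in sorted(result.items()):
        print(key, sorted(entry["perms"]), entry["count"], sorted(entry["comms"]))
    print("relabel suspects:", labeling_suspects(result))
```
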