2

How do you debug selinux boot interruptions?

asked 2013-09-16 14:29:38 -0600

gusennan

updated 2013-09-24 12:37:38 -0600

Today I updated packages and after a reboot Fedora hung after grub2-efi launched while the Fedora logo was filling up on the screen. After removing the kernel parameters "quiet" and "rhgb" I saw that there was an SELinux message and a SIGTERM that caused the kernel initialization to freeze. I googled a bit and experimented with disabling SELinux via a kernel parameter and this allowed Fedora and the GNOME shell to launch. Searching for what may have caused SELinux to interrupt the kernel initialization process, I searched through /var/log/messages for "avc" but did not find any.

Right now, the only way that the kernel and gnome are loading is when I'm passing "selinux=0" as a kernel parameter upon boot. I'd prefer not to do this as I like to have a secure system. How does one go about finding more information about what could be causing this problem and how to address it so I can re-enable selinux?

Update 1: Thank you for the idea about journalctl and other suggestions. Below is the result of searching the audit.log and journalctl. Is there anything here that stands out?

sudo cat /var/log/audit/audit.log | ack -i selinux
type=USER_CMD msg=audit(1379357266.845:447): pid=2265 uid=1000 auid=1000 ses=1  msg='cwd="/etc/selinux" cmd=76696D20636F6E666967 terminal=pts/0 res=success'
type=USER_CMD msg=audit(1379357279.232:452): pid=2273 uid=1000 auid=1000 ses=1  msg='cwd="/etc/selinux" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1379942915.981:668): pid=6594 uid=1000 auid=1000 ses=1  subj=kernel msg='cwd="/etc/selinux" cmd=677265702053454C696E75782069732070726576656E74696E67202F7661722F6C6F672F6D65737361676573 terminal=pts/0 res=success'

Below are some logs that I ran over journalctl with the following command for the current day. I turned SELINUX off and booted, turned it on and tried to boot (unsuccessfully), and turned it back off to run this command:

 journalctl | ack -i selinux
9月 23 15:25:31 localhost.localdomain /usr/bin/sealert[6439]: SELinux not enabled, sealert will not run on non SELinux systems
9月 23 15:28:35 localhost.localdomain sudo[6594]: dufu : TTY=pts/0 ; PWD=/etc/selinux ; USER=root ; COMMAND=/bin/grep SELinux is preventing /var/log/messages
9月 23 15:29:43 localhost.localdomain kernel: SELinux:  Initializing.
9月 23 15:29:43 localhost.localdomain kernel: SELinux:  Starting in permissive mode
9月 23 15:29:43 localhost.localdomain kernel: SELinux:  Registering netfilter hooks
9月 23 15:29:43 localhost.localdomain systemd[1]: systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
9月 23 15:29:46 localhost.localdomain systemd[1]: systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
9月 23 15:29:58 localhost.localdomain gnome-session[1178]: SELinux Troubleshooter: Applet requires SELinux be enabled to run.
9月 23 15:30:45 localhost.localdomain sudo[2238]: dufu : TTY=pts/0 ; PWD=/home/dufu ; USER=root ; COMMAND=/bin ...

Comments

1

Just for the comfort until it is solved... Add "selinux=0" to your /etc/default/grub: GRUB_CMDLINE_LINUX="...." and rebuild grub.cfg. Or try: setenforce Permissive

sea ( 2013-09-16 16:43:28 -0600 )

Thanks, by changing /etc/selinux/config's "setenforce" to permissive I don't need to pass a kernel parameter, which does ease usage until I figure out what the root problem is.

gusennan ( 2013-09-17 02:48:13 -0600 )
1

Once you're logged in, run the SELinux Troubleshooter and see what, if anything, it reports.

sideburns ( 2013-09-22 19:38:54 -0600 )

Does SELinux need to be on to run the SELinux troubleshooter? Unfortunately I can't boot into the system with SELinux on.

gusennan ( 2013-09-23 08:49:26 -0600 )

Once you're logged in with it turned off, try setting it to permissive mode by editing /etc/selinux/config as root, then reboot. That will make sure that you get the alerts you need without actually stopping anything.

sideburns ( 2013-09-23 12:24:59 -0600 )

3 Answers

2

answered 2013-09-24 03:30:54 -0600

polarfish

All that I know about configuring SELinux policies, I have gotten from this video and till now it was enough for me. Maybe it could be helpful for you too.

PS Length: 52mins, Title: 2012 Red Hat Summit: SELinux For Mere Mortals

2

answered 2013-09-30 04:42:10 -0600

none

I think the problem is related to initrd, but I can be wrong, so. Get rid of selinux=0 and use enforcing=0. This will turn on SELinux, but in permissive mode. Next you should be able to log in, and then try this: ausearch -m avc | tail -20 and show us these errors.

As others suggest, you could try: touch /.autorelabel; reboot - this will fix all SELinux problems related to file contexts.

I think that there are some problems in initrd that prevent SELinux from loading policy. I would recommend you to reinstall the kernel package, or at least rebuild initrd: mkinitrd.


Comments

1

Good advice, Artur - but we have dracut now :)

randomuser ( 2013-10-01 00:51:23 -0600 )
1

answered 2013-09-23 01:54:36 -0600

A couple points that should help:

  • look in /var/log/audit/audit.log for SELinux messages.
  • touch /.autorelabel will fix SELinux contexts according to the current policy. A good place to start.
  • journalctl is worth looking at, too. It has everything from /var/log/messages and more, with filtering options. journalctl -b will give messages starting with the current boot, for example.

Comments

Thank you. I ran these commands and posted the output in another question. Do you see anything that stands out?

gusennan ( 2013-09-23 08:51:25 -0600 )

No, nothing stands out. There might be some hint, but you only show lines matching "selinux". SELinux messages are in /var/log/audit/audit.log. Also, please update your question instead of posting an answer.

randomuser ( 2013-09-23 14:14:43 -0600 )

Thanks for the suggestion about updating the question, that is a better idea.

gusennan ( 2013-09-23 14:21:00 -0600 )
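
Added example (not part of any post in this thread, and not Fedora's own tooling): filtering audit.log for the word "selinux" misses denials because they are logged as type=AVC records, and some fields such as cmd= are hex-encoded. This Python sketch summarizes AVC denials and decodes those fields; the first and last sample lines are the USER_CMD records quoted in the question, while the two AVC lines are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: the USER_CMD lines are quoted from the question above;
# the two AVC denials are constructed for illustration only.
SAMPLE = """\
type=USER_CMD msg=audit(1379357266.845:447): pid=2265 uid=1000 auid=1000 ses=1  msg='cwd="/etc/selinux" cmd=76696D20636F6E666967 terminal=pts/0 res=success'
type=AVC msg=audit(1379943000.101:70): avc:  denied  { read } for  pid=412 comm="systemd-udevd" name="example.conf" dev="dm-1" ino=1234 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1379943000.250:71): avc:  denied  { read } for  pid=413 comm="systemd-udevd" name="other.conf" dev="dm-1" ino=1235 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=USER_CMD msg=audit(1379357279.232:452): pid=2273 uid=1000 auid=1000 ses=1  msg='cwd="/etc/selinux" cmd="reboot" terminal=pts/0 res=success'
"""

# auditd quotes "safe" strings and hex-encodes ones with spaces or quotes,
# so only these string-valued fields are candidates for hex decoding.
STRING_FIELDS = {"cmd", "comm", "exe", "name", "path"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")

def parse_record(line):
    """Return a dict of key=value fields, decoding hex-encoded strings."""
    rec = {}
    for key, raw in FIELD.findall(line):
        if key in STRING_FIELDS:
            if raw.startswith('"'):
                raw = raw.strip('"')
            elif re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
                raw = bytes.fromhex(raw).decode("utf-8", "replace")
        rec[key] = raw
    return rec

def denial_summary(text):
    """Count AVC denials by (comm, perms, source type, target type, class)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        perms = PERMS.search(line)
        if rec.get("type") != "AVC" or "denied" not in line or not perms:
            continue
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        counts[(rec.get("comm"), perms.group(1), stype, ttype, rec["tclass"])] += 1
    return counts

def decoded_commands(text):
    """Return the decoded cmd= value of every USER_CMD record."""
    recs = (parse_record(line) for line in text.splitlines())
    return [r["cmd"] for r in recs if r.get("type") == "USER_CMD" and "cmd" in r]

if __name__ == "__main__":
    for key, n in denial_summary(SAMPLE).items():
        print(n, *key)
    print(decoded_commands(SAMPLE))
```

On a real system the input would be the contents of /var/log/audit/audit.log read as root, after booting with enforcing=0 so that denials are logged without blocking the boot.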


Asked: 2013-09-16 14:29:38 -0600

Seen: 1,598 times

Last updated: Sep 30 '13