How do you debug selinux boot interruptions?
Today I updated packages and after a reboot fedora hung after grub2-efi launched while the fedora logo was filling up on the screen. After removing the kernel parameters "quiet" and "rhgb" I saw that there was an selinux message and a SIGTERM that caused the kernel initialization to freeze. I googled a bit and experimented with disabling selinux via a kernel parameter, and this allowed fedora and the gnome shell to launch. Searching for what may have caused selinux to interrupt the kernel initialization process, I looked through /var/log/messages for "avc" but did not find any.
Right now, the only way that the kernel and gnome are loading is when I'm passing "selinux=0" as a kernel parameter upon boot. I'd prefer not to do this as I like to have a secure system. How does one go about finding more information about what could be causing this problem and how to address it so I can re-enable selinux?
Update 1: Thank you for the idea about journalctl and the other suggestions. Below is the result of searching the audit.log and journalctl. Is there anything here that stands out?
sudo cat /var/log/audit/audit.log | ack -i selinux
type=USER_CMD msg=audit(1379357266.845:447): pid=2265 uid=1000 auid=1000 ses=1 msg='cwd="/etc/selinux" cmd=76696D20636F6E666967 terminal=pts/0 res=success'
type=USER_CMD msg=audit(1379357279.232:452): pid=2273 uid=1000 auid=1000 ses=1 msg='cwd="/etc/selinux" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1379942915.981:668): pid=6594 uid=1000 auid=1000 ses=1 subj=kernel msg='cwd="/etc/selinux" cmd=677265702053454C696E75782069732070726576656E74696E67202F7661722F6C6F672F6D65737361676573 terminal=pts/0 res=success'
Below are some logs that I ran over journalctl with the following command for the current day. I turned SELINUX off and booted, turned it on and tried to boot (unsuccessfully), and turned it back off to run this command:
journalctl | ack -i selinux
Sep 23 15:25:31 localhost.localdomain /usr/bin/sealert[6439]: SELinux not enabled, sealert will not run on non SELinux systems
Sep 23 15:28:35 localhost.localdomain sudo[6594]: dufu : TTY=pts/0 ; PWD=/etc/selinux ; USER=root ; COMMAND=/bin/grep SELinux is preventing /var/log/messages
Sep 23 15:29:43 localhost.localdomain kernel: SELinux: Initializing.
Sep 23 15:29:43 localhost.localdomain kernel: SELinux: Starting in permissive mode
Sep 23 15:29:43 localhost.localdomain kernel: SELinux: Registering netfilter hooks
Sep 23 15:29:43 localhost.localdomain systemd[1]: systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Sep 23 15:29:46 localhost.localdomain systemd[1]: systemd 204 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Sep 23 15:29:58 localhost.localdomain gnome-session[1178]: SELinux Troubleshooter: Applet requires SELinux be enabled to run.
Sep 23 15:30:45 localhost.localdomain sudo[2238]: dufu : TTY=pts/0 ; PWD=/home/dufu ; USER=root ; COMMAND=/bin ...
Just for comfort until it is solved... Add "selinux=0" to your /etc/default/grub: GRUB_CMDLINE_LINUX="...." and rebuild grub.cfg. Or try: setenforce Permissive
Thanks. By changing /etc/selinux/config's "setenforce" to permissive I don't need to pass a kernel parameter, which does ease usage until I figure out what the root problem is.
Once you're logged in, run the SELinux Troubleshooter and see what, if anything, it reports.
Does SELinux need to be on to run the SELinux troubleshooter? Unfortunately I can't boot into the system with SELinux on.
Once you're logged in with it turned off, try setting it to permissive mode by editing /etc/selinux/config as root, then reboot. That will make sure that you get the alerts you need without actually stopping anything.
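The two pieces of advice above (switch /etc/selinux/config to permissive mode so a bad policy decision is logged instead of stopping the boot, then read the denials it records) as an added shell example; this is not code from the thread or from any Fedora tool. It assumes a Fedora-style /etc/selinux/config containing a SELINUX= line and audit records in the usual auditd line format. The helpers take the config path as a parameter so they can be tried on a scratch copy, and the SAMPLE_AUDIT records are constructed for the example, not a real capture.

```shell
#!/bin/bash
# Added example (not from the original thread): put SELinux into permissive
# mode via /etc/selinux/config, then summarise the AVC denials that permissive
# mode records instead of enforcing. SAMPLE_AUDIT is constructed sample data.
set -u

# Rewrite the live SELINUX= line of an /etc/selinux/config-style file.
# $1 = config file, $2 = enforcing|permissive|disabled
set_selinux_mode() {
    local cfg="$1" mode="$2" tmp rc
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # Write back into the existing file rather than mv-ing a temp file over it,
    # so the file keeps its owner and its own SELinux label. Only the
    # uncommented SELINUX= line changes; SELINUXTYPE= is left alone.
    sed -E "s/^SELINUX=.*/SELINUX=${mode}/" "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print the mode currently configured in such a file.
get_selinux_mode() {
    sed -n -E 's/^SELINUX=([a-z]+).*/\1/p' "$1"
}

# Read audit-log records on stdin and print one line per AVC denial:
#   source context -> target context class { permissions }
# Denials are "type=AVC ... avc:  denied" records, so a grep for the word
# "selinux" never finds them. On a live system `ausearch -m avc -ts today`
# pulls the same records out of /var/log/audit/audit.log.
summarize_avc() {
    grep -E '^type=AVC .*denied' | sed -E \
        's/.*denied[[:space:]]+[{]([^}]*)[}].*scontext=([^ ]+) tcontext=([^ ]+) tclass=([^ ]+).*/\2 -> \3 \4 {\1}/'
}

# Constructed sample: a USER_CMD record (the kind a grep for "selinux" matches),
# a granted AVC (not a denial) and one denied AVC recorded under permissive=1.
SAMPLE_AUDIT=$(cat <<'EOF'
type=USER_CMD msg=audit(1379942915.981:668): pid=6594 uid=1000 auid=1000 ses=1 msg='cwd="/etc/selinux" cmd="reboot" terminal=pts/0 res=success'
type=AVC msg=audit(1379943001.120:701): avc:  granted  { setenforce } for  pid=2301 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1379943012.553:702): avc:  denied  { read } for  pid=1178 comm="gnome-session" name="config" dev="sda3" ino=262183 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
EOF
)

# Stand-alone run: summarise the sample. On the real machine, as root:
#   set_selinux_mode /etc/selinux/config permissive && reboot
# then pipe the audit log through summarize_avc after the next boot.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

Two things worth knowing before going back to enforcing. First, the grep -i selinux over audit.log in the question can only match records that contain that word, such as the USER_CMD entries it found; the denials you need are type=AVC records, which is what summarize_avc (or ausearch -m avc) selects. Second, any file written while the machine was booted with selinux=0 carries no label, so run touch /.autorelabel as root and reboot before setting SELINUX=enforcing again; otherwise mislabeled files become a second, self-inflicted source of boot-time denials.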