On Sunday, September 24, 2017 at 12:17:33 PM UTC-4, cooloutac wrote:
> On Sunday, September 24, 2017 at 12:16:34 PM UTC-4, cooloutac wrote:
> > On Thursday, September 21, 2017 at 4:40:42 AM UTC-4, pels wrote:
> > > On Wednesday, September 20, 2017 at 2:54:31 PM UTC+2, cooloutac wrote:
> > > > On Wednesday, September 20, 2017 at 4:41:58 AM UTC-4, pels wrote:
> > > > > I'd like to activate SELINUX (enforcing) in VMs (f25 and f25-minimal),
> > > > > but it fails:
> > > > >
> > > > > [ 1.510532] audit: type=1404 audit(1505894636.317:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> > > > > [ 1.601491] audit: type=1403 audit(1505894636.408:3): policy loaded auid=4294967295 ses=4294967295
> > > > > [ 1.605815] systemd[1]: Successfully loaded SELinux policy in 95.611ms.
> > > > > [ 1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> > > > > [!!!!!!] Failed to mount API filesystems, freezing.
> > > > > [ 1.621206] systemd[1]: Freezing execution.
> > > > >
> > > > > I had it enabled in Fedora 24, but after upgrading it failed.
> > > > > I created a new template (f25 and f25-minimal) with the same effect.
> > > > >
> > > > > I have tried to reset SELinux to its initial state:
> > > > > yum remove selinux-policy
> > > > > rm -rf /etc/selinux
> > > > > yum install selinux-policy-targeted
> > > > > fixfiles -f -F relabel
> > > > > reboot
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Thank you very much
> > > > >
> > > > > Best Regards
> > > >
> > > > Is this a vm, if so do we really care if systemd is running in it?
> > > > You sure that's selinux? what does sestatus say?
> > > >
> > > > When googling this error it seems people have the same issue when running
> > > > docker. And you have to set seccomp to unconfined.
> > >
> > > Thank you cooloutac
> > >
> > > -Is this a vm
> > > It happens in Templates and VMs.
> > >
> > > -Is this a vm, if so do we really care if systemd is running in it?
> > > The problem is that when I enable SELINUX, VMs/templates don't "boot" or fail
> > > to start.
> > > If I disable SELINUX, the templates/VMs start without problems and
> > > systemd is activated.
> > >
> > > -You sure that's selinux?
> > > Yes, I'm pretty sure, it's exactly the same config that I had in Fedora 24.
> > > In dom0
> > > qvm-prefs -s fedora-25 kernelopts "nopat security=selinux selinux=1"
> > > and in VMs/Templates
> > > /etc/selinux/config
> > >
> > > SELINUX=enforcing
> > > SELINUXTYPE=targeted
> > >
> > > Default selinux config
> > >
> > > -what does sestatus say?
> > > I can't execute anything in template/VMs
> > > in dom0:
> > > qvm-run fedora-25 --nogui -pass-io -u root "sestatus"
> > > Error(fedora-25): Domain 'fedora-25':qreexec not connected
> > >
> > > -When googling this error seems people have same issue when running
> > > docker. And you have to set seccomp to unconfined
> > >
> > > Yes, I've read it, but I don't know how to disable seccomp and the
> > > consequences...
> > >
> > >
> > > Could you do me a big favour and try to activate SELINUX?
> > >
> > > Thank you very much
> > >
> > > Best regards
> >
> > Probably only useful in the template vm. But still not sure how beneficial
> > it would be was my point though. It's probably not compatible with qubes,
> > sounds like it breaks qrexec, maybe not worth the headache man.
>
> If they're exploiting xen already I don't think it really matters at that point.
> But I'm far from an expert.
I'm sorry for the spam, but I wanted to add that an alternative option is to use multiple template VMs for installing different untrusted software. Of course this requires more resources, but Qubes in general requires more resources and specific capable hardware for best compatibility.
