Bug#823287: selinux-basics: System cannot boot with SELinux enabled after upgrade
On Tue, May 3, 2016 at 10:10 AM, Laurent Bigonville wrote:

> Do you have a policy installed on your machine?

I do not - I was unable to install the latest selinux-policy-default package from unstable due to dependency problems that I was unable to resolve.

The following packages have unmet dependencies:
 selinux-policy-default : Depends: policycoreutils (>= 2.2.1) but it is not going to be installed
 udev : Depends: libblkid1 (>= 2.19.1) but it is not going to be installed
        Depends: adduser but it is not going to be installed
        Depends: util-linux (>= 2.27.1)
        Depends: procps

> The policy package currently in unstable is not compatible with the new
> userspace and needs to be adjusted, see bug #805492.

Ah, it does look like the same problem. However, I expected some sort of safeguard that would prevent me from breaking my system -- i.e. a check in selinux-activate that ensured that a policy was available, if that is required to boot. Making my system unbootable is not desired behaviour.

> I've unfortunately not a lot of time for this. That means that if you want
> to use SELinux in debian, you'll have to compile/build your own policy.

I can understand that. I have some experience with Debian packaging, but little with SELinux or advanced things like maintainer scripts, however I'd be happy to spend a few weekends hacking on this if you can give me some direction. I'll read through #805492 this weekend and come back to you with questions.

Thanks again for all your contributions to Debian :)
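The safeguard this message asks for, as an added example that is not part of the thread and is not selinux-activate's code: a POSIX shell check that the policy named by SELINUXTYPE is installed, including the dbus_contexts file from the reported log. The function name selinux_policy_ready and its ROOT argument are hypothetical; policy/policy.* under /etc/selinux/<type> is assumed to be the policy location.

```shell
#!/bin/sh
# Pre-flight check: is an SELinux policy actually installed under ROOT?
# Added example; selinux_policy_ready and its ROOT argument are hypothetical.

selinux_policy_ready() {
    root="${1:-}"                    # empty = live system; a path = a test tree
    conf="$root/etc/selinux/config"
    ptype=""
    # SELINUXTYPE names the policy directory under /etc/selinux
    if [ -r "$conf" ]; then
        ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    if [ -z "$ptype" ]; then
        echo "missing: SELINUXTYPE in $conf" >&2
        return 1
    fi
    dir="$root/etc/selinux/$ptype"
    rc=0
    # Compiled binary policy: policy/policy.<version>, version suffix varies
    found=0
    for f in "$dir"/policy/policy.*; do
        if [ -s "$f" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "missing: compiled policy in $dir/policy/" >&2
        rc=1
    fi
    # The file dbus-daemon failed to open in the log from this report
    if [ ! -r "$dir/contexts/dbus_contexts" ]; then
        echo "missing: $dir/contexts/dbus_contexts" >&2
        rc=1
    fi
    return "$rc"
}

# Run as: sh check.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    if selinux_policy_ready "${2:-}"; then
        echo "policy present: selinux=1 security=selinux can be enabled"
    else
        echo "no usable policy: leave SELinux disabled" >&2
        exit 1
    fi
fi
```

Run before adding the selinux=1 security=selinux boot parameters; a non-zero exit means the next boot would hit the missing-policy failure described in this report.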
Bug#823287: selinux-basics: System cannot boot with SELinux enabled after upgrade
On Mon, 02 May 2016 20:51:55 -0700 Jonathan Yu wrote:

> Dear Maintainer,

Hello,

> Thank you for your work bringing SELinux to Debian!
>
> I regret that my knowledge of both SELinux and systemd is limited, so I do not
> know what diagnostics to collect or how to collect it. That said, I can
> reproduce this problem at will, and I'm happy to collect whatever diagnostics
> you need.
>
> * What led up to the situation?
>
> I upgraded my system doing full-upgrade. My system is mainly 'testing' with
> some packages coming from 'unstable' (I tried updating to the newer
> selinux-utils in unstable, but to no avail).
>
> Unfortunately there are not much diagnostics provided during boot, and I
> could not find any trace of the failed boots in journalctl or in files
> in /var/log, presumably because the problems occurred at such an early
> stage of boot. I checked /var/log/syslog, but did not find much informative.
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> * What was the outcome of this action?
>
> Removing the "selinux=1 security=selinux" flags from grub allowed me to boot.
> I then used "selinux-activate disabled" to disable SELinux while we sort
> these issues out.
>
> I also tried running "selinux-activate disabled" and re-activating it again,
> as it seems to do something with restorecond on first boot after activation.
> Unfortunately this did not change anything :(
>
> * What outcome did you expect instead?
>
> I expected that my system could continue booting. I've never had significant
> issues with Debian upgrades (thanks to careful maintainers like you :) and
> guess that there must be something strange about the way my system is
> configured.
>
> [...]
> May 2 20:31:38 theory dbus-daemon[1183]: Failed to start message bus: Failed to open "/etc/selinux/default/contexts/dbus_contexts": No such file or directory
> [...]
> pn selinux-policy-default

Do you have a policy installed on your machine?

The policy package currently in unstable is not compatible with the new userspace and needs to be adjusted, see bug #805492.

I've unfortunately not a lot of time for this. That means that if you want to use SELinux in debian, you'll have to compile/build your own policy.
Bug#823287: selinux-basics: System cannot boot with SELinux enabled after upgrade
Package: selinux-basics
Version: 0.5.4
Severity: grave
Justification: renders package unusable

Dear Maintainer,

Thank you for your work bringing SELinux to Debian!

I regret that my knowledge of both SELinux and systemd is limited, so I do not know what diagnostics to collect or how to collect it. That said, I can reproduce this problem at will, and I'm happy to collect whatever diagnostics you need.

* What led up to the situation?

I upgraded my system doing full-upgrade. My system is mainly 'testing' with some packages coming from 'unstable' (I tried updating to the newer selinux-utils in unstable, but to no avail).

Unfortunately there are not much diagnostics provided during boot, and I could not find any trace of the failed boots in journalctl or in files in /var/log, presumably because the problems occurred at such an early stage of boot. I checked /var/log/syslog, but did not find much informative.

* What exactly did you do (or not do) that was effective (or ineffective)?
* What was the outcome of this action?

Removing the "selinux=1 security=selinux" flags from grub allowed me to boot. I then used "selinux-activate disabled" to disable SELinux while we sort these issues out.

I also tried running "selinux-activate disabled" and re-activating it again, as it seems to do something with restorecond on first boot after activation. Unfortunately this did not change anything :(

* What outcome did you expect instead?

I expected that my system could continue booting. I've never had significant issues with Debian upgrades (thanks to careful maintainers like you :) and guess that there must be something strange about the way my system is configured.

There was some interesting-looking output in /var/log/audit; here's a section:

May 2 20:31:38 theory systemd[1]: Listening on CUPS Scheduler.
May 2 20:31:38 theory systemd[1]: Listening on D-Bus System Message Bus Socket.
May 2 20:31:38 theory systemd[1]: apt-daily.timer: Adding 7h 21min 31.345143s random time.
May 2 20:31:38 theory systemd[1]: Started Daily apt activities.
May 2 20:31:38 theory systemd[1]: Started Daily Cleanup of Temporary Directories.
May 2 20:31:38 theory systemd[1]: Reached target Timers.
May 2 20:31:38 theory systemd[1]: Started CUPS Scheduler.
May 2 20:31:38 theory systemd[1]: Reached target Paths.
May 2 20:31:38 theory systemd[1]: Listening on Virtual machine lock manager socket.
May 2 20:31:38 theory systemd[1]: Listening on mpd.socket.
May 2 20:31:38 theory systemd[1]: Listening on Virtual machine log manager socket.
May 2 20:31:38 theory systemd[1]: Reached target Sockets.
May 2 20:31:38 theory systemd[1]: Reached target Basic System.
May 2 20:31:38 theory systemd[1]: Started Run anacron jobs.
May 2 20:31:38 theory systemd[1]: Starting Accounts Service...
May 2 20:31:38 theory systemd[1]: Starting IIO Sensor Proxy service...
May 2 20:31:38 theory systemd[1]: Starting Restore /etc/resolv.conf if the system crashed before the ppp link was shut down...
May 2 20:31:38 theory systemd[1]: Starting Thermal Daemon Service...
May 2 20:31:38 theory systemd[1]: Starting Modem Manager...
May 2 20:31:38 theory systemd[1]: Started CUPS Scheduler.
May 2 20:31:38 theory systemd[1]: Started D-Bus System Message Bus.
May 2 20:31:38 theory ModemManager[1176]: ModemManager (version 1.4.14) starting in system bus...
May 2 20:31:38 theory dbus-daemon[1183]: Failed to start message bus: Failed to open "/etc/selinux/default/contexts/dbus_contexts": No such file or directory
May 2 20:31:38 theory systemd-udevd[823]: Process '/usr/sbin/alsactl -E HOME=/run/alsa restore 2' failed with exit code 99.
May 2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.thermald': Connection timed out
May 2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.ModemManager1': Connection timed out
May 2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'net.hadess.SensorProxy': Connection timed out
May 2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.NetworkManager': Connection timed out
May 2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.login1': Connection timed out
May 2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.Accounts': Connection timed out
May 2 20:31:38 theory systemd[1]: Failed to subscribe to activation signal: Connection timed out
May 2 20:31:38 theory systemd[1]: Failed to register name: Connection timed out
May 2 20:31:38 theory systemd[1]: Failed to set up API bus: Connection timed out
May 2 20:31:38 theory systemd[1]: Starting Network Manager...
May 2 20:31:38 theory systemd[1]: Starting LSB: Start the GNUstep distributed object mapper...
May 2 20:31:38 theory systemd[1]: Started Regular background program processing