Bug#823287: selinux-basics: System cannot boot with SELinux enabled after upgrade

2016-05-03 Thread Jonathan Yu
On Tue, May 3, 2016 at 10:10 AM, Laurent Bigonville wrote:
>
> Do you have a policy installed on your machine?
>

I do not - I was unable to install the latest selinux-policy-default
package from unstable due to dependency problems that I was unable to
resolve.

The following packages have unmet dependencies:
 selinux-policy-default : Depends: policycoreutils (>= 2.2.1) but it is not going to be installed
 udev : Depends: libblkid1 (>= 2.19.1) but it is not going to be installed
        Depends: adduser but it is not going to be installed
        Depends: util-linux (>= 2.27.1)
        Depends: procps


> The policy package currently in unstable is not compatible with the new
> userspace and needs to be adjusted, see bug #805492.
>

Ah, it does look like the same problem. However, I expected some sort of
safeguard that would prevent me from breaking my system -- i.e. a check in
selinux-activate that ensured that a policy was available, if that is
required to boot. Making my system unbootable is not desired behaviour.


> I've unfortunately not a lot of time for this. That means that if you want
> to use SELinux in debian, you'll have to compile/build your own policy.
>

I can understand that. I have some experience with Debian packaging, but
little with SELinux or advanced things like maintainer scripts, however I'd
be happy to spend a few weekends hacking on this if you can give me some
direction. I'll read through #805492 this weekend and come back to you with
questions.

Thanks again for all your contributions to Debian :)
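The safeguard asked for above, as an added example that is not part of selinux-basics or its maintainer scripts: a preflight check that refuses to enable SELinux unless the policy type named in the SELinux config is actually installed. It assumes the on-disk layout libselinux reads (a `config` file with a `SELINUXTYPE=<type>` line, and under `<type>/` a compiled `policy/policy.NN`, `contexts/dbus_contexts`, `contexts/files/file_contexts` and `seusers`); the tree root defaults to /etc/selinux but can be pointed elsewhere, and the fixture tree built at the end is constructed for the demonstration, not taken from a real system.

```sh
#!/bin/sh
# Added example (not selinux-basics code): refuse to enable SELinux unless the
# configured policy type is installed. Assumed layout, as read by libselinux:
#   $ROOT/config                              with a SELINUXTYPE=<type> line
#   $ROOT/<type>/policy/policy.<NN>           the compiled binary policy
#   $ROOT/<type>/contexts/dbus_contexts       read by dbus-daemon at startup
#   $ROOT/<type>/contexts/files/file_contexts, $ROOT/<type>/seusers

# selinux_preflight [ROOT]  -> returns 0 only if the configured policy is present
selinux_preflight() {
    root="${1:-/etc/selinux}"
    cfg="$root/config"
    if [ ! -r "$cfg" ]; then
        echo "FAIL: $cfg is missing or unreadable" >&2
        return 1
    fi
    # Last uncommented SELINUXTYPE=... assignment wins; comments and blanks are ignored.
    seltype=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$seltype" ]; then
        echo "FAIL: no SELINUXTYPE= line in $cfg" >&2
        return 1
    fi
    pdir="$root/$seltype"
    if [ ! -d "$pdir" ]; then
        echo "FAIL: $pdir does not exist (is a policy package for '$seltype' installed?)" >&2
        return 1
    fi
    rc=0
    # Without a compiled policy file the kernel has nothing to load.
    if ! ls "$pdir"/policy/policy.[0-9]* >/dev/null 2>&1; then
        echo "FAIL: no compiled policy under $pdir/policy/" >&2
        rc=1
    fi
    # Files early userspace reads. dbus-daemon refuses to start without
    # dbus_contexts, which is what takes systemd's API bus down with it.
    for f in contexts/dbus_contexts contexts/files/file_contexts seusers; do
        if [ ! -r "$pdir/$f" ]; then
            echo "FAIL: $pdir/$f is missing" >&2
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: policy type '$seltype' is installed under $pdir"
    fi
    return "$rc"
}

# make_fixture DIR WITH_POLICY(0|1): build a constructed, throwaway tree in the
# assumed layout so the check can be exercised without touching /etc/selinux.
make_fixture() {
    mkdir -p "$1"
    printf 'SELINUX=permissive\nSELINUXTYPE=default\n' > "$1/config"
    if [ "$2" -eq 1 ]; then
        mkdir -p "$1/default/policy" "$1/default/contexts/files"
        : > "$1/default/policy/policy.30"
        : > "$1/default/contexts/dbus_contexts"
        : > "$1/default/contexts/files/file_contexts"
        : > "$1/default/seusers"
    fi
}

# Demo: the same check against a complete tree and against one with no policy
# package installed, which is the state the bug report describes.
demo_tmp=$(mktemp -d)
make_fixture "$demo_tmp/good" 1
make_fixture "$demo_tmp/bad" 0
selinux_preflight "$demo_tmp/good"
selinux_preflight "$demo_tmp/bad" \
    || echo "refusing to add 'selinux=1 security=selinux' to the kernel command line" >&2
rm -rf "$demo_tmp"
```

Run with no argument to check the live /etc/selinux tree before touching the grub configuration; a non-zero exit means enabling SELinux would leave the next boot without a loadable policy or without the contexts files dbus-daemon needs. The check deliberately looks at the type the config names rather than at whatever directories happen to exist, since that is what the kernel and libselinux will use.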


Bug#823287: selinux-basics: System cannot boot with SELinux enabled after upgrade

2016-05-03 Thread Laurent Bigonville

On Mon, 02 May 2016 20:51:55 -0700 Jonathan Yu wrote:
>
> Dear Maintainer,

Hello,

>
> Thank you for your work bringing SELinux to Debian!
>
> I regret that my knowledge of both SELinux and systemd is limited, so I do not
> know what diagnostics to collect or how to collect them. That said, I can
> reproduce this problem at will, and I'm happy to collect whatever diagnostics
> you need.
>
> * What led up to the situation?
>
> I upgraded my system doing full-upgrade. My system is mainly 'testing' with
> some packages coming from 'unstable' (I tried updating to the newer
> selinux-utils in unstable, but to no avail).
>
> Unfortunately there are not many diagnostics provided during boot, and I
> could not find any trace of the failed boots in journalctl or in files
> in /var/log, presumably because the problems occurred at such an early
> stage of boot. I checked /var/log/syslog, but did not find much that was informative.
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> * What was the outcome of this action?
>
> Removing the "selinux=1 security=selinux" flags from grub allowed me to boot.
> I then used "selinux-activate disabled" to disable SELinux while we sort
> these issues out.
>
> I also tried running "selinux-activate disabled" and re-activating it again,
> as it seems to do something with restorecond on first boot after activation.
> Unfortunately this did not change anything :(
>
> * What outcome did you expect instead?
>
> I expected that my system could continue booting. I've never had significant
> issues with Debian upgrades (thanks to careful maintainers like you :) and
> guess that there must be something strange about the way my system is
> configured.
>
> [...]
> May  2 20:31:38 theory dbus-daemon[1183]: Failed to start message bus: Failed to open "/etc/selinux/default/contexts/dbus_contexts": No such file or directory
> [...]
> pn  selinux-policy-default

Do you have a policy installed on your machine?

The policy package currently in unstable is not compatible with the new 
userspace and needs to be adjusted, see bug #805492.


I've unfortunately not a lot of time for this. That means that if you 
want to use SELinux in debian, you'll have to compile/build your own policy.


Bug#823287: selinux-basics: System cannot boot with SELinux enabled after upgrade

2016-05-02 Thread Jonathan Yu
Package: selinux-basics
Version: 0.5.4
Severity: grave
Justification: renders package unusable

Dear Maintainer,

Thank you for your work bringing SELinux to Debian!

I regret that my knowledge of both SELinux and systemd is limited, so I do not
know what diagnostics to collect or how to collect them.  That said, I can
reproduce this problem at will, and I'm happy to collect whatever diagnostics
you need.

   * What led up to the situation?

I upgraded my system doing full-upgrade. My system is mainly 'testing' with
some packages coming from 'unstable' (I tried updating to the newer
selinux-utils in unstable, but to no avail).

Unfortunately there are not many diagnostics provided during boot, and I
could not find any trace of the failed boots in journalctl or in files
in /var/log, presumably because the problems occurred at such an early
stage of boot. I checked /var/log/syslog, but did not find much that was informative.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?
   * What was the outcome of this action?

Removing the "selinux=1 security=selinux" flags from grub allowed me to boot.
I then used "selinux-activate disabled" to disable SELinux while we sort
these issues out.

I also tried running "selinux-activate disabled" and re-activating it again,
as it seems to do something with restorecond on first boot after activation.
Unfortunately this did not change anything :(

   * What outcome did you expect instead?

I expected that my system could continue booting. I've never had significant
issues with Debian upgrades (thanks to careful maintainers like you :) and
guess that there must be something strange about the way my system is
configured.

There was some interesting-looking output in /var/log/audit; here's a
section:

May  2 20:31:38 theory systemd[1]: Listening on CUPS Scheduler.
May  2 20:31:38 theory systemd[1]: Listening on D-Bus System Message Bus Socket.
May  2 20:31:38 theory systemd[1]: apt-daily.timer: Adding 7h 21min 31.345143s random time.
May  2 20:31:38 theory systemd[1]: Started Daily apt activities.
May  2 20:31:38 theory systemd[1]: Started Daily Cleanup of Temporary Directories.
May  2 20:31:38 theory systemd[1]: Reached target Timers.
May  2 20:31:38 theory systemd[1]: Started CUPS Scheduler.
May  2 20:31:38 theory systemd[1]: Reached target Paths.
May  2 20:31:38 theory systemd[1]: Listening on Virtual machine lock manager socket.
May  2 20:31:38 theory systemd[1]: Listening on mpd.socket.
May  2 20:31:38 theory systemd[1]: Listening on Virtual machine log manager socket.
May  2 20:31:38 theory systemd[1]: Reached target Sockets.
May  2 20:31:38 theory systemd[1]: Reached target Basic System.
May  2 20:31:38 theory systemd[1]: Started Run anacron jobs.
May  2 20:31:38 theory systemd[1]: Starting Accounts Service...
May  2 20:31:38 theory systemd[1]: Starting IIO Sensor Proxy service...
May  2 20:31:38 theory systemd[1]: Starting Restore /etc/resolv.conf if the system crashed before the ppp link was shut down...
May  2 20:31:38 theory systemd[1]: Starting Thermal Daemon Service...
May  2 20:31:38 theory systemd[1]: Starting Modem Manager...
May  2 20:31:38 theory systemd[1]: Started CUPS Scheduler.
May  2 20:31:38 theory systemd[1]: Started D-Bus System Message Bus.
May  2 20:31:38 theory ModemManager[1176]:   ModemManager (version 1.4.14) starting in system bus...
May  2 20:31:38 theory dbus-daemon[1183]: Failed to start message bus: Failed to open "/etc/selinux/default/contexts/dbus_contexts": No such file or directory
May  2 20:31:38 theory systemd-udevd[823]: Process '/usr/sbin/alsactl -E HOME=/run/alsa restore 2' failed with exit code 99.
May  2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.thermald': Connection timed out
May  2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.ModemManager1': Connection timed out
May  2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'net.hadess.SensorProxy': Connection timed out
May  2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.NetworkManager': Connection timed out
May  2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.login1': Connection timed out
May  2 20:31:38 theory systemd[1]: Failed to subscribe to NameOwnerChanged signal for 'org.freedesktop.Accounts': Connection timed out
May  2 20:31:38 theory systemd[1]: Failed to subscribe to activation signal: Connection timed out
May  2 20:31:38 theory systemd[1]: Failed to register name: Connection timed out
May  2 20:31:38 theory systemd[1]: Failed to set up API bus: Connection timed out
May  2 20:31:38 theory systemd[1]: Starting Network Manager...
May  2 20:31:38 theory systemd[1]: Starting LSB: Start the GNUstep distributed object mapper...
May  2 20:31:38 theory systemd[1]: Started Regular background program processing