Bug 1226937 - [docs]: change repository for SELinux policy in documentation for 15.6
Summary: [docs]: change repository for SELinux policy in documentation for 15.6
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Documentation
Version: Leap 15.6
Hardware: Other Other
Importance: P5 - None Normal
Target Milestone: ---
Assignee: Amrita Sakthivel
QA Contact: Frank Sundermeyer
URL:
Whiteboard: https://jira.suse.com/browse/DOCTEAM-...
Keywords:
Depends on:
Blocks: 1227282
Reported: 2024-06-25 08:04 UTC by Cathy Hu
Modified: 2024-07-08 10:08 UTC
CC: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
dmesg (73.38 KB, text/plain)
2024-07-02 09:19 UTC, Felix Niederwanger

Description Cathy Hu 2024-06-25 08:04:05 UTC
The Leap 15.6 documentation links to the SELinux_legacy repo for testing purposes here:

https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-selinux.html#sec-selinux-getpolicy

For 15.6 this repository is linked in the documentation, which is wrong: https://download.opensuse.org/repositories/security:/SELinux_legacy/15.6/ 

The correct repository is:
https://download.opensuse.org/repositories/security:/SELinux/15.6/

Could you update it? Thanks :)
Comment 1 Felix Niederwanger 2024-07-01 13:39:37 UTC
Hey Cathy! Is this correct? https://download.opensuse.org/repositories/security:/SELinux/15.6/ contains updates to the toolchain, but the (outdated) link to https://download.opensuse.org/repositories/security:/SELinux_legacy/ contains the SELinux policy.

I cannot find any policies in https://download.opensuse.org/repositories/security:/SELinux/15.6/, so the new link provides something different than the documentation says it would.
Comment 2 Felix Niederwanger 2024-07-01 13:41:04 UTC
See https://doc.opensuse.org/documentation/leap/security/html/book-security/cha-selinux.html#sec-selinux-getpolicy for more information. There it explicitly states it would be the repository for the policy, and even suggests installing it via

> sudo zypper in selinux-policy-targeted selinux-policy-devel

Those packages are not present AFAICS in https://download.opensuse.org/repositories/security:/SELinux/15.6/, so something looks wrong here.
Comment 3 Cathy Hu 2024-07-02 06:32:37 UTC
Hi Felix,

I am not sure what you mean; the policy is in there as well, see for example:
https://download.opensuse.org/repositories/security:/SELinux/15.6/noarch/selinux-policy-targeted-20240617-150600.237.2.noarch.rpm

security:SELinux contains the toolchain and the policy.

Please let me know if I am misunderstanding, thanks :)
Comment 4 Felix Niederwanger 2024-07-02 08:48:00 UTC
(In reply to Cathy Hu from comment #3)
> Hi Felix,
> 
> I am not sure what you mean, the policy is in there as well, see for example:
> https://download.opensuse.org/repositories/security:/SELinux/15.6/noarch/
> selinux-policy-targeted-20240617-150600.237.2.noarch.rpm
> 
> security:SELinux contains the toolchain and the policy
> 
> Please let me know if I am misunderstanding, thanks :)

Thank you for the useful hint! You are right. It is in the noarch folder, therefore I missed it. I'm back to testing if this works now and will report back.
Comment 5 Felix Niederwanger 2024-07-02 09:19:30 UTC
I'm trying to set up SELinux following the steps from the documentation and using the new repository https://download.opensuse.org/repositories/security:/SELinux/15.6/ but it results in a borked system.

## Reproducer

Install the SELinux toolchain and default policy (targeted):

> # zypper ar -p 10 https://download.opensuse.org/repositories/security:/SELinux/15.6/ SELinux
> # zypper ref
> # zypper in --allow-vendor-change restorecond policycoreutils setools-console selinux-policy-targeted selinux-policy-devel

Check if SELinux is in permissive mode, and if the right policy is set:

> # cat /etc/selinux/config
> ...
> SELINUX=permissive
> SELINUXTYPE=targeted
> ...

Add SELinux to the kernel parameters (adding "security=selinux selinux=1" to GRUB_CMDLINE_LINUX_DEFAULT):

> # vim /etc/default/grub
> ...
> # old value: GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto quiet security=apparmor console=ttyS0"
> GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto security=selinux selinux=1 console=ttyS0"
> ...

Then update the grub configuration:

> # update-bootloader

I'm also putting the autorelabel file there, but that doesn't seem to have any effect: 

> # touch /.autorelabel

Reboot the system:

> # reboot

With those steps I end up in an emergency shell because systemd gets a SIGTERM. Find attached the full dmesg log, but the important messages are coming from Switch Root:

> Starting Switch Root...
> [    3.325002][  T187] systemd-journald[187]: Received SIGTERM from PID 1 (systemd).
> [    3.406337][    T1] SELinux:  policy capability network_peer_controls=1
> [    3.407332][    T1] SELinux:  policy capability open_perms=1
> [    3.408284][    T1] SELinux:  policy capability extended_socket_class=1
> [    3.409868][    T1] SELinux:  policy capability always_check_network=0
> [    3.410543][    T1] SELinux:  policy capability cgroup_seclabel=1
> [    3.411176][    T1] SELinux:  policy capability nnp_nosuid_transition=1
> [    3.411875][    T1] SELinux:  policy capability genfs_seclabel_symlinks=1
> [    3.412600][    T1] SELinux:  policy capability ioctl_skip_cloexec=0
> [    3.469440][   T30] audit: type=1403 audit(1719911454.692:4): auid=4294967295 ses=4294967295 lsm=selinux res=1
> [    3.470858][    T1] systemd[1]: Failed to compute init label, ignoring.
> [    3.472421][    T1] systemd[1]: Successfully loaded SELinux policy in 98.150ms.
> [    3.540672][    T1] systemd[1]: Relabeled /dev, /dev/shm, /run, /sys/fs/cgroup in 23.695ms.
> [    3.541949][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/core: Invalid argument
> [    3.543604][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/fd: Invalid argument
> [    3.545244][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stdin: Invalid argument
> [    3.546898][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stdout: Invalid argument
> [    3.548544][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/stderr: Invalid argument
> [    3.550014][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd: Invalid argument
> [    3.551481][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/system: Invalid argument
> [    3.552990][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/mount-rootfs: Invalid argument
> [    3.554577][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:var_run_t:s0 for /run/credentials: Invalid argument
> [    3.555985][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible: Invalid argument
> [    3.557511][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/reg: Invalid argument
> [    3.559026][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/dir: Invalid argument
> [    3.560483][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/fifo: Invalid argument
> [    3.562018][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/sock: Invalid argument
> [    3.563497][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/chr: Invalid argument
> [    3.565174][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/inaccessible/blk: Invalid argument
> [    3.568442][    T1] systemd[1]: systemd 254.13+suse.89.ga8a3a9567d running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
> [    3.572478][    T1] systemd[1]: Detected virtualization kvm.
> [    3.573086][    T1] systemd[1]: Detected architecture x86-64.
> 
> Welcome to openSUSE Leap 15.6!
> 
> [    3.575453][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd/propagate/.os-release-stage/os-release: Invalid argument
> [    3.968451][    T1] systemd[1]: bpf-lsm: LSM BPF program attached
> [    3.973575][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/units: Invalid argument
> [    3.986780][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator: Invalid argument
> [    3.995861][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator.early: Invalid argument
> [    4.003085][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/generator.late: Invalid argument
> [    4.065846][   T30] audit: type=1400 audit(1719911455.288:5): avc:  denied  { read } for  pid=522 comm="grep" name="cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
> [    4.069101][   T30] audit: type=1400 audit(1719911455.288:6): avc:  denied  { open } for  pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
> [    4.072239][   T30] audit: type=1400 audit(1719911455.288:7): avc:  denied  { getattr } for  pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
> [    4.135495][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_userdbd_runtime_t:s0 for /run/systemd/userdb: Invalid argument
> [    4.281057][    T1] systemd[1]: initrd-switch-root.service: Deactivated successfully.
> [    4.296435][    T1] systemd[1]: Stopped Switch Root.
> [    4.297447][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_passwd_var_run_t:s0 for /run/systemd/ask-password: Invalid argument
> [  OK  ] Stopped Switch Root.

What am I doing wrong?
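The reproducer above edits /etc/selinux/config and /etc/default/grub by hand before rebooting, and a stale `security=apparmor` or a missing `selinux=1` is easy to overlook. The following Python script is an added example (not part of the bug report or of the openSUSE documentation): it parses both files and reports anything that does not match the state the steps expect. The sample file contents are constructed from the values quoted in the comment; the function names and the `--self-test` flag are my own.

```python
"""Preflight check for the manual SELinux switch described in the reproducer.

Added example, not part of the bug report. It parses the two files the
reproducer edits by hand (/etc/selinux/config and /etc/default/grub) and
reports anything that does not match the expected state before rebooting.
"""
import os
import sys

# Constructed samples mirroring the values quoted in the bug report.
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""
OLD_GRUB = 'GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto quiet security=apparmor console=ttyS0"\n'
NEW_GRUB = 'GRUB_CMDLINE_LINUX_DEFAULT="preempt=full mitigations=auto security=selinux selinux=1 console=ttyS0"\n'


def parse_key_values(text):
    """Parse KEY=VALUE lines, skipping comments/blanks and stripping shell quotes."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip()] = value
    return result


def check_selinux_config(text):
    """Return a list of problems with /etc/selinux/config contents."""
    cfg = parse_key_values(text)
    problems = []
    mode = cfg.get("SELINUX")
    if mode != "permissive":
        problems.append(f"SELINUX={mode!r}; the reproducer expects permissive for the first boot")
    policy = cfg.get("SELINUXTYPE")
    if policy != "targeted":
        problems.append(f"SELINUXTYPE={policy!r}; the installed policy package is selinux-policy-targeted")
    return problems


def check_kernel_cmdline(grub_text):
    """Return a list of problems with GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub."""
    cfg = parse_key_values(grub_text)
    tokens = cfg.get("GRUB_CMDLINE_LINUX_DEFAULT", "").split()
    problems = []
    # Every security= token on the command line, in order of appearance.
    lsm_choices = [t.split("=", 1)[1] for t in tokens if t.startswith("security=")]
    if "selinux" not in lsm_choices:
        problems.append("security=selinux is missing")
    stale = [c for c in lsm_choices if c != "selinux"]
    if stale:
        # The AppArmor default has to be replaced, not merely supplemented.
        problems.append(f"conflicting security= choices left in place: {stale}")
    if "selinux=1" not in tokens:
        problems.append("selinux=1 is missing")
    if "selinux=0" in tokens:
        problems.append("selinux=0 disables SELinux at boot")
    return problems


def check_system(selinux_path="/etc/selinux/config", grub_path="/etc/default/grub"):
    """Run both checks against the real files; returns {path: [problems]}."""
    report = {}
    for path, check in ((selinux_path, check_selinux_config), (grub_path, check_kernel_cmdline)):
        if not os.path.exists(path):
            report[path] = [f"{path} not found"]
            continue
        with open(path, encoding="utf-8") as fh:
            report[path] = check(fh.read())
    return report


if __name__ == "__main__":
    if "--self-test" in sys.argv:
        print("selinux config:", check_selinux_config(SAMPLE_SELINUX_CONFIG) or "ok")
        print("old grub line:", check_kernel_cmdline(OLD_GRUB))
        print("new grub line:", check_kernel_cmdline(NEW_GRUB) or "ok")
    else:
        for path, problems in check_system().items():
            print(f"{path}: {'; '.join(problems) if problems else 'ok'}")
```

Run it with `--self-test` to see the checks applied to the constructed samples, or without arguments on a Leap host as root to inspect the real files before `update-bootloader` and `reboot`.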
Comment 6 Felix Niederwanger 2024-07-02 09:19:44 UTC
Created attachment 875825 [details]
dmesg
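The attached dmesg consists largely of two repeated message shapes: systemd's `Failed to set SELinux security context ... : Invalid argument` and kernel `avc: denied` audit records. As an added example, not part of the report or the attachment, the following Python helper extracts both kinds from a kernel log and aggregates them, so a reader can see which label types failed to apply and which domain was denied which permissions without reading every line. The sample input is constructed from lines quoted in comment 5; the function names are my own.

```python
"""Triage helper for SELinux messages in a kernel log such as the attached dmesg.

Added example, not part of the bug report or the attachment. It extracts
systemd label failures and kernel AVC denials and aggregates them.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied from the excerpt in comment 5.
SAMPLE_DMESG = """\
[    3.470858][    T1] systemd[1]: Failed to compute init label, ignoring.
[    3.472421][    T1] systemd[1]: Successfully loaded SELinux policy in 98.150ms.
[    3.541949][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/core: Invalid argument
[    3.543604][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:device_t:s0 for /dev/fd: Invalid argument
[    3.550014][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:init_var_run_t:s0 for /run/systemd: Invalid argument
[    3.551481][    T1] systemd[1]: Failed to set SELinux security context system_u:object_r:systemd_unit_file_t:s0 for /run/systemd/system: Invalid argument
[    4.065846][   T30] audit: type=1400 audit(1719911455.288:5): avc:  denied  { read } for  pid=522 comm="grep" name="cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[    4.069101][   T30] audit: type=1400 audit(1719911455.288:6): avc:  denied  { open } for  pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
[    4.072239][   T30] audit: type=1400 audit(1719911455.288:7): avc:  denied  { getattr } for  pid=522 comm="grep" path="/proc/cmdline" dev="proc" ino=4026532015 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
"""

# systemd[1]: Failed to set SELinux security context <ctx> for <path>: <errno text>
CONTEXT_FAIL = re.compile(
    r"Failed to set SELinux security context (?P<ctx>\S+) for (?P<path>\S+): (?P<err>.+)$")
# avc:  denied  { perm perm } for  key=value key="quoted value" ...
AVC_DENIED = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_dmesg(text):
    """Return (context_failures, denials) extracted from kernel log text."""
    failures, denials = [], []
    for line in text.splitlines():
        m = CONTEXT_FAIL.search(line)
        if m:
            failures.append(m.groupdict())
            continue
        m = AVC_DENIED.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("fields"))}
            fields["perms"] = set(m.group("perms").split())
            denials.append(fields)
    return failures, denials


def summarize(failures, denials):
    """Aggregate failures by target type and denials by (scontext, tcontext, tclass)."""
    # A context is user:role:type:range; the type is what a policy author looks up.
    by_type = Counter(f["ctx"].split(":")[2] for f in failures)
    denied = defaultdict(set)
    for d in denials:
        key = (d.get("scontext"), d.get("tcontext"), d.get("tclass"))
        denied[key] |= d["perms"]
    # permissive=1 means the access was logged but still allowed.
    permissive_only = all(d.get("permissive") == "1" for d in denials)
    return {
        "failed_labels_by_type": dict(by_type),
        "denials": dict(denied),
        "permissive_only": permissive_only,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DMESG
    report = summarize(*parse_dmesg(text))
    for label_type, count in sorted(report["failed_labels_by_type"].items()):
        print(f"label failures for type {label_type}: {count}")
    for (src, tgt, cls), perms in report["denials"].items():
        print(f"denied {sorted(perms)} {src} -> {tgt} ({cls})")
    print("all denials permissive:", report["permissive_only"])
```

Run it with the path to a saved dmesg as its only argument; with no argument it works on the constructed sample. Two things the summary makes visible: the AVC records in this excerpt all carry `permissive=1`, so they were logged rather than enforced, and the label failures report `Invalid argument`, which is the errno a label-setting call commonly gets when the requested context cannot be mapped under the policy the kernel currently has loaded, so the loaded policy and the contexts it defines are the first thing to compare.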
Comment 7 Cathy Hu 2024-07-02 10:48:50 UTC
@Felix, thanks for testing, will have a look. Let's discuss this in the cloned bug bsc#1227282 and leave this one for changes for the docs team.
Comment 8 Felix Niederwanger 2024-07-02 13:00:37 UTC
(In reply to Cathy Hu from comment #7)
> @Felix, thanks for testing, will have a look. lets discuss this in the
> cloned bug bsc#1227282 and leave this one for changes for the docs team

Good idea. We will report back here, once we know which changes are needed in the documentation.
Comment 9 Tomáš Bažant 2024-07-04 08:07:16 UTC
Thank you for reporting this bug!
It is being tracked and processed as part of our queue.
Comment 10 Amrita Sakthivel 2024-07-05 11:05:34 UTC
Hi Cathy,
I have noticed this link (https://download.opensuse.org/repositories/security:/SELinux_legacy/15.6/) is there from 15.6-15.2. Can you please confirm if this repo link is applicable to the mentioned versions?

Thanks
Amrita
Comment 11 Cathy Hu 2024-07-08 07:49:57 UTC
The link is applicable for the versions <15.6, so the current docs are correct for these versions. From 15.6 on we should use this link:

https://download.opensuse.org/repositories/security:/SELinux/15.6/
Comment 12 Amrita Sakthivel 2024-07-08 10:08:45 UTC
Merged.