Fedora 30 SELinux enabled - things fail status=226/NAMESPACE

I upgraded from 29 to 30 and it worked, but I had no network.

I found this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1663040

I am not sure if this is the same problem or not?

And when I change /etc/selinux/config from SELINUX=enforcing to SELINUX=permissive everything seems to be fine. I have done a few updates and everything is current, but if I try to go back to enforcing I have failures.

boot.log has:

         Starting D-Bus System Message Bus...
[FAILED] Failed to start D-Bus System Message Bus.
See 'systemctl status dbus-broker.service' for details.
         Starting D-Bus System Message Bus...
[FAILED] Failed to start D-Bus System Message Bus.
See 'systemctl status dbus-broker.service' for details.
         Starting D-Bus System Message Bus...
[FAILED] Failed to start D-Bus System Message Bus.
See 'systemctl status dbus-broker.service' for details.
         Starting D-Bus System Message Bus...
[  OK  ] Started System Logging Service.
[FAILED] Failed to start D-Bus System Message Bus.
See 'systemctl status dbus-broker.service' for details.
         Starting D-Bus System Message Bus...
[FAILED] Failed to start D-Bus System Message Bus.
See 'systemctl status dbus-broker.service' for details.
[FAILED] Failed to start D-Bus System Message Bus.
See 'systemctl status dbus-broker.service' for details.
[  OK  ] Started Self Monitoring and Reporting Technology (SMART) Daemon.
[  OK  ] Started GSSAPI Proxy Daemon.
[  OK  ] Reached target NFS client services.
[FAILED] Failed to start Network Manager.
See 'systemctl status NetworkManager.service' for details.
[DEPEND] Dependency failed for Network Manager Wait Online.

/var/log/messages has:
May 20 20:30:55 dell780 systemd[1]: Starting D-Bus System Message Bus...
May 20 20:30:55 dell780 systemd[754]: dbus-broker.service: Failed to set up mount namespacing: Permission denied
May 20 20:30:55 dell780 systemd[754]: dbus-broker.service: Failed at step NAMESPACE spawning /usr/bin/dbus-broker-launch: Permission denied
May 20 20:30:55 dell780 systemd[1]: dbus-broker.service: Main process exited, code=exited, status=226/NAMESPACE
May 20 20:30:55 dell780 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-broker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
May 20 20:30:55 dell780 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-broker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

I would like to enable SELinux, but if I do then things like NetworkManager don’t start.

Thanks for any help or direction.

I dug through that bug report and found a linked blog post about an issue that I believe is the same as yours. The blog has a series of commands to tell if you are facing the same issue as well as a fix to get SELinux back in enforcing mode and a working Fedora system. I hope this helps.

This is what I have:

root@dell780:/tmp/foo
# ls -lZd /tmp/foo/*|grep unlabeled
drwxr-xr-x.   2 root root system_u:object_r:unlabeled_t:s0         6 Jun 10  2017 /tmp/foo/boot
drwxr-xr-x.  18 root root system_u:object_r:unlabeled_t:s0      4096 Jun 10  2017 /tmp/foo/dev
dr-xr-xr-x.   2 root root system_u:object_r:unlabeled_t:s0         6 Jun 10  2017 /tmp/foo/proc
drwxr-xr-x.   3 root root system_u:object_r:unlabeled_t:s0        18 Jun 10  2017 /tmp/foo/run
dr-xr-xr-x.   2 root root system_u:object_r:unlabeled_t:s0         6 Jun 10  2017 /tmp/foo/sys
drwxrwxrwt.   3 root root system_u:object_r:unlabeled_t:s0        34 Jun 10  2017 /tmp/foo/tmp

It looks like I need:

chcon -t device_t dev
chcon -t home_root_t home
chcon -t root_t proc sys
chcon -t var_run_t run
chcon -t tmp_t tmp
chcon -t boot_t boot

I have to get something to boot from to try it.
Since the old cd/usb don’t know about xfs.
I will update when I get a chance to try it.
Thanks!
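
Added example (not part of the original posts or the linked blog): a small shell helper that reads `ls -lZd` output like the listing above and prints a reviewable `chcon` plan using the directory-to-type mapping from the post. The function names, the `etc` line and the `data` line are assumptions constructed for illustration; nothing is relabeled, the commands are only printed.

```shell
#!/bin/sh
# Constructed sample: the six unlabeled_t lines from the post, plus one
# correctly labeled line (etc) and one unlabeled directory with no mapping (data).
sample_listing() {
    cat <<'EOF'
drwxr-xr-x.   2 root root system_u:object_r:unlabeled_t:s0         6 Jun 10  2017 /tmp/foo/boot
drwxr-xr-x.  18 root root system_u:object_r:unlabeled_t:s0      4096 Jun 10  2017 /tmp/foo/dev
dr-xr-xr-x.   2 root root system_u:object_r:unlabeled_t:s0         6 Jun 10  2017 /tmp/foo/proc
drwxr-xr-x.   3 root root system_u:object_r:unlabeled_t:s0        18 Jun 10  2017 /tmp/foo/run
dr-xr-xr-x.   2 root root system_u:object_r:unlabeled_t:s0         6 Jun 10  2017 /tmp/foo/sys
drwxrwxrwt.   3 root root system_u:object_r:unlabeled_t:s0        34 Jun 10  2017 /tmp/foo/tmp
drwxr-xr-x.  95 root root system_u:object_r:etc_t:s0            8192 May 20  2019 /tmp/foo/etc
drwxr-xr-x.   2 root root system_u:object_r:unlabeled_t:s0         6 Jun 10  2017 /tmp/foo/data
EOF
}

# Read `ls -lZd` lines on stdin and print one chcon command per unlabeled_t
# entry. Field 5 is the security context (user:role:type:level) and the last
# field is the path, so paths containing spaces are not handled.
plan_relabel() {
    awk '
    BEGIN {
        # Directory name -> type, exactly as listed in the post above.
        want["dev"]  = "device_t";  want["home"] = "home_root_t"
        want["proc"] = "root_t";    want["sys"]  = "root_t"
        want["run"]  = "var_run_t"; want["tmp"]  = "tmp_t"
        want["boot"] = "boot_t"
    }
    {
        split($5, ctx, ":")
        if (ctx[3] != "unlabeled_t") next      # already labeled, skip
        path = $NF
        n = split(path, parts, "/")
        name = parts[n]
        if (name in want)
            printf "chcon -t %s %s\n", want[name], path
        else
            printf "# %s: unlabeled_t, no mapping in the post; check by hand\n", path
    }'
}

# Stand-alone run on the constructed sample. On a real system, pipe the
# listing in instead: ls -lZd /tmp/foo/* | plan_relabel
sample_listing | plan_relabel
```
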

It worked!
The only thing is /boot still shows unlabeled_t.
I am not sure if that needs to be fixed or that is just the way it is?
SELinux is now enforcing.
Thanks!


You can usually do sudo touch /.autorelabel and reboot. With that, SELinux will go ahead with applying the proper label to everything in the entire filesystem. From man selinux:

The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-selinux, also has this capability. The restorecon/fixfiles commands are also available for relabeling files.


I usually do

sudo restorecon -Rv /path/to/relabel

Path to relabel can be / for root filesystem.

It recursively changes SELinux labels to what they should be, and lists all the files/directories it relabeled. The listing can be useful for tracking which files were labeled wrong, if you need it. Also, you’ll clearly see when nothing gets relabeled.

Edit: As far as I understand it, @jdw, you can boot with SELinux in permissive mode, relabel your filesystems, then reboot with SELinux in enforcing mode.