After re-enabling selinux on my fcos41 system not able to login due to: ‘A valid context for core could not be obtained’.
This is the sequence of event:
perfectly working system, disabled selinux for some reason
rpm-ostree install vim and re-enabled selinux
after rebooting found myself locked out of system due to ‘A valid context for core could not be obtained’
fortunately from grub screen I could boot with previous deploy where selinux is disabled
rpm-ostree rollback; this is current status:
-deploy 0: SELINUX=disabled: good
-deploy 1: SELINUX=enforcing: bad
Need help to re-enable selinux. I am thinking of the following plan:
a) create a new deploy based on current deploy 0 but with SELINUX=permissive → deploy a
b) boot from deploy a, troubleshoot, create deploy b with SELINUX=enforcing
c) boot from deploy c, if ok done, if nok go back to b
Question: how to create a new deploy where the only change is toggle selinux?
We don’t support a system going back to SELinux enabled once disabled. You will likely have to re-install it.
If you need to disable SELinux temporarily for a daemon, you should use permissive domains (search the tracker for examples) or full permissive mode (setenforce 0, not recommended but simpler).
You might want to try booting single user and create a file in the root “/” of the fs called .autorelabel ( /.autorelabel) …
When you disable selinux and then set it back to enforcing, you must do a relable or everything breaks …
When anyone disables selinux, the virtual filesystem that holds the labels of the OS are non existent. When you turn selinux back on, labels on the readonly mounts (/ostree /usr) from the system will get an default_t label, which will cause the system to act incorrectly.
/sysroot (as mentioned above)
I have suggested modifying the selinux policy to exclude the relabeling of /sysroot. At that time, I don’t know if I was misunderstood, or that it’s current approach was better, but I abandoned that idea because by making the policy not label /sysroot/* or by there suggestion of making the mount readonly yield the same results when selinux is disabled, including wiping /ostree labels.
Thoughts:
Since these ostree OS’s are a bunch of mounts and symlinks, labels are correctly applied to the whole system including /sysroot. Some labels in /ostree are not relabeled correctly because they are not declared in the selinux policy and may cause some hiccups. But once your system is running again, a simple rpm-ostree upgrade or rpm-ostree rebase would correct /ostree labels.
Opinion:
You have to relabel the whole filesystem. The easiest way I have found to relabel an ostree system is to temporary add autorelabel=1 from your grub commandline before starting the OS because of it’s readonly mounts that block relabeling.