Hello, Forgotten, welcome. I doubt the problem you are experiencing is that mentioned in the post you mention, but I don’t have many clues to go on.
First thing to try is sudo restorecon which will relabel the security context for your system. That will take a while to run. See if that eliminates or greatly reduces the Selinux issues.
After that, we can look at specific remaining issues.
Hello Dave, thanks for the reply !
I remember when I upgraded to fedora 35 I used a command which fixed all the problems I had with SElinux, but I can’t remember if it was restorecon or another one…
But anyway I just tried it and It seems something’s wrong, it only outputs
sudo restorecon -rv /
which will restore the proper selinux context to everything on the file system interactively (or at least displaying the actions as it progresses).
sudo touch /.autorelabel followed by a reboot.
This one will do the same thing at the next reboot but is not interactive and may delay boot for some time as it finishes the task before booting completes.
Once the selinux context has been properly adjusted it should halt most of those errors.
Thanks, @computersavvy Jeff, I should have been more specific and provided the arguments to restorecon. Yes, @forgottenmacaroni, Jeff’s first method is the one I was trying to suggest.
Thanks @computersavvy and @mhdave , I tried the first command rebooted, tried the second one rebooted, the first one again and rebooted one last time but I’m still bombed by these alerts. I just typed a fix command suggested by SETroubleshoot Alert list to fix the alert with the most occurences (>75000) (though it’s hard to because I can barely click because of the incoming alerts and the interface keeps crashing because of the alert overflow).
Should I try to fix all these one by one (which is going to be painful) or do you have other ideas?
Since you are getting an immense number of Selinux alerts, you may want to temporarily disable Selinux with sudo setenforce 0. Before you do, please see if you can capture the current status using sestatus and paste in this thread. See for example this article for more information: How to Disable SELinux Temporarily or Permanently
@computersavvy I’m curious where you saw my kernel on the above screenshot but anyway I just did a sudo dnf upgrade --refresh followed by a reboot, no improvements.
I have a ~6years old Nvidia Gpu, but I think my driver installation is broken on this side (I tried to uninstall the proprietary drivers a while ago and since then I’m having complaint errors on bootup)
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
I already tried and I don’t know why but sudo setenforce 0 does not stop the massive flow of alerts
Actually it takes a lot of time for the flow to stop because they happen faster than they can be displayed or so it seems
I’ve started to try fixing the errors one by one using the commands suggested by SElinux alert browser, but somehow it doesn’t work for (at least)iptables, firewalld and dbus-broker (I’ve done the two commands (ausearch -c 'firewalld' --raw | audit2allow -M blahblah and semodule -X 300 -i blahblah.pp), but the warnings keep going for at least these (thousands of them), and if I try to type them again I’m getting a Nothing to do and failed respectivally.)
What should I do? Reinstall the system? Disable SElinux permenatenly?
Ah, I bet Jeff was responding to a different thread. Happens when you are multitasking across all the issues in this group
So, did the Selinux notices eventually stop, are you able to use the command line now? sestatus should now show disabled, but setenforce 0 is temporary so it will pop back to enabled when you reboot. The article I linked shows how to make the change permanent (edit /etc/selinux/config and change mode from enforcing to disabled), but of course disabling security checking permanently is like running with scissors.
Personally I’d be inclined to either disable Selinux or reinstall. Reinstall is time consuming, but your current Selinux issues are also time consuming. Getting a good backup of both your home directory and any customized system configuration files is pretty quick; prepare a list of software you’ve manually installed; rebuild. Frustrating, though, can’t think of what would cause this scenario.
Yeah that’s what I was thinking too but I thought maybe he figured something out!..
The Selinux notices almost stop, after the flow finishes some keep popping from time to time, despite Selinux being disabled. I’m able to correct some errors (but correcting them all like that one by one doesn’t feel like the right solution) with the CLI but like I said some remain unaffected and I’ve completely no idea why.
I know I can disable SElinux definitively but yeah that’s not a good solution for me…
and any customized system configuration files
Do you know (apart from those in /home/) where I must look for these files?
If you did any changes there, you would likely know it. That would be where you edited some *.conf file in /etc, for example. Not likely for most users, unless they received guidance on resolving some other issue. Or if you did a dnf install of some module or group.
Here’s a reference document you can read, with information on how to go from Selinux disabled to permissive to enabled. You might try the permissive option that promises to only log each issue once. Changing SELinux states and modes :: Fedora Docs
