dnf history shows you what you did with dnf.
Ok thanks, I guess I'll be able to restore which groups and things like that I've enabled.
I would just try:
sudo dnf reinstall selinux-*
which reinstalls `selinux-policy selinux-policy-targeted`
The first time I removed, reinstalled and rebooted I didn't have any issues. The second time I had to do a restorecon for /etc/selinux. So I'm removing that recommendation.
I just tried it and rebooted, I still have the problem…
Hi, could you please share the output of the following commands?
# sudo semodule -lfull
# sudo semanage export
# sudo semodule -B
All of them are completely safe to run (first two just list all your policy modules and selinux customizations and the last rebuilds the system security policy).
Also, did you notice any warnings/errors when reinstalling selinux-policy and selinux-policy-targeted? Reinstallation of those two packages followed by a full filesystem relabel (sudo touch /.autorelabel ; reboot) should have resolved the issue, so there is probably something blocking them from installing properly (the actual policy installation is performed in %post/%posttrans scriptlets).
Hi! Thanks for your reply!
Here's the output of the first command (please note that I've set SELinux to permissive (to avoid the overflow of errors); if I need to put it back like before for running the commands just tell me):
400 my-abrtdumpjourn pp
400 my-systemdjournal pp
300 my-ModemManager pp
300 my-NetworkManager pp
300 my-Watchsh pp
300 my-accountsdaemon pp
300 my-alsactl pp
300 my-awqt pp
300 my-ecblp pp
300 my-gdkpixbufthum pp
300 my-irqbalance pp
300 my-pklacheckauth pp
300 my-polkitd pp
300 my-qemusystemx86 pp
300 my-smartd pp
300 my-systemdhostnam pp
300 my-systemdlogind pp
200 flatpak pp
200 smartmon pp
200 snappy pp
200 swtpm pp
200 swtpm_svirt pp
The second:
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
ibendport -D
ibpkey -D
permissive -D
port -a -t ipp_port_t -r 's0' -p udp 22161
fcontext -a -f a -t virt_image_t -r 's0' '/mnt/6070F97B70F957EC/VM/win10.qcow2'
fcontext -a -f a -t rpm_exec_t -r 's0' '/usr/share/dnfdaemon/dnfdaemon-system'
And the third command doesn't output anything… and is rather quick.
As for the errors I can't remember. If I remember correctly there was one concerning a timeout about what is shown above, "/mnt/blahblah/", which seems to correspond to a virtual machine of Windows I have on my system. Maybe some after that but it reboots right after. I'll run it again to be sure.
sudo restorecon -rv / gives an error, restorecon: Could not stat /run/user/1000/doc: Permission denied, not sure if it's relevant.
Ok so I've run sudo touch /.autorelabel ; reboot again; after it reboots it shows the message relabeling ... followed by the drives, then there's no message for a long time, two lines about that /mnt/..../ drive timing out, then no message for a long time, then I get a glimpse of about half a screen of messages and it reboots immediately. But I had the time to see that some of these lines contained ERRORS and some coded strings.
Are there any logs I should look at to provide you those messages I do not have the time to see?
Well I found where the logs are; these are the printed messages I described in my previous message:
May 18 21:13:27 localhost.localdomain audit[1620]: FS_RELABEL pid=1620 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=mass relabel exe="/usr/sbin/setfiles" hostname=? addr=? terminal=? res=success'
May 18 21:13:27 localhost.localdomain kernel: audit: type=2309 audit(1652901207.565:1181): pid=1620 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=mass relabel exe="/usr/sbin/setfiles" hostname=? addr=? terminal=? res=success'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1620]: Warning no default label for /dev/mqueue
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1260]: Cleaning up labels on /tmp
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1647]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1648]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1649]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1650]: gzip: stdin: unexpected end of file
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1651]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1652]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: bzcat: Compressed file ends unexpectedly;
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: perhaps it is corrupted? *Possible* reason follows.
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: bzcat: Inappropriate ioctl for device
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: Input file = (stdin), output file = (stdout)
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: It is possible that the compressed file(s) have become corrupted.
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: You can use the -tvv option to test integrity of such files.
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: You can use the `bzip2recover' program to attempt to recover
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1653]: data from undamaged sections of corrupted files.
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1654]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1655]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1656]: xzcat: (stdin): File format not recognized
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1657]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1659]: /usr/lib/dracut/dracut-initramfs-restore: line 58: lz4: command not found
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1658]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1660]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1661]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1662]: lzop: <stdin>: not a lzop file
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1663]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1664]: ERROR: src/skipcpio/skipcpio.c:91:main(): Cannot open file '/boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd'
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1665]: zstd: /*stdin*\: unexpected end of file
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1666]: cpio: premature end of archive
May 18 21:13:27 localhost.localdomain selinux-autorelabel[1644]: Unpacking of /boot/b5aecdd710d14ca682224c6ca7250831/5.12.9-300.fc34.x86_64/initrd to /run/initramfs failed
May 18 21:13:27 localhost.localdomain systemd[1]: Shutting down.
Interesting. Could you please check that your system is really in permissive mode (sestatus would show "Current mode: permissive")? Permissive mode doesn't stop AVCs (SELinux denial logs) from appearing; it usually does the opposite, since in this mode SELinux does not enforce the policy (everything is allowed), but any transgressions against the policy are logged. So if you are not receiving new AVCs, your problem could already be fixed.
Based on the custom modules it seems like the AVCs you were receiving were from all over the place. Would you mind sharing your audit.log (or just the AVCs: sudo ausearch -m AVC,USER_AVC,SELINUX_ERR)?
I set SELinux to permissive every time I turn on my computer, by typing sudo setenforce 0. Before I have the time, my system has the time to spam me a bit with those alerts; if I open SETroubleshoot it reports a bunch of them as "last seen" just before I entered the command. So I'm not sure the problem is already solved… unless the "last seen" time doesn't correspond to the original alert, I don't know.
Here's the output of sestatus:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
As for sudo ausearch -m AVC,USER_AVC,SELINUX_ERR, if I put the output of this command in a file with >, I get a 434172-line, 45.3 MB file. So I'm not going to be able to paste it here entirely, but here's a bit of the end of the file if that's what you need:
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.864:101221): avc: denied { confidentiality } for pid=13580 comm="04-iscsi" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.877:101222): avc: denied { confidentiality } for pid=13583 comm="11-dhclient" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.881:101223): avc: denied { confidentiality } for pid=13584 comm="20-chrony-dhcp" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.900:101224): avc: denied { confidentiality } for pid=13594 comm="chronyc" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.902:101225): avc: denied { confidentiality } for pid=1530 comm="chronyd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=PROCTITLE msg=audit(1652974154.191:101235): proctitle="/usr/lib/systemd/systemd-resolved"
type=PATH msg=audit(1652974154.191:101235): item=1 name="/run/systemd/resolve/netif/.#9Qu7z3W" inode=2637 dev=00:1a mode=0100600 ouid=193 ogid=193 rdev=00:00 obj=system_u:object_r:systemd_resolved_var_run_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1652974154.191:101235): item=0 name="/run/systemd/resolve/netif/" inode=2272 dev=00:1a mode=040700 ouid=193 ogid=193 rdev=00:00 obj=system_u:object_r:systemd_resolved_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1652974154.191:101235): cwd="/"
type=SYSCALL msg=audit(1652974154.191:101235): arch=c000003e syscall=257 success=yes exit=39 a0=ffffff9c a1=55667288cc10 a2=800c2 a3=180 items=2 ppid=1 pid=1316 auid=4294967295 uid=193 gid=193 euid=193 suid=193 fsuid=193 egid=193 sgid=193 fsgid=193 tty=(none) ses=4294967295 comm="systemd-resolve" exe="/usr/lib/systemd/systemd-resolved" subj=system_u:system_r:systemd_resolved_t:s0 key=(null)
type=AVC msg=audit(1652974154.191:101235): avc: denied { confidentiality } for pid=1316 comm="systemd-resolve" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.198:101236): avc: denied { confidentiality } for pid=1377 comm="rtkit-daemon" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.212:101237): avc: denied { confidentiality } for pid=1530 comm="chronyd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:chronyd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.297:101238): avc: denied { confidentiality } for pid=13268 comm="nm-dispatcher" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.344:101245): avc: denied { confidentiality } for pid=13707 comm="04-iscsi" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.347:101246): avc: denied { confidentiality } for pid=13708 comm="11-dhclient" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_dhclient_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.350:101247): avc: denied { confidentiality } for pid=13709 comm="20-chrony-dhcp" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.353:101248): avc: denied { confidentiality } for pid=13712 comm="chronyc" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.953:101252): avc: denied { confidentiality } for pid=1513 comm="setroubleshootd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:15 2022
type=AVC msg=audit(1652974155.079:101256): avc: denied { confidentiality } for pid=1377 comm="rtkit-daemon" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:15 2022
type=AVC msg=audit(1652974155.506:101263): avc: denied { confidentiality } for pid=13532 comm="pcscd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:15 2022
type=AVC msg=audit(1652974155.733:101267): avc: denied { confidentiality } for pid=11449 comm="sssd_kcm" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:22 2022
type=AVC msg=audit(1652974162.750:101277): avc: denied { confidentiality } for pid=1563 comm="cupsd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:29 2022
type=AVC msg=audit(1652974169.839:101289): avc: denied { confidentiality } for pid=13532 comm="pcscd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:system_r:pcscd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:34 2022
type=AVC msg=audit(1652974174.810:101290): avc: denied { confidentiality } for pid=1341 comm="dbus-broker" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:49 2022
type=AVC msg=audit(1652974189.147:101292): avc: denied { confidentiality } for pid=1513 comm="setroubleshootd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:30:05 2022
type=AVC msg=audit(1652974205.733:101296): avc: denied { confidentiality } for pid=11449 comm="sssd_kcm" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=lockdown permissive=1
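As an added example (not code from any participant in this thread): a POSIX shell triage helper that reduces an `ausearch -m AVC` dump like the one above to counts per object class, permission and lockdown reason, and per source domain, so a 45 MB log can be read as a handful of lines. The sample records are constructed in the same format as the ones quoted above; the last one is an invented ordinary file denial so that two classes appear.

```shell
#!/bin/sh
# Added example: triage an ausearch AVC dump by class/permission/reason and by
# source domain. On a live system:
#   sudo ausearch -m AVC,USER_AVC,SELINUX_ERR | summarize_avc
# SAMPLE_AVC is constructed to match the record format quoted in the thread;
# it is not the poster's actual log. The "httpd" record is invented.
SAMPLE_AVC='----
time->Thu May 19 17:29:13 2022
type=AVC msg=audit(1652974153.864:101221): avc:  denied  { confidentiality } for  pid=13580 comm="04-iscsi" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:14 2022
type=AVC msg=audit(1652974154.198:101236): avc:  denied  { confidentiality } for  pid=1377 comm="rtkit-daemon" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=lockdown permissive=1
----
time->Thu May 19 17:29:22 2022
type=AVC msg=audit(1652974162.750:101277): avc:  denied  { confidentiality } for  pid=1563 comm="cupsd" lockdown_reason="use of bpf to read kernel RAM" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=lockdown permissive=1
----
time->Thu May 19 17:30:00 2022
type=AVC msg=audit(1652974200.000:101300): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# summarize_avc: read AVC records on stdin and print one line per distinct
# (tclass, permission, lockdown_reason) triple, as "count<TAB>tclass<TAB>perm<TAB>reason",
# highest count first. "-" marks records without a lockdown_reason field.
summarize_avc() {
    awk '
        /^type=AVC/ {
            tclass = "?"; perm = "?"; reason = "-"
            # the permission set sits between "{" and "}"
            if (match($0, /\{[^}]*\}/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            if (match($0, /tclass=[^ ]+/))
                tclass = substr($0, RSTART + 7, RLENGTH - 7)
            if (match($0, /lockdown_reason="[^"]*"/))
                reason = substr($0, RSTART + 17, RLENGTH - 18)
            count[tclass "\t" perm "\t" reason]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# avc_source_domains: count records per source domain (the type component of
# scontext), which is what maps back to the "my-<daemon>" custom modules.
avc_source_domains() {
    awk '
        /^type=AVC/ && match($0, /scontext=[^ ]+/) {
            ctx = substr($0, RSTART + 9, RLENGTH - 9)
            split(ctx, f, ":")
            dom[f[3]]++
        }
        END { for (d in dom) print dom[d] "\t" d }
    ' | sort -rn
}

# Wrappers that run the constructed sample instead of a live audit log.
demo_summary() { printf '%s\n' "$SAMPLE_AVC" | summarize_avc; }
demo_domains() { printf '%s\n' "$SAMPLE_AVC" | avc_source_domains; }
```

On the sample, the summary collapses three records into one line for class lockdown / permission confidentiality / "use of bpf to read kernel RAM", which is exactly the shape of the flood in the post above.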
You could set the mode in /etc/selinux/config to permissive which would stop the blast of errors at boot and allow things to work normally. Your output shows it as currently set to enforcing.
It does not fix the problem but does mitigate the logged error surge at boot time. You can then continue to track and hopefully fix the actual cause without the spam of errors interfering with normal work.
Ok
It doesn't help much but I won't be bothered at boot indeed.
By the way, in the log I posted in my last message on the 18th of May (message N°27), there are some errors concerning 5.12.9-300.fc34.x86_64, and I'm pretty sure this is a driver-kernel-nvidia thing I manually uninstalled a while ago (I was running Fedora 35 and didn't understand why there was both the Fedora 35 and the Fedora 34 version of the thing; maybe it was foolish to do so but I did it). Ever since, the kernel complains about not finding an nvidia thing on boot, and switches to nouveau.
Do you think this is preventing SELinux from applying a new policy / cleaning its policy, or is this irrelevant?
The lockdown class checks were removed from kernel v5.16. The related permission will be removed from selinux-policy soon, too. To avoid errors like these, please update the kernel.
Oh ok. I do upgrades regularly with sudo dnf upgrade --refresh, but according to uname -r my kernel is still 5.12.9-300.fc34.x86_64 apparently! Despite the fact that I upgraded to F35 then F36 when these versions came out…
Any tips on how to force my kernel to update? Perhaps it got stuck when the Nvidia driver installation broke?
According to dnf list installed | grep kernel, the last kernel is here…
abrt-addon-kerneloops.x86_64 2.15.1-1.fc36 @fedora
kernel.x86_64 5.12.9-300.fc34 @updates
kernel.x86_64 5.17.7-300.fc36 @updates
kernel.x86_64 5.17.8-300.fc36 @updates
kernel-core.x86_64 5.12.9-300.fc34 @updates
kernel-core.x86_64 5.17.7-300.fc36 @updates
kernel-core.x86_64 5.17.8-300.fc36 @updates
kernel-devel.x86_64 5.12.9-300.fc34 @updates
kernel-devel.x86_64 5.17.7-300.fc36 @updates
kernel-devel.x86_64 5.17.8-300.fc36 @updates
kernel-devel-matched.x86_64 5.17.8-300.fc36 @updates
kernel-headers.x86_64 5.17.6-300.fc36 @updates
kernel-modules.x86_64 5.12.9-300.fc34 @updates
kernel-modules.x86_64 5.17.7-300.fc36 @updates
kernel-modules.x86_64 5.17.8-300.fc36 @updates
kernel-modules-extra.x86_64 5.12.9-300.fc34 @updates
kernel-modules-extra.x86_64 5.17.7-300.fc36 @updates
kernel-modules-extra.x86_64 5.17.8-300.fc36 @updates
kernel-srpm-macros.noarch 1.0-14.fc36 @fedora
libreport-plugin-kerneloops.x86_64 2.17.1-1.fc36 @fedora
texlive-l3kernel.noarch 9:svn59118-55.fc36 @fedora
Some people have seen problems with installing/upgrading fedora 36 and the system not properly placing the files in /boot.
Could you please post the output of ls /boot and ls /boot/efi
The threads related show that the initramfs and vmlinuz files that should be in /boot for the fedora 36 kernels were placed in /boot/efi/xxxxxx (where the xxxxxx is a long number representing the machine ID). Thus grub is not properly seeing the kernel updates and newer kernels are unusable.
The apparent fix so far has been to completely remove the directory /boot/efi/xxxxxx with sudo rm -rf /boot/efi/xxxxxxx then sudo reinstall kernel* so the new files are properly placed and grub updates the kernel list properly.
This is one related thread. https://discussion.fedoraproject.org/t/f36-kernel-wont-install-due-to-running-out-of-space-in-boot-efi/73070 and here is another https://discussion.fedoraproject.org/t/f36-new-kernels-not-found-in-bootloader/64601
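An added read-only check for the misplacement this post describes (example code, not from the thread or from Fedora's tooling). It assumes the layout the post describes, /boot/efi/<machine-id>/<kernel-version>/ holding files named `linux` and `initrd`, and only reports; the removal and reinstall stay a manual decision.

```shell
#!/bin/sh
# Added example: for each installed kernel version, report whether its
# vmlinuz/initramfs pair is where grub2 expects it (directly in BOOTDIR) or
# whether it landed under BOOTDIR/efi/<machine-id>/<kver>/ instead, as the
# thread describes. Assumption: that directory uses the names "linux" and
# "initrd". Read-only usage on a live system:
#   check_kernel_placement /boot "$(cat /etc/machine-id)" \
#       $(rpm -q kernel-core --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n')
# Exit status is 1 if any kernel is misplaced or missing, 0 otherwise.
check_kernel_placement() {
    bootdir=$1
    mid=$2
    shift 2
    status=0
    for kver in "$@"; do
        if [ -f "$bootdir/vmlinuz-$kver" ] && [ -f "$bootdir/initramfs-$kver.img" ]; then
            printf 'ok\t%s\n' "$kver"
        elif [ -f "$bootdir/efi/$mid/$kver/linux" ] || [ -f "$bootdir/efi/$mid/$kver/initrd" ]; then
            printf 'misplaced\t%s\t%s/efi/%s/%s\n' "$kver" "$bootdir" "$mid" "$kver"
            status=1
        else
            printf 'missing\t%s\n' "$kver"
            status=1
        fi
    done
    return $status
}

# The inverse view: version directories under efi/<machine-id> that have no
# matching vmlinuz in BOOTDIR, i.e. kernels grub2 will never list. Prints one
# version per line; prints nothing when the directory does not exist.
orphaned_efi_kernels() {
    bootdir=$1
    mid=$2
    [ -d "$bootdir/efi/$mid" ] || return 0
    for d in "$bootdir/efi/$mid"/*/; do
        [ -d "$d" ] || continue
        kver=$(basename "$d")
        [ -f "$bootdir/vmlinuz-$kver" ] || printf '%s\n' "$kver"
    done
}
```

Running it against the listing the poster gives further down would report the two 5.17 kernels as ok and the 5.12.9 one as missing, which matches what grub2 can actually see.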
touch /.autorelabel ; reboot was the last command I could run on my just upgraded system.
Since then I can't login anymore.
Symptom: After a correct attempt to login (GUI), the system asks immediately again for the login. With a wrong pw, the system asks for the correct pw.
Trying to boot the rescue system, the boot process fails. It can't perform a "sulogin".
Question: Could this be a consequence of restorecon and autorelabel?
Question 2: Unfortunately I've removed old kernels and symlinks, as described in DNF System Upgrade :: Fedora Docs. I can't guarantee that I had verified this with a reboot of my own. Should I start my own thread for this?
Yes. This is worth a dedicated thread. When opening a new thread, add the information if you saw the autorelabel (so, after the reboot, did you see that the autorelabel took place?). Also, did you first upgrade, and after the upgrade and its reboot, you did autorelabel? So, Fedora 36 worked after the upgrade's reboot & before autorelabel?
Concerning the old kernels and symlinks, you should always reboot and test if the new system boots and works properly before deleting obsolete/old things.
Also, there is a paragraph in the Quick Docs page (so, the DNF upgrade page you mentioned) about SELinux issues: paragraph "Relabel files with the latest SELinux policy". You may check this first.
Btw, you could also add some logs including from the moments you unsuccessfully tried to log in.
Supplement: If SELinux is the issue, you can find out and make your system let you login again by changing the file /etc/selinux/config: within the file, change SELINUX=enforcing to SELINUX=permissive
You can do the modification by using a live system or so. Be aware that this disables SELinux and is only intended to enable us to repair the system. It is not a good idea to keep SELinux disabled because it is an important & critical element of Fedora's security architecture. If your system still does not allow you to log in after you changed the config + then reboot, the origin is not SELinux.
These are the files in boot:
config-5.17.7-300.fc36.x86_64
config-5.17.8-300.fc36.x86_64
efi
elf-memtest86+-5.31
extlinux
grub2
initramfs-0-rescue-b5aecdd710d14ca682224c6ca7250831.img
initramfs-5.17.7-300.fc36.x86_64.img
initramfs-5.17.8-300.fc36.x86_64.img
loader
memtest86+-5.31
symvers-5.17.7-300.fc36.x86_64.gz
symvers-5.17.8-300.fc36.x86_64.gz
System.map-5.17.7-300.fc36.x86_64
System.map-5.17.8-300.fc36.x86_64
vmlinuz-0-rescue-b5aecdd710d14ca682224c6ca7250831
vmlinuz-5.17.7-300.fc36.x86_64
vmlinuz-5.17.8-300.fc36.x86_64
and in /boot/efi:
$RECYCLE.BIN
EFI
mach_kernel
Recovery
Recovery.txt
System
System Volume Information
What do you think? I find it weird that I'm stuck with an F34 kernel if the problem came when upgrading from F35 to F36.
I'm waiting to see what you think of the files shown above before running the two commands you recommend; they look a bit dangerous ;-) (even if I have recent backups).