[DSE-Dev] Bug#823287: selinux-basics: System cannot boot with SELinux enabled after upgrade
Laurent Bigonville
bigon at debian.org
Tue May 3 17:10:24 UTC 2016
On Mon, 02 May 2016 20:51:55 -0700 Jonathan Yu <jawnsy at cpan.org> wrote:
>
> Dear Maintainer,
Hello,
>
> Thank you for your work bringing SELinux to Debian!
>
> I regret that my knowledge of both SELinux and systemd is limited, so I do not
> know what diagnostics to collect or how to collect it. That said, I can
> reproduce this problem at will, and I'm happy to collect whatever diagnostics
> you need.
>
> * What led up to the situation?
>
> I upgraded my system doing full-upgrade. My system is mainly 'testing' with
> some packages coming from 'unstable' (I tried updating to the newer
> selinux-utils in unstable, but to no avail).
>
> Unfortunately there are not much diagnostics provided during boot, and I
> could not find any trace of the failed boots in journalctl or in files
> in /var/log, presumably because the problems occurred at such an early
> stage of boot. I checked /var/log/syslog, but did not find much informative.
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> * What was the outcome of this action?
>
> Removing the "selinux=1 security=selinux" flags from grub allowed me to boot.
> I then used "selinux-activate disabled" to disable SELinux while we sort
> these issues out.
>
> I also tried running "selinux-activate disabled" and re-activating it again,
> as it seems to do something with restorecond on first boot after activation.
> Unfortunately this did not change anything :(
>
> * What outcome did you expect instead?
>
> I expected that my system could continue booting. I've never had significant
> issues with Debian upgrades (thanks to careful maintainers like you :) and
> guess that there must be something strange about the way my system is
> configured.
>
> [...]
> May 2 20:31:38 theory dbus-daemon[1183]: Failed to start message bus: Failed to open "/etc/selinux/default/contexts/dbus_contexts": No such file or directory
> [...]
> pn selinux-policy-default <none>
Do you have a policy installed on your machine?
The policy package currently in unstable is not compatible with the new
userspace and needs to be adjusted, see bug #805492.
I've unfortunately not a lot of time for this. That means that if you
want to use SELinux in Debian, you'll have to compile/build your own policy.