[ 1.510532] audit: type=1404 audit(1505894636.317:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
[ 1.601491] audit: type=1403 audit(1505894636.408:3): policy loaded auid=4294967295 ses=4294967295
[ 1.605815] systemd[1]: Successfully loaded SELinux policy in 95.611ms.
[ 1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
[!!!!!!] Failed to mount API filesystems, freezing.
[ 1.621206] systemd[1]: Freezing execution.
I had it enabled in Fedora 24, but after upgrading it failed.
I created a new template (f25 and f25-minimal) with the same effect.
I have tried to reset SELinux to its initial state:
yum remove selinux-policy
rm -rf /etc/selinux
yum install selinux-policy-targeted
fixfiles -f -F relabel
reboot
Any ideas?
Thank you very much
Best Regards
When googling this error, it seems people have the same issue when running Docker, and you have to set seccomp to unconfined.
Thank you cooloutac
-Is this a vm
It happens in Templates and VMs.
-Is this a vm, if so do we really care if systemd is running in it?
The problem is that when I enable SELinux, VMs/templates don't "boot" or fail to start.
If I disable SELinux, the templates/VMs start without problems and systemd is activated.
-You sure thats selinux?
Yes, I'm pretty sure; it's exactly the same config that I had in Fedora 24.
In dom0
qvm-prefs -s fedora-25 kernelopts "nopat security=selinux selinux=1"
and in VMs/Templates
/etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
Default selinux config
-what does sestatus say?
I can't execute anything in the template/VMs.
In dom0:
qvm-run fedora-25 --nogui --pass-io -u root "sestatus"
Error(fedora-25): Domain 'fedora-25': qrexec not connected
-When googling this error seems people have same issue when running docker. And you have to set seccomp to unconfined
Yes, I've read it, but I don't know how to disable seccomp or what the consequences are...
Could you do me a big favour and try to activate SELinux?
Thank you very much
Best regards
Looks like a tmpfs cannot be mounted at boot. In actual fact, these default policies are never in a "ready to deploy" state. You have to run the policy in permissive mode throughout the normal boot process and typical use of the confined binaries. Once you have built a log of fired rules, then you have to go back and tweak the policy. There are, shockingly, no good tools to parse SELinux audit logs outwith a couple of hard-to-get tools distributed in the Red Hat repos. I think there is a Gentoo overlay that you can reverse engineer, or maybe you can find a working tool. But once you have ironed out all the policy violations, and you can boot without firing anything of concern, then you are ready for enforcing mode.
Here are some good primers on the subject. The first video, in particular, shows how to effectively parse audit logs - with the aforementioned redhat tool:
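Added example, not from the thread or from any participant: the log-driven workflow jkitt describes (boot permissive, collect the AVC records, then decide what the policy is missing) is normally done with `ausearch -m AVC` and `audit2allow -a` from policycoreutils, but the record format is simple enough to parse directly, which also shows what those tools do. The script below parses `type=AVC` lines into fields, counts denials by (source type, target type, object class, permission), separates denials that actually blocked an action (`permissive=0`) from ones merely logged, and renders the type-enforcement rule each denial would need. The audit lines in `SAMPLE_AUDIT_LOG` are constructed for this example; the two AVC records for `init_t` mounting `tmpfs_t` are an assumed illustration of the shape a denial behind "Failed to mount tmpfs at /run" would take, not a record taken from the poster's system.

```python
"""Summarise SELinux AVC denials from audit.log text.

Added example for the thread above; the sample log is constructed, and the
tmpfs/init_t denial is an assumed illustration, not captured from a real VM.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample. The first two records mirror the type=1404/1403 lines in
# the boot log; the AVC records are invented to show what a denial looks like.
SAMPLE_AUDIT_LOG = """\
type=MAC_STATUS msg=audit(1505894636.317:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=MAC_POLICY_LOAD msg=audit(1505894636.408:3): policy loaded auid=4294967295 ses=4294967295
type=AVC msg=audit(1505894636.420:4): avc:  denied  { mount } for  pid=1 comm="systemd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1505894636.421:5): avc:  denied  { mount } for  pid=1 comm="systemd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1505894640.100:9): avc:  denied  { read open } for  pid=312 comm="qrexec-agent" name="qubes-service" dev="xvda3" ino=4567 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: timestamp:serial, decision, the {perm ...} set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm="systemd") or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

DenialKey = Tuple[str, str, str, str]  # (source type, target type, tclass, permission)


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'pid': int(fields.get('pid', '-1')),
        'comm': fields.get('comm', ''),
        'scontext': fields.get('scontext', ''),
        'tcontext': fields.get('tcontext', ''),
        'tclass': fields.get('tclass', ''),
        # permissive=1 means the action was allowed and only logged.
        'permissive': fields.get('permissive') == '1',
    }


def context_type(ctx: str) -> str:
    """user:role:type:level -> type (the part policy rules are written against)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def summarise(log_text: str) -> Counter:
    """Count denials by (source type, target type, tclass, permission)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        src, tgt = context_type(rec['scontext']), context_type(rec['tcontext'])
        for perm in rec['perms']:
            counts[(src, tgt, rec['tclass'], perm)] += 1
    return counts


def enforced_denials(log_text: str) -> List[dict]:
    """Denials with permissive=0: these actually blocked the action, so they are
    the ones that can freeze boot the way the thread's log shows."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r and r['decision'] == 'denied' and not r['permissive']]


def allow_rule(key: DenialKey) -> str:
    """Render the type-enforcement rule that would silence this denial.
    Treat it as a diagnosis, not a fix: a denial is often a mislabelled file
    (restorecon) or a boolean, and adding allow rules blindly defeats the policy."""
    src, tgt, tclass, perm = key
    return f"allow {src} {tgt}:{tclass} {perm};"


def report(log_text: str) -> Dict[DenialKey, int]:
    """Denial counts sorted so the most frequent rule appears first."""
    counts = summarise(log_text)
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == '__main__':
    for key, n in report(SAMPLE_AUDIT_LOG).items():
        print(f"{n:4d}  {allow_rule(key)}")
    blocked = enforced_denials(SAMPLE_AUDIT_LOG)
    print(f"{len(blocked)} denial(s) were enforced (permissive=0)")
```

Running it over a real `/var/log/audit/audit.log` collected from a permissive boot gives the same shape of output as `audit2allow -a`, with the enforced/permissive split making clear which records explain a freeze. Before turning any printed `allow` line into a module, check the target's label with `matchpathcon`/`restorecon`, since a fresh template whose files were never relabelled produces exactly this kind of denial.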
Thank you jkitt for the videos, I'm going to investigate.
Probably only useful in the template VM. But still not sure how beneficial it would be was my point though. It's probably not compatible with Qubes; sounds like it breaks qrexec, maybe not worth the headache man.
If they're exploiting Xen already, I don't think it really matters at that point. But I'm far from an expert.
I'm sorry for the spam, but I wanted to add that an alternative option is to use multiple template VMs for installing different untrusted software. Of course this requires more resources, but Qubes in general requires more resources and specific capable hardware for best compatibility.
Thank you cooloutac. Probably not a big deal, I'm not going to spend a lot of time, but I'd like to know why it works in Fedora 24 and not in Fedora 25. If I find the solution I'll post it. Probably I can't find the solution, because my knowledge is limited.
Thank you again.
Thank you very much Steve Coleman.