High number of Selinux issues after upgrading to Fedora 36

Hello there,

I just upgraded to Fedora 36 and Selinux is bombing me with notifications about security alerts, as can be seen on this image (sorry for the link but I get an error when I try to upload an image), making my system pretty laggy.
I’ve seen this https://ask.fedoraproject.org/t/selinux-related-errors-when-updating-packages-or-using-certain-tools-after-upgrade-to-fedora-36/21867/1 and although I’m clearly not having the same issues I tried the proposed solution but It didn’t change anything (my system is still overflowing with these Selinux notifications after several reboot).

Does anyone know how to solve this ?

Hello, Forgotten, welcome. I doubt the problem you are experiencing is that mentioned in the post you mention, but I don’t have many clues to go on.
First thing to try is sudo restorecon which will relabel the security context for your system. That will take a while to run. See if that eliminates or greatly reduces the Selinux issues.
After that, we can look at specific remaining issues.

Hello Dave, thanks for the reply !
I remember when I upgraded to fedora 35 I used a command which fixed all the problems I had with SElinux, but I can’t remember if it was restorecon or another one…
But anyway I just tried it and It seems something’s wrong, it only outputs

usage:  restorecon [-iIDFmnprRv0xT] [-e excludedir] pathname...
usage:  restorecon [-iIDFmnprRv0xT] [-e excludedir] -f filename

and returns an exit code of 255. Is it normal? Any tips on the arguments I should give?

I know of 2 ways to potentially stop that.

  1. sudo restorecon -rv /
    which will restore the proper selinux context to everything on the file system interactively (or at least displaying the actions as it progresses).
  2. sudo touch /.autorelabel followed by a reboot.
    This one will do the same thing at the next reboot but is not interactive and may delay boot for some time as it finishes the task before booting completes.

Once the selinux context has been properly adjusted it should halt most of those errors.

2 Likes

Thanks, @computersavvy Jeff, I should have been more specific and provided the arguments to restorecon. Yes, @forgottenmacaroni, Jeff’s first method is the one I was trying to suggest.

Thanks @computersavvy and @mhdave , I tried the first command rebooted, tried the second one rebooted, the first one again and rebooted one last time but I’m still bombed by these alerts. I just typed a fix command suggested by SETroubleshoot Alert list to fix the alert with the most occurences (>75000) (though it’s hard to because I can barely click because of the incoming alerts and the interface keeps crashing because of the alert overflow).
Should I try to fix all these one by one (which is going to be painful) or do you have other ideas?

I see you have not done a new update in the last couple days.
The 5.17.5 kernel has been replace by 5.17.6 on F36.

Please do a cli update sudo dnf upgrade then reboot again.

I have to ask what you have as GPU? AMD, Intel, or Nvidia?

Since you are getting an immense number of Selinux alerts, you may want to temporarily disable Selinux with sudo setenforce 0. Before you do, please see if you can capture the current status using sestatus and paste in this thread. See for example this article for more information: How to Disable SELinux Temporarily or Permanently

@computersavvy I’m curious where you saw my kernel on the above screenshot but anyway I just did a sudo dnf upgrade --refresh followed by a reboot, no improvements.
I have a ~6years old Nvidia Gpu, but I think my driver installation is broken on this side (I tried to uninstall the proprietary drivers a while ago and since then I’m having complaint errors on bootup)

@mhdave here’s the output of sestatus:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

I already tried and I don’t know why but sudo setenforce 0 does not stop the massive flow of alerts
Actually it takes a lot of time for the flow to stop because they happen faster than they can be displayed or so it seems

I’ve started to try fixing the errors one by one using the commands suggested by SElinux alert browser, but somehow it doesn’t work for (at least)iptables, firewalld and dbus-broker (I’ve done the two commands (ausearch -c 'firewalld' --raw | audit2allow -M blahblah and semodule -X 300 -i blahblah.pp), but the warnings keep going for at least these (thousands of them), and if I try to type them again I’m getting a Nothing to do and failed respectivally.)

What should I do? Reinstall the system? Disable SElinux permenatenly?

1 Like

Ah, I bet Jeff was responding to a different thread. Happens when you are multitasking across all the issues in this group :grinning:
So, did the Selinux notices eventually stop, are you able to use the command line now? sestatus should now show disabled, but setenforce 0 is temporary so it will pop back to enabled when you reboot. The article I linked shows how to make the change permanent (edit /etc/selinux/config and change mode from enforcing to disabled), but of course disabling security checking permanently is like running with scissors.

Personally I’d be inclined to either disable Selinux or reinstall. Reinstall is time consuming, but your current Selinux issues are also time consuming. Getting a good backup of both your home directory and any customized system configuration files is pretty quick; prepare a list of software you’ve manually installed; rebuild. Frustrating, though, can’t think of what would cause this scenario.

Yeah that’s what I was thinking too but I thought maybe he figured something out!..
The Selinux notices almost stop, after the flow finishes some keep popping from time to time, despite Selinux being disabled. I’m able to correct some errors (but correcting them all like that one by one doesn’t feel like the right solution) with the CLI but like I said some remain unaffected and I’ve completely no idea why.
I know I can disable SElinux definitively but yeah that’s not a good solution for me…

and any customized system configuration files

Do you know (apart from those in /home/) where I must look for these files?

If you did any changes there, you would likely know it. That would be where you edited some *.conf file in /etc, for example. Not likely for most users, unless they received guidance on resolving some other issue. Or if you did a dnf install of some module or group.

1 Like

I’m afraid I did some of these things, but it’s going to be complicated to remember what and where…

Oh and by the way the 33 in Max kernel policy version isn’t the cause of the issue right?

I don’t think so, that’s not related to a Fedora version, it relates to system kernel and Selinux.

Here’s a reference document you can read, with information on how to go from Selinux disabled to permissive to enabled. You might try the permissive option that promises to only log each issue once. Changing SELinux states and modes :: Fedora Docs

Have you tried re-installing selinux-policy and selinux-policy-targeted?
sudo dnf reinstall selinux-*

You could also remove the files & directories under the /etc/selinux/ directory and then re-install selinux policy.
sudo dnf reinstall selinux-*

Edit: Do not remove the files thanks.

btw, if you have anything you want to keep on this machine I would back it up just in case.

Thanks

1 Like

Is it safe to delete all files in /etc/selinux/ ?..