15.3 PRC: SE Linux Policy loading failed

Thorsten Kukuk kukuk at suse.de
Sun May 16 16:25:12 UTC 2021 

On Sun, May 16, Bernd Eckenfels wrote:

> 
> > I assume you mean SLES 15 SP3 and not Leap 15.3?
> 
> Yes, this is the SLE mailing list.

But there is no SLE product with the version number 15.3!

> > In short: as documented since a long time, SLES does not come with a SELinux
> policy
> 
> The release notes only states that 15.3 does support SELinux, it should
> probably add a warning that it lacks default policies.

15.3 is openSUSE Leap.
 
# grep VERSION= /etc/os-release
# VERSION="15-SP3"

Is it so difficult to use the correct version number to not confuse
other people?           

I filled a bug for SLES 15 SP3 that the release notes are not correct.

> > I don't know why this option is visible in YaST, as only SLE Micro comes with
> full SELinux support.
> 
> What is SLE Micro?

https://www.suse.com/c/suse-linux-enterprise-micro-5-0-is-generally-available/

 Thorsten

> ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
> Von: sle-beta <sle-beta-bounces+ecki=zusammenkunft.net at lists.suse.com> im
> Auftrag von Thorsten Kukuk <kukuk at suse.de>
> Gesendet: Sunday, May 16, 2021 12:53:33 PM
> An: sle-beta at lists.suse.com <sle-beta at lists.suse.com>
> Betreff: Re: 15.3 PRC: SE Linux Policy loading failed
>  
> 
> Hi,
> 
> On Sat, May 15, Bernd wrote:
> 
> > Hello,
> >
> > I just installed 15.3 PRC in a Hyper-V VM (UEFI with secure boot) to do some
> > qualification testing. I used the Full ISO and installed SLES with only the
> > base system module in minimal configuration and no registration. In the
> > installer I enabled SELinux in advisory mode.
> 
> I assume you mean SLES 15 SP3 and not Leap 15.3?
> It's really helpful to use correct product and version names, own created
> version numbers only lead to confusion and wrong advice.
> 
> In short: as documented since a long time, SLES does not come with a
> SELinux policy, you need to bring your own with you.
> I don't know why this option is visible in YaST, as only SLE Micro comes
> with full SELinux support.
> 
>   Thorsten
> 
> > This seems to freeze, in the first boot after Yast has installed the system.
> > Eearly in systemd after the kernel is loaded with:
> >
> > [8.5...] systemd[1]: Failed to load SELinux policy.
> > [!!!!!] Failed to load SELinux policy.
> > .. Freezing Execution
> >
> > When using the grub boot config editor and removing "security=selinux selinux
> =1
> > enforcing=1" from the linuxefi kernel command line, it succeeded to boot.
> >
> > BTW: when I only change enforcing=1 to enforcing=0 the boot continues but
> shows
> > quite a few errors about SELin ux label cannot be determined on systemd
> sockets
> > because "Function not implemented".and in operations there are errors like
> > broken name resolution.
> >
> > I have not yet tried with more modules. Do I need the Application Server
> > module?
> >
> > I noticed that selinux-tools (from base module) is not installed in minimal
> > (only "libselinux1" is present). If a user selects SELInux, it should
> probably
> > add that packacge to the list. However I added this package manually, and it
> > did not help with the situation.
> >
> > Want me to file a bugzilla? I havent seen it in "Known Issues" here: SLE Beta
> > (suse.com)
> >
> > BTW: I also turned off DHCPv6, but wicket dhcp6 seems to be started anyway?
> >
> > Gruss
> > Bernd
> 
> --
> Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
> Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)

-- 
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)

More information about the sle-beta mailing list