After installing SELinux, I was locked out of Ubuntu 18.10. Log in screen never appeared. What am i missing here? How to properly install SELinux?

Question

After reading a lot of articles, I heard SELinux is a great way to tighten the security. So I decided to install SELinux and I used below command:

pranav@inspiron-5548:~$ sudo apt-get install selinux
[sudo] password for pranav: 
Sorry, try again.
[sudo] password for pranav: 
Sorry, try again.
[sudo] password for pranav: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  policycoreutils selinux-policy-dummy
  selinux-utils
The following packages will be REMOVED:
  apparmor gnome-software-plugin-snap snapd
The following NEW packages will be installed:
  policycoreutils selinux selinux-policy-dummy
  selinux-utils
0 upgraded, 4 newly installed, 3 to remove and 0 not upgraded.
Need to get 544 kB of archives.
After this operation, 65.1 MB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu cosmic/universe amd64 selinux-utils amd64 2.8-1build1 [81.9 kB]
Get:2 http://archive.ubuntu.com/ubuntu cosmic/universe amd64 policycoreutils amd64 2.8-1 [450 kB]
Get:3 http://archive.ubuntu.com/ubuntu cosmic/universe amd64 selinux all 1:0.11 [11.2 kB]
Get:4 http://archive.ubuntu.com/ubuntu cosmic/universe amd64 selinux-policy-dummy all 0.1 [1,730 B]
Fetched 544 kB in 3s (211 kB/s)                  
Preconfiguring packages ...
(Reading database ... 193413 files and directories currently installed.)
Removing gnome-software-plugin-snap (3.30.2-0ubuntu8) ...
Removing snapd (2.37.1+18.10) ...
Removing apparmor (2.12-4ubuntu8) ...
Selecting previously unselected package selinux-utils.
(Reading database ... 193322 files and directories currently installed.)
Preparing to unpack .../selinux-utils_2.8-1build1_amd64.deb ...
Unpacking selinux-utils (2.8-1build1) ...
Selecting previously unselected package policycoreutils.
Preparing to unpack .../policycoreutils_2.8-1_amd64.deb ...
Unpacking policycoreutils (2.8-1) ...
Selecting previously unselected package selinux.
Preparing to unpack .../selinux_1%3a0.11_all.deb ...
Unpacking selinux (1:0.11) ...
Selecting previously unselected package selinux-policy-dummy.
Preparing to unpack .../selinux-policy-dummy_0.1_all.deb ...
Unpacking selinux-policy-dummy (0.1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for desktop-file-utils (0.23-3ubuntu3) ...
Setting up selinux-utils (2.8-1build1) ...
Processing triggers for bamfdaemon (0.5.3+18.04.20180207.2-0ubuntu1) ...
Rebuilding /usr/share/applications/bamf-2.index...
Setting up selinux-policy-dummy (0.1) ...
Processing triggers for systemd (239-7ubuntu10.8) ...
Processing triggers for man-db (2.8.4-2) ...
Processing triggers for gnome-menus (3.13.3-11ubuntu2) ...
Setting up policycoreutils (2.8-1) ...
selinux-autorelabel-mark.service is a disabled or a static unit, not starting it.
Setting up selinux (1:0.11) ...
Sourcing file `/etc/default/grub'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.18.0-16-generic
Found initrd image: /boot/initrd.img-4.18.0-16-generic
Found linux image: /boot/vmlinuz-4.18.0-15-generic
Found initrd image: /boot/initrd.img-4.18.0-15-generic
Found Windows Boot Manager on /dev/sda2@/EFI/Microsoft/Boot/bootmgfw.efi
Adding boot menu entry for EFI firmware configuration
done
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Processing triggers for systemd (239-7ubuntu10.8) ...
Processing triggers for initramfs-tools (0.131ubuntu15.1) ...
update-initramfs: Generating /boot/initrd.img-4.18.0-16-generic

And then restarted my computer. The following images appear:

First thing that appears

Second image

Note that this machine is dual booted with Windows 10.

After adding selinux=0 in the grub menu, I was able to gain back my PC running.

What am I missing here? What should I do? Should I uninstall SELinux or manage it to work properly?

You try to boot a Live environment and get rid of selinux again. You also could try to add selinux=0 to the kernel append in GRUB and then boot. — Thomas, Mar 09 '19 at 09:38
@Thomas can u be more specific of Live environment. What commands should I type etc? — Pranav, Mar 09 '19 at 09:41
You might want to try to add selinux=0 first. Please see https://askubuntu.com/questions/19486/how-do-i-add-a-kernel-boot-parameter for how to do that. — Thomas, Mar 09 '19 at 10:02
@Thomas Thanks a lot for help. Now I have my Ubuntu working. SELinux is a good thing, why do I get this kind of mess? Should I uninstall SELinux now? or Manage it, so that my computer won't crash? — Pranav, Mar 10 '19 at 02:01
SELinux ist not a piece of software you install and everything is secure. You have to configure access control policies. Otherwise you can mess up your system. First step might be to uninstall SELinux for now, read more about it, then reinstall it again and make use of it. — Thomas, Mar 10 '19 at 09:39
@Thomas, I did what u told. Purged SELinux but after restarting my computer, I had same issues (i.e No login screen). I noticed some things in Grub menu which has not affected when I purged SELinux. There is a line starting with word 'Linux', which still contain SELinux (i.e security=SELinux and SELinux = 1) What should I do? Do I have to manually remove "security=SELinux" and "SELinux=1" ? — Pranav, Mar 10 '19 at 10:03
Yes you need to disable SELinux entirely. By default it blocks everything, so if you removed the policy without disabling it NOTHING will be allowed by the kernel — Bigon, Mar 10 '19 at 10:05
Thanks a lot @Thomas. U save me and my work. (Very disappointed by SELinux ✋✋) — Pranav, Mar 10 '19 at 10:10
Don't be disappointed by SELinux. It is a good thing but needs extra work to configure it correctly. — Thomas, Mar 10 '19 at 10:13
I deleted those lines but it reappear again and again. How can I make it parmanent? @Thomas (Right now, to normally start the computer, I have to edit and remove it again and again. ) — Pranav, Mar 10 '19 at 11:06

Bigon · Answer 1 · 2019-03-10T10:48:13.937

SELinux is not fully supported in Ubuntu as they focus on apparmor and as already said by other people, it will probably require to adjust the policy.

But if you want to give it a try, you need to install an actual policy, here I see that you installed selinux-policy-dummy which is described as:

Empty Security-Enhanced Linux policy (dummy package)

This package is used to satisfy package dependencies, but does not contain an actual SELinux policy. This package should be installed if the system administrator is developing a custom SELinux policy.

You probably want to install selinux-policy-default instead, this package contains an actual policy, the system should boot a bit further. You also might want to check in /etc/selinux/config that the mode is set to permissive, that will make SELinux only log denials.

Edit: Also, try to install selinux-basic instead of selinuxpackage, the later is ubuntu specific and not maintained for years

After installing SELinux, I was locked out of Ubuntu 18.10. Log in screen never appeared. What am i missing here? How to properly install SELinux?

First thing that appears

Second image

1 Answers1