Chotaire Wiki

Stuff you didn't know

User Tools

Site Tools


linux-fedora30

Proper way of booting the emergency console on Fedora 30

Selinux will prevent any changes made to system files if you just boot with init=/bin/sh, so do it right:

  1. Start your system and wait for the GRUB menu to show (if you don't see a GRUB menu, press and hold the left Shift key right after starting the system).
  2. Now highlight the kernel you want to use, and press the e key. You should be able to see and edit the commands associated with the highlighted kernel.
  3. Go down to the line starting with linux and add your parameter “rd.break enforcing=0” to its end, then hit CTRL + X to boot.
mount –o remount,rw /sysroot
chroot /sysroot

Now do your changes, then CTRL + D to exit chroot, then reboot. Please remember to restore selinux file contexts after the reboot as some files may be incorrect after your changes:

restorecon -Rv /

Remove splash screen (all kernel entries) on Fedora 30

  1. Edit /etc/default/grub and remove “rhgb quiet” from the GRUB_CMDLINE_LINUX line.
  2. Just to be sure, also remove “rhgb quiet” from the “set default_kernelopts=” line in /boot/grub2/grub.cfg
  3. Run the following, then reboot:
grubby --remove-args="rhgb quiet" --update-kernel=ALL

Can't navigate to first or last line using nano on Fedora 30

It is no longer possible to navigate to the first line (CTRL + W, then CTRL + Y) nor to the last line (CTRL + W, then CTRL + V).

In nano 4.0 the commands have changed. Now you type:

  • Navigate to first line: CTRL + W, then CTRL + T, then CTRL + Y.
  • Navigate to last line: CTRL + W, then CTRL + T, then CTRL + V.

Hint: You can keep holding the CTRL key and then just type the letters, there's no reason to release CTRL.

Now fixed in nano-4.1-1.fc30.x86_64 and later, thanks Fedora!

Multiple issues with selinux on Fedora 30 Beta 1.8

Local logins and sshd not working

When doing the base install of Fedora 30 server, I was unable to login to the console (neither as root nor as any other user) and sshd won't start. I managed to reboot the box with selinux disabled and ran some selinux debugging to find the cause. I finally compiled a module with all the missing bits and made it available to you guys:

Fixing this mess using my hotfix

Alright, let's fix the selinux issues that prevent us from actually logging in via SSH or local login (tty), at the same time we fix some other minor selinux hiccups (e.g. with NetworkManager and iptables-services):

Fedora 30 has long been released and these issues may or may not have been fixed. Double-check by watching your syslogs before you apply this. If you think this article is obsolete then leave a comment.

Following this tutorial you will be installing a selinux module which will persist OS updates. Please read all of this thoroughly so you will know how to remove the module at a later time once the final FC30 is released. Also remember, you shouldn't just be blindly installing a compiled selinux module from an untrusted source, I am just supplying this for the impatient ones. If you are security-aware then you will be compiling from the .te file that I've included in the archive. Last updated: March 31st, 2019.

  • Start your system and wait for the GRUB menu to show (if you don't see a GRUB menu, press and hold the left Shift key right after starting the system).
  • Now highlight the kernel you want to use, and press the e key. You should be able to see and edit the commands associated with the highlighted kernel.
  • Go down to the line starting with linux and add your parameter “enforcing=0” to its end, then hit CTRL + X to boot.
  • Make sure that tar, gzip, policycoreutils are installed:
dnf install -y tar gzip policycoreutils
tar -zxvf chot-fc30-beta1.8-2.tar.gz
semodule -i chot-fc30-beta1.8-2.pp
restorecon -Rv /
sync
reboot

Fyi, this is the updated module after restoring selinux file contexts:

module chot-fc30-beta1.8-2 1.0;

require {
        type iptables_t;
        type unconfined_service_t;
        type sshd_t;
        type getty_t;
        type chkpwd_t;
        type init_t;
        type unconfined_t;
        type insmod_t;
        type tty_device_t;
        type dhcpc_t;
        type NetworkManager_t;
        type initrc_t;
        type local_login_t;
        class process { noatsecure rlimitinh siginh };
        class chr_file { read write };
}

#============= NetworkManager_t ==============
allow NetworkManager_t dhcpc_t:process { noatsecure rlimitinh siginh };
allow NetworkManager_t initrc_t:process { noatsecure rlimitinh siginh };

#============= chkpwd_t ==============
allow chkpwd_t tty_device_t:chr_file { read write };

#============= getty_t ==============
allow getty_t local_login_t:process { noatsecure rlimitinh siginh };

#============= init_t ==============
allow init_t chkpwd_t:process siginh;
allow init_t unconfined_service_t:process siginh;
allow init_t unconfined_t:process siginh;

#============= iptables_t ==============
allow iptables_t insmod_t:process { noatsecure rlimitinh siginh };

#============= local_login_t ==============
allow local_login_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow local_login_t unconfined_t:process { noatsecure siginh };

#============= sshd_t ==============
allow sshd_t chkpwd_t:process { noatsecure rlimitinh siginh };

At a later time, if you wish to remove this selinux module, issue the following command:

semodule -r chot-fc30-beta1.8-2

Update April 25th, 2019

Things have improved since Beta 1.8, I've done another test this time dist-upgrading from fc29. But there are still some issues which are documented here, make sure you install all available updates from fedora-testing before using this updated module (or… re-install using a later build than Beta 1.8): linux-fc30-selinux-issues



linux-fedora30.txt · Last modified: 2019/09/25 04:02 by chotaire