plesk / centos2alma

CentOS 7 to AlmaLinux 8 conversion tool
Apache License 2.0

/var/lib/leapp/el8userspace//sys/fs/selinux: Read-only file system #273

Closed carlosiglesias-lab closed 3 weeks ago

carlosiglesias-lab commented 1 month ago

This is the first error I see after STDERR centos2alma_feedback.zip

Bitpalast commented 3 weeks ago

I think this is an issue with a missing relabeling of the SELinux security context. Depending on whether SELinux file relabelling was done before, either on the first reboot or the second reboot it should run before the system enters a state where further operating system or Leapp transactions are done. If labels on files are incorrect (e.g. no relabelling was done, but SELinux is turned on), access permission errors can occur, hence files cannot be written or modified.

Make sure that SELinux is “permissive” or “disabled”:

# sestatus && cat /etc/selinux/config && grep selinux /boot/grub2/grub.cfg

“disabled” or “permissive” is o.k., but it should not be enabled, because that could possibly block access during the boot phase. If SELinux is enabled, change the state to “permissive”:

# vi /etc/selinux/config

and write to the file:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

I'd also recommend - for the situation described in this case - to disable selinux altogether in /boot/grub2/grub.cfg by adding "selinux=0" to the boot line, for example it could look like this:

if [ -z "${kernelopts}" ]; then
  set kernelopts="root=UUID=12345126-6de7-4bf1-acff-12233f8baf05 ro biosdevname=0 selinux=0 crashkernel=auto rd.auto=1 consoleblank=0 "
fi

This can be edited on-the-fly during the boot sequence (hitting "e" on the dialog where the operating system selections are displayed). It might save you from a disaster so that you can continue with the upgrade. To re-enable it, first set SELinux to permissive, create a file .autorelabel in your / path (# touch /.autorelabel), then reboot to have the system relabel all files. Then, in a second step and if no issues are logged to the selinux log, set the SELinux configuration to enforcing and reboot again.
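
The checks from the comment above collected into read-only shell functions, as an added example that is not part of the original thread or of the centos2alma project. The function names are hypothetical, and reading the "selinux log" as an auditd-format log (normally /var/log/audit/audit.log) is an assumption; the sample files are constructed.

```shell
#!/bin/bash
# Added example: read-only checks for the SELinux settings discussed above.
# File paths are arguments, so the functions also work on copies.

# Effective SELINUX= value in an /etc/selinux/config style file (comments ignored).
selinux_config_mode() {
    awk -F= '/^[ \t]*SELINUX=/ { v = $2 } END { gsub(/[ \t\r]/, "", v); print tolower(v) }' "$1"
}

# Prints 0 or 1 if a selinux= kernel parameter is on a boot line, else "unset".
grub_selinux_param() {
    grep -E 'kernelopts=|^[[:space:]]*linux' "$1" 2>/dev/null |
        grep -oE '(^|[[:space:]"])selinux=[01]' | tail -n 1 | grep -oE '[01]$' || echo unset
}

# Number of AVC denials in an audit log (assumed auditd format).
avc_denials() { grep -c 'type=AVC .*denied' "$1" 2>/dev/null || true; }

# Before the conversion: permissive, disabled, or selinux=0 on the boot line.
preupgrade_check() {  # args: config grub.cfg
    mode=$(selinux_config_mode "$1"); boot=$(grub_selinux_param "$2")
    case "$boot/$mode" in
        0/*|*/permissive|*/disabled) echo ok ;;
        *) echo change-needed ;;
    esac
}

# Re-enabling: permissive first, no selinux=0 left, relabel flag consumed, no denials logged.
# An absent flag file also matches a relabel that was never requested.
ready_for_enforcing() {  # args: config grub.cfg autorelabel-flag audit-log
    [ "$(selinux_config_mode "$1")" = permissive ] || { echo "no: SELINUX is not permissive"; return 1; }
    [ "$(grub_selinux_param "$2")" != 0 ] || { echo "no: selinux=0 on boot line"; return 1; }
    [ ! -e "$3" ] || { echo "no: relabel still pending"; return 1; }
    [ "$(avc_denials "$4")" = 0 ] || { echo "no: denials logged or log unreadable"; return 1; }
    echo yes
}

# Constructed sample files (not taken from the reporter's system).
demo() {
    d=$(mktemp -d)
    printf '# SELINUX= can take one of these three values:\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$d/config"
    printf '  set kernelopts="root=UUID=EXAMPLE ro selinux=0 crashkernel=auto "\n' > "$d/grub.cfg"
    printf 'type=AVC msg=audit(1.0:1): avc:  denied  { write } for pid=1 comm="x"\n' > "$d/audit.log"
    echo "pre-upgrade: $(preupgrade_check "$d/config" "$d/grub.cfg")"
    echo "enforcing:   $(ready_for_enforcing "$d/config" "$d/grub.cfg" "$d/.autorelabel" "$d/audit.log")"
    rm -rf "$d"
}
demo
```

On a live system the same functions take /etc/selinux/config, /boot/grub2/grub.cfg, /.autorelabel and the audit log as arguments; they only read those files.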

carlosiglesias-lab commented 3 weeks ago

Thank you very much @Bitpalast! :)