[solved]SELINUX=disabled - It's Ok?

Issues related to applications and software problems
Hanisch
Posts: 27
Joined: 2015/08/10 13:26:03

[solved]SELINUX=disabled - It's Ok?

Postby Hanisch » 2017/09/17 11:00:12

Hello,
after Update my CentOS 7 Installation in a VirtualBox can't successfuly booting the system.
The Boot-message is:

Code: Select all

[ !!!!!! ] Failed to load SELinux policy, freezing

With the boot-Option in line "linux16" added "selinux=0" the system is booting well.

Than with:

Code: Select all

sudo yum reinstall selinux-policy-targeted

the system do not boot again. The Display-Manager can't start the GUI and show always again the Login-Screen of gdm.

Foremost edit the /etc/selinux/config and set

Code: Select all

SELINUX=disabled

the system is booting well now.

My question:
Is that Ok, or will to manifest some complications?

with regards
Ch. Hanisch
Last edited by Hanisch on 2017/09/18 13:33:57, edited 1 time in total.

User avatar
TrevorH
Forum Moderator
Posts: 21171
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELINUX=disabled - It's Ok?

Postby TrevorH » 2017/09/17 12:02:52

Disabling selinux is not recommended though I do not currently know what is wrong that means you need to do so.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

User avatar
avij
Forum Moderator
Posts: 2176
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: SELINUX=disabled - It's Ok?

Postby avij » 2017/09/17 12:24:43

There is also a third setting, SELINUX=permissive. This will only log any problems in the logs. This way you can boot up normally, and then check the logs what would have been blocked had SELinux been set to "enabled".

Hanisch
Posts: 27
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Postby Hanisch » 2017/09/17 14:04:33

avij wrote:There is also a third setting, SELINUX=permissive. This will only log any problems in the logs. This way you can boot up normally, and then check the logs what would have been blocked had SELinux been set to "enabled".

Ok - with SELINUX=permissive the system run well. Only on gdm-Login-Screen re-emerges a message:

Code: Select all

Unfähig einen gültigen Kontakt zu erhalten für BENUTZER


But which logs can I check?

with regards
Ch. Hanisch

hunter86_bg
Posts: 803
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELINUX=disabled - It's Ok?

Postby hunter86_bg » 2017/09/17 17:53:37

Try to relabel the system by:
1.Boot the system in permissive mode
2.

Code: Select all

touch /.autorelabel

3.Set /etc/sysconfig/selinux to enforcing
4.reboot

NOTE: It could take some time to relabel the whole system, so get a maintenance window in advance.After the second reboot (happens automatically), the machine should be up and running.

Hanisch
Posts: 27
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Postby Hanisch » 2017/09/17 19:29:51

Hello,
hunter86_bg wrote:Try to relabel the system by:
1.Boot the system in permissive mode
2.

Code: Select all

touch /.autorelabel

3.Set /etc/sysconfig/selinux to enforcing
4.reboot

This is not a solution for the problem with the Login-message:

Code: Select all

Unfähig einen gültigen Kontakt zu erhalten für BENUTZER

With RightCtrl+F2

Code: Select all

Login: BENUTZER
Passwort:
Unable to get valid context for BENUTZER
Last Login: ...


With "3.Set /etc/sysconfig/selinux to enforcing" Login is only possible as root.
The Display-Manager can't start the GUI and show always again the Login-Screen of gdm.

with regards
Ch. Hanisch
Last edited by Hanisch on 2017/09/17 19:51:27, edited 2 times in total.

hunter86_bg
Posts: 803
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELINUX=disabled - It's Ok?

Postby hunter86_bg » 2017/09/17 19:49:05

I guess you tried a system relabel?
If so -check with 'audit2why' and 'audit2allow' the audit logs, so we can find out why selinux is locking the GDM.

Hanisch
Posts: 27
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Postby Hanisch » 2017/09/17 20:08:05

hunter86_bg wrote:I guess you tried a system relabel?

What is system relabel? Perhaps here
https://www.centos.org/docs/5/html/5.2/ ... label.html

If so -check with 'audit2why' and 'audit2allow' the audit logs, so we can find out why selinux is locking the GDM.

What's the meaning of this?
What am I to do?

with regards
Ch. Hanisch

hunter86_bg
Posts: 803
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELINUX=disabled - It's Ok?

Postby hunter86_bg » 2017/09/17 20:12:11

Hanisch wrote:
hunter86_bg wrote:I guess you tried a system relabel?

What is system relabel? Perhaps here
https://www.centos.org/docs/5/html/5.2/ ... label.html

If so -check with 'audit2why' and 'audit2allow' the audit logs, so we can find out why selinux is locking the GDM.

What's the meaning of this?
What am I to do?

with regards
Ch. Hanisch

The system relabel is defined in my previous post and it seems that you haven't tried it.
'audit2why' and 'audit2allow' are 2 binaries that can help you with selinux issues and propose a solution.
As you haven't done the relabel I won't recomend to do any changes based on 'audit2allow' proposals.

Hanisch
Posts: 27
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Postby Hanisch » 2017/09/17 20:29:41

hunter86_bg wrote:The system relabel is defined in my previous post and it seems that you haven't tried it.

I have now done

Code: Select all

sudo touch /.autorelabel
sudo reboot

But I have still in /etc/selinux/config

Code: Select all

SELINUX=permissive

'audit2why' and 'audit2allow' are 2 binaries that can help you with selinux issues and propose a solution.

What's the meaning of this?
What am I to do?

with regards
Ch. Hanisch