[solved]SELINUX=disabled - It's Ok?

Issues related to applications and software problems
Hanisch
Posts: 43
Joined: 2015/08/10 13:26:03

[solved]SELINUX=disabled - It's Ok?

Post by Hanisch » 2017/09/17 11:00:12

Hello,
after Update my CentOS 7 Installation in a VirtualBox can't successfuly booting the system.
The Boot-message is:

Code: Select all

[ !!!!!! ] Failed to load SELinux policy, freezing
With the boot-Option in line "linux16" added "selinux=0" the system is booting well.

Than with:

Code: Select all

sudo yum reinstall selinux-policy-targeted
the system do not boot again. The Display-Manager can't start the GUI and show always again the Login-Screen of gdm.

Foremost edit the /etc/selinux/config and set

Code: Select all

SELINUX=disabled
the system is booting well now.

My question:
Is that Ok, or will to manifest some complications?

with regards
Ch. Hanisch
Last edited by Hanisch on 2017/09/18 13:33:57, edited 1 time in total.

User avatar
TrevorH
Forum Moderator
Posts: 23494
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELINUX=disabled - It's Ok?

Post by TrevorH » 2017/09/17 12:02:52

Disabling selinux is not recommended though I do not currently know what is wrong that means you need to do so.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

User avatar
avij
Forum Moderator
Posts: 2653
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: SELINUX=disabled - It's Ok?

Post by avij » 2017/09/17 12:24:43

There is also a third setting, SELINUX=permissive. This will only log any problems in the logs. This way you can boot up normally, and then check the logs what would have been blocked had SELinux been set to "enabled".

Hanisch
Posts: 43
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Post by Hanisch » 2017/09/17 14:04:33

avij wrote:There is also a third setting, SELINUX=permissive. This will only log any problems in the logs. This way you can boot up normally, and then check the logs what would have been blocked had SELinux been set to "enabled".
Ok - with SELINUX=permissive the system run well. Only on gdm-Login-Screen re-emerges a message:

Code: Select all

Unfähig einen gültigen Kontakt zu erhalten für BENUTZER

But which logs can I check?

with regards
Ch. Hanisch

hunter86_bg
Posts: 1328
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELINUX=disabled - It's Ok?

Post by hunter86_bg » 2017/09/17 17:53:37

Try to relabel the system by:
1.Boot the system in permissive mode
2.

Code: Select all

touch /.autorelabel
3.Set /etc/sysconfig/selinux to enforcing
4.reboot

NOTE: It could take some time to relabel the whole system, so get a maintenance window in advance.After the second reboot (happens automatically), the machine should be up and running.

Hanisch
Posts: 43
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Post by Hanisch » 2017/09/17 19:29:51

Hello,
hunter86_bg wrote:Try to relabel the system by:
1.Boot the system in permissive mode
2.

Code: Select all

touch /.autorelabel
3.Set /etc/sysconfig/selinux to enforcing
4.reboot
This is not a solution for the problem with the Login-message:

Code: Select all

Unfähig einen gültigen Kontakt zu erhalten für BENUTZER
With RightCtrl+F2

Code: Select all

Login: BENUTZER
Passwort:
Unable to get valid context for BENUTZER
Last Login: ...
With "3.Set /etc/sysconfig/selinux to enforcing" Login is only possible as root.
The Display-Manager can't start the GUI and show always again the Login-Screen of gdm.

with regards
Ch. Hanisch
Last edited by Hanisch on 2017/09/17 19:51:27, edited 2 times in total.

hunter86_bg
Posts: 1328
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELINUX=disabled - It's Ok?

Post by hunter86_bg » 2017/09/17 19:49:05

I guess you tried a system relabel?
If so -check with 'audit2why' and 'audit2allow' the audit logs, so we can find out why selinux is locking the GDM.

Hanisch
Posts: 43
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Post by Hanisch » 2017/09/17 20:08:05

hunter86_bg wrote:I guess you tried a system relabel?
What is system relabel? Perhaps here
https://www.centos.org/docs/5/html/5.2/ ... label.html
If so -check with 'audit2why' and 'audit2allow' the audit logs, so we can find out why selinux is locking the GDM.
What's the meaning of this?
What am I to do?

with regards
Ch. Hanisch

hunter86_bg
Posts: 1328
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELINUX=disabled - It's Ok?

Post by hunter86_bg » 2017/09/17 20:12:11

Hanisch wrote:
hunter86_bg wrote:I guess you tried a system relabel?
What is system relabel? Perhaps here
https://www.centos.org/docs/5/html/5.2/ ... label.html
If so -check with 'audit2why' and 'audit2allow' the audit logs, so we can find out why selinux is locking the GDM.
What's the meaning of this?
What am I to do?

with regards
Ch. Hanisch
The system relabel is defined in my previous post and it seems that you haven't tried it.
'audit2why' and 'audit2allow' are 2 binaries that can help you with selinux issues and propose a solution.
As you haven't done the relabel I won't recomend to do any changes based on 'audit2allow' proposals.

Hanisch
Posts: 43
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Post by Hanisch » 2017/09/17 20:29:41

hunter86_bg wrote: The system relabel is defined in my previous post and it seems that you haven't tried it.
I have now done

Code: Select all

sudo touch /.autorelabel
sudo reboot
But I have still in /etc/selinux/config

Code: Select all

SELINUX=permissive
'audit2why' and 'audit2allow' are 2 binaries that can help you with selinux issues and propose a solution.
What's the meaning of this?
What am I to do?

with regards
Ch. Hanisch

Post Reply