[solved]SELINUX=disabled - It's Ok?

Issues related to applications and software problems
hunter86_bg
Posts: 800
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELINUX=disabled - It's Ok?

Postby hunter86_bg » 2017/09/18 06:28:16

Try to set /etc/sysconfig/selinux to enforcing, reboot and check if the Gnome Display Manager can start.
Regarding SELinux troubleshooting check this short thread

Hanisch
Posts: 27
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Postby Hanisch » 2017/09/18 09:16:37

hunter86_bg wrote:Try to set /etc/sysconfig/selinux to enforcing, reboot and check if the Gnome Display Manager can start.

The Gnome Display Manager always return to Login-Screen. It's not possible to run a Desktop as user.
Therefore I have again in /etc/sysconfig/selinux

Code: Select all

SELINUX=permissive

I think that is Ok. for me.

Only the message on gdm-Login-Screen

Code: Select all

Unfähig einen gültigen Kontakt zu erhalten für BENUTZER

is distempering.

with regards
Ch. Hanisch

User avatar
TrevorH
Forum Moderator
Posts: 21158
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELINUX=disabled - It's Ok?

Postby TrevorH » 2017/09/18 09:31:52

So run in permissive mode and then look at your audit log to determine _why_ it doesn't work. You can use our wiki selinux page to work through the steps required to identify the problems and create a policy file (or maybe you have a mislabeled file that stops things from working in which case relabeling that file or the entire filesystem will fix it).

Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fed ... ced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/se ... licy-guide
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Hanisch
Posts: 27
Joined: 2015/08/10 13:26:03

Re: SELINUX=disabled - It's Ok?

Postby Hanisch » 2017/09/18 13:33:18

Hello,
the solution is found.
in this Link https://centoshelp.org/security/selinux ... eshooting/
this was the solution:
Reset SELinux to its initial state:

Code: Select all

yum remove selinux-policy
rm -rf /etc/selinux
yum install selinux-policy-targeted
fixfiles -f -F relabel
reboot

I have now:

Code: Select all

$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

an the system works fine.

with regards
Ch. Hanisch

MalnPr0
Posts: 1
Joined: 2017/12/01 18:49:57

Re: [solved]SELINUX=disabled - It's Ok?

Postby MalnPr0 » 2017/12/01 18:59:25

I had a very similar experience with CentOS 7.3.

I updated /etc/sysconfig/selinux to use these values:
SELINUX=permissive
SELINUXTYPE=minimum

I performed a reboot and was unable to access CentOS normally or through rescue mode. I would see these errors popup during boot and it would eventually just hang:

Code: Select all

[FAILED] Failed to start Authorization Manager.
See 'systemctl status polkit.service' for details.
[DEPEND] Dependency failed for Dynamic System Tuning Daemon

[FAILED] Failed to start Import network configuration from initramfs.
See 'systemctl status rhel-import-state.service' for details.

[FAILED] Failed to start Login Service.
See 'systemctl status systemd-logind.service' for details.


Ultimately I ended up removing selinux-policy and ran fixfiles as the previous poster recommended. I did not re-install selinux-policy, just remove and the fixfiles command.

At CentOS boot screen, selected "Troubleshoot", then highlighted the option to Rescue System (pressed tab to append -> console=ttyS1,115200n8 since I was connecting over a console connection), selected default option to automatically mount existing CentOS install, then ran these commands:
yum remove selinux-policy
chroot /mnt/sysimage
fixfiles -f -F relabel
exit
reboot

If you want to re-install selinux-policy like the previous poster suggested, be sure to run this command first to get internet connectivity:
dhclient [INTERFACE_NAME]

Thanks!