SELinux prevents netconsole kernel module from loading (CentOS 7)

Support for security such as Firewalls and securing linux
Post Reply
restest
Posts: 2
Joined: 2019/04/10 04:04:13

SELinux prevents netconsole kernel module from loading (CentOS 7)

Post by restest » 2019/04/10 04:16:37

Hello!
SELinux prevents netconsole from loading when I put netconsole=... in the kernel command line.
What adjustments shall I need to make to allow module loading from the kernel command line?
Last edited by restest on 2019/04/12 16:33:17, edited 1 time in total.

aks
Posts: 2730
Joined: 2014/09/20 11:22:14

Re: SELinux prevents netconsole from loading (CentOS 7)

Post by aks » 2019/04/11 18:08:06

Why?
What does it do?
How do you know?

restest
Posts: 2
Joined: 2019/04/10 04:04:13

Re: SELinux prevents netconsole from loading (CentOS 7)

Post by restest » 2019/04/12 16:30:57

aks wrote:
2019/04/11 18:08:06
How do you know?
Because if I add selinux=0 to the kernel command line netconsole loads successfully

aks
Posts: 2730
Joined: 2014/09/20 11:22:14

Re: SELinux prevents netconsole kernel module from loading (CentOS 7)

Post by aks » 2019/04/12 18:40:47

SE alerts are usually logged in the audit log (as AVCs). You can use audit2allow to find out what to do about it. More info can be found here: https://wiki.centos.org/HowTos/SELinux

User avatar
TrevorH
Forum Moderator
Posts: 25618
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux prevents netconsole kernel module from loading (CentOS 7)

Post by TrevorH » 2019/04/12 23:31:30

Use enforcing=0 instead and it will come up in permissive mode but log all denials. You can then use those to work out what the problem is and how to fix it.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

ron7000
Posts: 69
Joined: 2019/01/15 20:00:28

Re: SELinux prevents netconsole kernel module from loading (CentOS 7)

Post by ron7000 » 2019/05/16 14:52:02

fwiw, I received a response from RH stating that doing kernel command line selinux=0 is bad, something to the affect of many things now depend on "selinux stuff" being loaded/available and if you disable it with a kernel parameter like that it's bad. Problem I then had was user gui from system-config-users failed to work, and we had other unrelated problems we thought was all caused by selinux so the thought was to disable it.... ok kernel parameter should do it.

I think the correct way to disable it is in /etc/selinux/config. That would then allow software that was blocked by it to run.

Code: Select all

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

#SELINUX=enforcing

SELINUX=disabled

# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
note the permissive setting, that means act like disabled but put warnings (to /var/log/audit i think) whenever something would have been blocked, very useful for troubleshooting.

User avatar
TrevorH
Forum Moderator
Posts: 25618
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux prevents netconsole kernel module from loading (CentOS 7)

Post by TrevorH » 2019/05/16 21:55:56

No, the correct method is never to disable it. If you want to test something works without selinux then run setenforce 0 as root and that's it.

If you disable it then you now have a second problem as it takes extra action to turn it back on again. To do that you need to edit the config file and set it to permissive mode first, then you touch /.autorelabel and reboot and watch it relabel every single file on your system. Once that's done, then you can edit the config file and turn it back to enforcing mode.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply