Hello!
SELinux prevents netconsole from loading when I put netconsole=... in the kernel command line.
What adjustments do I need to make to allow module loading from the kernel command line?
SELinux prevents netconsole kernel module from loading (CentOS 7)
Last edited by restest on 2019/04/12 16:33:17, edited 1 time in total.
Re: SELinux prevents netconsole from loading (CentOS 7)
Why?
What does it do?
How do you know?
Re: SELinux prevents netconsole kernel module from loading (CentOS 7)
SE alerts are usually logged in the audit log (as AVCs). You can use audit2allow to find out what to do about it. More info can be found here: https://wiki.centos.org/HowTos/SELinux
Re: SELinux prevents netconsole kernel module from loading (CentOS 7)
Use enforcing=0 instead and it will come up in permissive mode but log all denials. You can then use those to work out what the problem is and how to fix it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: SELinux prevents netconsole kernel module from loading (CentOS 7)
fwiw, I received a response from RH stating that doing kernel command line selinux=0 is bad, something to the effect of many things now depend on "selinux stuff" being loaded/available and if you disable it with a kernel parameter like that it's bad. Problem I then had was user gui from system-config-users failed to work, and we had other unrelated problems we thought were all caused by selinux so the thought was to disable it.... ok kernel parameter should do it.
I think the correct way to disable it is in /etc/selinux/config. That would then allow software that was blocked by it to run.
Note the permissive setting; that means act like disabled but put warnings (to /var/log/audit I think) whenever something would have been blocked, very useful for troubleshooting.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Re: SELinux prevents netconsole kernel module from loading (CentOS 7)
No, the correct method is never to disable it. If you want to test something works without selinux then run setenforce 0 as root and that's it.
If you disable it then you now have a second problem as it takes extra action to turn it back on again. To do that you need to edit the config file and set it to permissive mode first, then you touch /.autorelabel and reboot and watch it relabel every single file on your system. Once that's done, then you can edit the config file and turn it back to enforcing mode.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
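The triage the replies above recommend (run permissive with enforcing=0 or setenforce 0, then read the logged AVC denials) can be sketched as follows; this is an added example, not part of the original thread. The log lines are constructed samples in audit.log format, `example_t` is a hypothetical type, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in audit.log format, not taken from the thread.
# example_t is a hypothetical domain type used only for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1555079000.101:41): avc:  denied  { module_request } for  pid=612 comm="modprobe" kmod="netconsole" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
type=SYSCALL msg=audit(1555079000.101:41): arch=c000003e syscall=2 success=yes exit=3 comm="modprobe"
type=AVC msg=audit(1555079060.230:57): avc:  denied  { module_request } for  pid=845 comm="modprobe" kmod="netconsole" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
type=AVC msg=audit(1555079100.412:63): avc:  denied  { read open } for  pid=901 comm="example" path="/etc/example dir/example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def _type(context):
    # An SELinux context is user:role:type[:level]; policy rules key on the type.
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else "unknown"

def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "source": _type(f.get("scontext")),
        "target": _type(f.get("tcontext")),
        "tclass": f.get("tclass", "unknown"),
        # permissive=1: logged only. A missing field is treated as enforced.
        "permissive": f.get("permissive") == "1",
    }

def summarize(log_text):
    """Count denials per (source, target, class, perms); collect enforced ones."""
    counts, enforced = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL, PATH and other record types
        key = (rec["source"], rec["target"], rec["tclass"], rec["perms"])
        counts[key] += 1
        if not rec["permissive"]:
            enforced.add(key)
    return counts, enforced

if __name__ == "__main__":
    counts, enforced = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(n, key, "blocked" if key in enforced else "logged only (permissive)")
```

Each distinct key is one decision to make: fix a label, flip a boolean, or write a local policy rule with audit2allow, rather than disabling SELinux as a whole.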