[SOLVED] SElinux >>changed Targeted to Strict. All kernels now Panic on boot.

Black_Heart
Posts: 16
Joined: 2011/12/23 05:40:00

[SOLVED] SElinux >>changed Targeted to Strict. All kernels now Panic on boot.

Post by Black_Heart » 2011/12/23 08:26:44

Similar to musikbyg's topic_id=34078&forum=42
Using dif. HD to post, so will try those tips then check back here tomorrow.

AMD K7
CentOS 5.7
Four recent kernels, incl. PAE, installed from v5.7 CD-1 (October)
Was a fresh install using full-disk encryption.
Has been working great, even with SElinux set to enforcing.
PROBLEM kicked-in immediately after going to SElinux Admin (gui) Cont'l Panel and changing policy from "Targeted to Strict"
I also unchecked two boxes which were noted as dangerous permissions. Can't recall these items.
Rebooted immediately after saving changes, as directed. Entered my crypt pass and boot proceeded as normal.
In ~15 seconds, kernel panic. Details below. Tried all four Kernels, with and w/o PAE. Same panic msg.
Edited GRUB (legacy) for single-mode and "linux rescue". No change.
Term message below:

type=1404 enforcing=1 old_enforcing=0 audit...etc
type=1403 audit... policy loaded
type=1400 audit... avc:denied (execute) for pid=1 comm=init path... /sbin/init:error while loading
shared libraries: libsepol.so.1:
Failed to map segment from shared object: Permission denied
Kernel Panic -not synching: attempted to kill init

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SElinux >>changed Targeted to Strict. All kernels now Panic on boot.

Post by TrevorH » 2011/12/23 12:37:59

Interrupt the boot at the grub prompt and append "selinux=0" to the end of the kernel parameter list. This will disable selinux and allow you to boot up. From your messages that you posted, it appears that init is unable to load because it cannot read libsepol.so.1 - can you post the output from

[code]
ls -laZ `locate libsepol.so.1`
[/code]
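An added example (not TrevorH's or the thread's own code) of what to do with that listing: a POSIX sh script that pulls the SELinux type out of `ls -Z` lines and flags files whose type is not what the policy expects, so a mislabeled libsepol.so.1 shows up before the next boot in enforcing mode. The sample listing, the `/lib/libsepol.so.1.copy` path and the expected types (lib_t, init_exec_t) are constructed assumptions for the offline run.

```shell
#!/bin/sh
# Added example, not code from the thread: check that files init needs at boot
# carry the SELinux type the loaded policy expects. On a real CentOS 5 host feed
# it the output of   ls -laZ `locate libsepol.so.1`   (the command asked for
# above); here it runs offline on constructed lines in the CentOS 5 `ls -lZ`
# layout (mode, owner, group, context, path).

# Constructed sample listing: a correctly labelled library, a copy left with the
# generic file_t type (what a mislabeled file looks like), and /sbin/init itself.
SAMPLE_LS='-rwxr-xr-x  root root system_u:object_r:lib_t:s0        /lib/libsepol.so.1
-rwxr-xr-x  root root user_u:object_r:file_t:s0         /lib/libsepol.so.1.copy
-rwxr-xr-x  root root system_u:object_r:init_exec_t:s0  /sbin/init'

# Print the SELinux type (third field of user:role:type[:level]) of one ls -Z line.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{ split($4, ctx, ":"); print ctx[3] }'
}

# Check one listing line against an expected type: return 0 when it matches,
# otherwise print the mismatch (and the restorecon fix) and return 1.
check_label() {
    path=$(printf '%s\n' "$1" | awk '{ print $NF }')
    actual=$(selinux_type_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK       $path ($actual)"
        return 0
    fi
    echo "MISLABEL $path is $actual, expected $2; restorecon -v $path would fix it"
    return 1
}

# For every line of a listing whose path matches a shell pattern, check the type
# and print the number of mislabeled entries (0 means nothing to relabel).
count_mislabels() {
    bad=0
    while IFS= read -r line; do
        case $(printf '%s\n' "$line" | awk '{ print $NF }') in
            $2) check_label "$line" "$3" >/dev/null || bad=$((bad + 1)) ;;
        esac
    done <<EOF
$1
EOF
    echo "$bad"
}

# On the sample: libraries must be lib_t, init itself must be init_exec_t.
count_mislabels "$SAMPLE_LS" '/lib/*' lib_t            # prints 1
count_mislabels "$SAMPLE_LS" '/sbin/init' init_exec_t  # prints 0
```

On a live system a non-zero count is the cue to run `restorecon` on the named paths (or touch `/.autorelabel` for a full relabel) while still booted with `enforcing=0`, rather than rebooting straight into enforcing mode.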

Black_Heart
Posts: 16
Joined: 2011/12/23 05:40:00

Re: SElinux >>changed Targeted to Strict. All kernels now Panic on boot.

Post by Black_Heart » 2011/12/24 06:13:51

TrevorH-- Thank you. This is good info. I did manage overnight to use a related parameter "enforcing=0" and got the problem resolved. It turned out to be a little more convoluted than expected. Will describe things here for those interested.

After "enforcing=0" as above, boot continued normally, pausing 5 min. while the 'Strict' policy relabelings were set, per my (pre-panic) policy change. Got to desktop, and the AVC popup advised in a detailed window of the processes which would be stopped if I allowed the sys to reboot into full enforcing-strict mode. About twenty items were listed to be blocked if I did not go back to the prev. "Targeted" policy. These included smartd, gconfd and scim-panel-gtk, mostly to prevent them from accessing 'mislabeled' files. The saved AVC text reports only show a few of the rejected processes for some reason.

After rebooting back into the fully Enforcing/Strict condition, got past the GDM login, then (now black screen) xserver would not start. Tried 'startx' and got rejected by PAM for permissions. Root login also rejected. Restarted back to your GRUB-edit trick to go back to my original Enforcing-Enforcing-Targeted settings. On restart, SElinux refused to give up its Strict status and the screen went black again after login. Figured I'd just turn off SElinux and reboot a few times to give the policy labelings a chance to take. Finally, with things running normally, I set my SElinux Admin Panel back to where I had it at the beginning, Enforcing-Enforcing-Targeted. This time it worked.

Apparently SElinux has to be nudged gradually into and out of any strict policy alterations. I don't think many users will have luck using the "Strict" policy setting. Best hope is that the default Targeted restrictions will gradually include more processes than the present (200) with CentOS 5.7. Possibly v6 of the distro will have a hotter SElinux default. I'm hesitant to install anything higher than v5.7 since I'm running an old sys. Thanks again, BH

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

[SOLVED] SElinux >>changed Targeted to Strict. All kernels n

Post by pschaff » 2011/12/26 12:09:34

[quote]
Black_Heart wrote:
... I'm hesitant to install anything higher than v5.7 since I'm running an old sys. ...[/quote]

The CentOS-6 LiveCD/DVD is good for a compatibility test. Thanks for reporting back. Marking this thread [SOLVED] for posterity.
