SELinux prevents netconsole kernel module from loading (CentOS 7)

Posted: 2019/04/10 04:16:37
by restest
Hello!
SELinux prevents netconsole from loading when I put netconsole=... in the kernel command line.
What adjustments do I need to make to allow module loading from the kernel command line?

Re: SELinux prevents netconsole from loading (CentOS 7)

Posted: 2019/04/11 18:08:06
by aks
Why?
What does it do?
How do you know?

Re: SELinux prevents netconsole from loading (CentOS 7)

Posted: 2019/04/12 16:30:57
by restest
aks wrote (2019/04/11 18:08:06):
> How do you know?

Because if I add selinux=0 to the kernel command line, netconsole loads successfully.

Re: SELinux prevents netconsole kernel module from loading (CentOS 7)

Posted: 2019/04/12 18:40:47
by aks
SE alerts are usually logged in the audit log (as AVCs). You can use audit2allow to find out what to do about it. More info can be found here: https://wiki.centos.org/HowTos/SELinux

Re: SELinux prevents netconsole kernel module from loading (CentOS 7)

Posted: 2019/04/12 23:31:30
by TrevorH
Use enforcing=0 instead and it will come up in permissive mode but log all denials. You can then use those to work out what the problem is and how to fix it.
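
An added example, not part of any poster's message: a small Python parser for the AVC denial records that aks and TrevorH point to above, grouping them by source type, target type and class (the key an allow rule uses) and separating denials that were only logged (permissive=1) from ones that were blocked. The log lines are constructed, and example_t, exampled and example_mod are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format, not output from any system in this thread.
# example_t, exampled and example_mod are hypothetical names.
SAMPLE_LOG = """\
type=AVC msg=audit(1555000001.101:41): avc:  denied  { module_request } for  pid=700 comm="exampled" kmod="example_mod" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
type=SYSCALL msg=audit(1555000001.101:41): arch=c000003e syscall=41 success=yes exit=3 comm="exampled"
type=AVC msg=audit(1555000002.202:42): avc:  denied  { read write } for  pid=700 comm="exampled" name="example.sock" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1555000003.303:43): avc:  denied  { read } for  pid=700 comm="exampled" name="example.sock" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # Context is user:role:type:level; the level may itself contain colons.
    return context.split(":", 3)[2]

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    fields["perms"] = m.group("perms").split()
    return fields

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "blocked": 0, "logged_only": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        # permissive=1 means allowed and only logged; anything else is counted as blocked.
        g["logged_only" if rec.get("permissive") == "1" else "blocked"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"comm={sorted(g['comms'])} blocked={g['blocked']} logged_only={g['logged_only']}")
```

On a real system the input would be the audit log itself, and audit2allow remains the tool for turning reviewed denials into a policy module.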

Re: SELinux prevents netconsole kernel module from loading (CentOS 7)

Posted: 2019/05/16 14:52:02
by ron7000
fwiw, I received a response from RH stating that doing kernel command line selinux=0 is bad, something to the effect of many things now depend on "selinux stuff" being loaded/available and if you disable it with a kernel parameter like that it's bad. Problem I then had was user gui from system-config-users failed to work, and we had other unrelated problems we thought were all caused by selinux so the thought was to disable it... ok kernel parameter should do it.

I think the correct way to disable it is in /etc/selinux/config. That would then allow software that was blocked by it to run.

Code:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

#SELINUX=enforcing

SELINUX=disabled

# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Note the permissive setting: that means act like disabled but put warnings (to /var/log/audit, I think) whenever something would have been blocked. Very useful for troubleshooting.

Re: SELinux prevents netconsole kernel module from loading (CentOS 7)

Posted: 2019/05/16 21:55:56
by TrevorH
No, the correct method is never to disable it. If you want to test something works without selinux then run setenforce 0 as root and that's it.

If you disable it then you now have a second problem as it takes extra action to turn it back on again. To do that you need to edit the config file and set it to permissive mode first, then you touch /.autorelabel and reboot and watch it relabel every single file on your system. Once that's done, then you can edit the config file and turn it back to enforcing mode.