I’ve been playing around with SELinux at work recently. Not surprisingly, I was struggling to get SELINUXTYPE=strict to work properly. Unfortunately, all the Google results for ‘enabling selinux strict’ were dead ends: people would enable selinux strict, get a kernel panic, and ‘fix’ it by disabling selinux.
Well, a co-worker of mine *was* able to successfully enable selinux’s strict policy on RHEL5 (CentOS 5). He gave me this guide to post to the world for others to see how (thanks Mykola):
Introduction
I was trying to figure out *what* restrictions selinux was capable of by monitoring AVC denial messages while selinux was in permissive strict mode (which, BTW, are spat to /var/log/audit/audit.log). So, I changed my settings in /var/selinux/config, rebooted, and got a (familiar) kernel panic.
Enabling SELinux strict in RHEL5 without a kernel panic
Sifting through the cesspool of google results (I’m not trying to disable selinux!), I managed to find an (incomplete) guide to enabling selinux’s strict policy in RHEL5.
If you alter /etc/sysconfig/selinux and set SELinux strict mode instead of targeted, make sure you don’t just reboot!
First, set strict and permissive (just to be sure we can reboot and log in again).
Now, before you reboot, touch /.autorelabel. Your system will not successfully reboot if you do not do this!
# touch /.autorelabel
This was useful information, but this guide failed to mention that the following action must additionally be performed before you can reboot (otherwise, you’ll get a kernel panic):
In order to enable Selinux strict policy on a RHEL 5 server you must install the package “selinux-policy-strict” (it is in the repositories).
# yum install selinux-policy-strict
# reboot
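The three prerequisites above (permissive + strict in the config, the selinux-policy-strict package, and /.autorelabel) are easy to forget in the wrong order. As an added example that is not part of the original post, here is a small POSIX sh pre-reboot check that refuses to call the switch safe until all three are in place; the config, policy directory and relabel flag are parameters, and /etc/selinux/strict as the directory the package populates is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot sanity check for the
# targeted -> strict switch described above. It refuses the reboot unless the
# config asks for permissive + strict, the strict policy is installed and
# /.autorelabel exists. Paths are parameters so it can be run against a
# constructed config file; the defaults in the usage line are assumptions
# about a RHEL5 box.

# Print the value of KEY from an SELinux config file ($1 = file, $2 = key).
selinux_cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 when the box is ready to reboot into strict, 1 otherwise,
# printing one line per missing prerequisite.
strict_preflight() {
    cfg="$1"         # e.g. /etc/sysconfig/selinux
    policy_dir="$2"  # e.g. /etc/selinux/strict (assumed owned by selinux-policy-strict)
    relabel="$3"     # e.g. /.autorelabel
    rc=0
    if [ "$(selinux_cfg_get "$cfg" SELINUXTYPE)" != "strict" ]; then
        echo "SELINUXTYPE is not strict in $cfg; nothing to check"; rc=1
    fi
    if [ "$(selinux_cfg_get "$cfg" SELINUX)" != "permissive" ]; then
        echo "SELINUX is not permissive: the first boot into strict should be permissive"; rc=1
    fi
    if [ ! -d "$policy_dir/policy" ]; then
        echo "no compiled policy under $policy_dir: yum install selinux-policy-strict"; rc=1
    fi
    if [ ! -e "$relabel" ]; then
        echo "$relabel missing: touch /.autorelabel or the boot will not relabel"; rc=1
    fi
    return $rc
}

# Usage: sh strict-preflight.sh /etc/sysconfig/selinux /etc/selinux/strict /.autorelabel
if [ $# -eq 3 ]; then
    if strict_preflight "$1" "$2" "$3"; then
        echo "preflight OK: safe to reboot into strict (permissive)"
    fi
fi
```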
Conclusion
You will need to create policies if you want to use enforcing. If you don’t, then you will encounter an error on startup that several processes have respawned too many times and that they have been delayed by five minutes.
init: Id "4" respawning too fast: disabled for 5 minutes
init: Id "3" respawning too fast: disabled for 5 minutes
init: Id "5" respawning too fast: disabled for 5 minutes
init: Id "1" respawning too fast: disabled for 5 minutes
init: Id "2" respawning too fast: disabled for 5 minutes
init: Id "6" respawning too fast: disabled for 5 minutes
Basically, the processes are starting but being blocked by selinux, so they try to start again… ad infinitum. You will need to create a policy for them (use audit2allow).
Hope this helps somebody…
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops.
It has helped me in resolving my issue partly. But I need to read a lot to understand before applying the policy given by the audit2allow utility.
Dude you are awesome !!!!
I had same issue and I saw in logs that strict policy can’t be enforced because of ….. some thing missing.
What actually was missing is the “strict” basic reference policy!
Without that policy selinux strict can’t even label.
Thanks a lot!!!!!