
Enabling SELinux strict on RHEL5

I’ve been playing around with SELinux at work recently. Not surprisingly, I was struggling to get SELINUXTYPE=strict to work properly. Unfortunately, all the Google results for "enabling selinux strict" would return were dead ends. People would enable SELinux strict, get a kernel panic, and ‘fix’ it by disabling SELinux.

[Screenshot: Googling for "enabling selinux strict"]

Well, a co-worker of mine *was* able to successfully enable selinux’s strict policy on RHEL5 (CentOS 5). He gave me this guide to post to the world for others to see how (thanks Mykola):

Introduction

I was trying to figure out *what* restrictions SELinux was capable of by monitoring AVC denial messages while SELinux was in permissive mode with the strict policy (the denials, BTW, are spat to /var/log/audit/audit.log). So, I set my settings in /etc/selinux/config, rebooted, and got a (familiar) kernel panic.

Enabling SELinux strict in RHEL5 without a kernel panic

Sifting through the cesspool of google results (I’m not trying to disable selinux!), I managed to find an (incomplete) guide to enabling selinux’s strict policy in RHEL5.

If you edit /etc/sysconfig/selinux (on RHEL5 a symlink to /etc/selinux/config) and change SELINUXTYPE from targeted to strict, make sure you don’t just reboot!

First, set SELINUXTYPE=strict together with SELINUX=permissive. In permissive mode the strict policy only logs what it would have denied, so the first boot on the new policy still comes up and you can still log in; every denial it logs is one you will have to write policy for before switching to enforcing.

Now, before you reboot, touch /.autorelabel. This makes the next boot relabel every file according to the strict policy’s file contexts instead of the labels written under targeted. Your system will not successfully reboot if you do not do this!

# touch /.autorelabel

This was useful information, but the guide failed to mention that the following step must additionally be performed before you reboot (otherwise, you’ll still get a kernel panic):

In order to enable the SELinux strict policy on a RHEL 5 server you must install the package “selinux-policy-strict” (it is in the standard repositories). Without it there is no /etc/selinux/strict/ on the box, so the kernel has no strict policy to load and the relabel has no strict file contexts to apply. Install it before you reboot:

# yum install selinux-policy-strict
# reboot
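The three steps above (config edit, package install, relabel flag) are easy to get half right, and half right is a panic at the next boot. The following script is an added example, not part of the original post or of Mykola’s guide: it rewrites the config file, and refuses to reboot unless every prerequisite is in place. It assumes the RHEL5 layout (config at /etc/selinux/config, the strict policy package dropping its files under /etc/selinux/strict/); the CONFIG variable and the root argument of `strict_boot_ready` exist only so the checks can be dry-run against a scratch directory.

```sh
#!/bin/sh
# Added example: stage a switch from the targeted to the strict SELinux policy on
# RHEL5/CentOS5 and verify every prerequisite before rebooting. Not the original
# post's code. Assumptions: /etc/selinux/config is the live config
# (/etc/sysconfig/selinux is a symlink to it on RHEL5) and selinux-policy-strict
# installs under /etc/selinux/strict/. CONFIG can be overridden for dry runs.

CONFIG="${CONFIG:-/etc/selinux/config}"

# Rewrite SELINUX= and SELINUXTYPE= in config $1 (appending them if absent).
# $2 = mode (permissive|enforcing|disabled), $3 = policy type (strict|targeted).
set_selinux_config() {
    cfg="$1"; mode="$2"; type="$3"
    tmp="$cfg.tmp.$$"
    # Drop the existing assignments (grep returns 1 if nothing is left), then
    # append the wanted ones so the file has exactly one of each.
    grep -v -e '^SELINUX=' -e '^SELINUXTYPE=' "$cfg" > "$tmp" 2>/dev/null || :
    printf 'SELINUX=%s\nSELINUXTYPE=%s\n' "$mode" "$type" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Print the value of key $2 from config $1 (empty if unset; last one wins).
config_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Pre-reboot check. Returns 0 only if a strict boot can succeed:
# $1 = config file, $2 = filesystem root to inspect ("" for the live system).
strict_boot_ready() {
    cfg="$1"; root="${2:-}"
    [ "$(config_value "$cfg" SELINUXTYPE)" = "strict" ] \
        || { echo "SELINUXTYPE is not strict in $cfg" >&2; return 1; }
    # First boot on the new policy must be permissive so denials are only logged.
    [ "$(config_value "$cfg" SELINUX)" = "permissive" ] \
        || { echo "SELINUX should be permissive for the first strict boot" >&2; return 1; }
    # Policy directory is created by the selinux-policy-strict package.
    [ -d "$root/etc/selinux/strict/policy" ] \
        || { echo "strict policy missing: yum install selinux-policy-strict" >&2; return 1; }
    # Without this flag files keep their targeted labels and the boot panics.
    [ -e "$root/.autorelabel" ] \
        || { echo "/.autorelabel missing: filesystem would not be relabeled" >&2; return 1; }
    return 0
}

# The full procedure, to be run as root with --apply. It never reboots unless
# strict_boot_ready passes.
switch_to_strict() {
    yum -y install selinux-policy-strict || return 1
    set_selinux_config "$CONFIG" permissive strict
    touch /.autorelabel
    strict_boot_ready "$CONFIG" "" && reboot
}

if [ "${1:-}" = "--apply" ]; then
    switch_to_strict
fi
```

Run it as `sh switch-strict.sh --apply` on the host; sourcing the file instead gives you `strict_boot_ready /etc/selinux/config ""` as a standalone sanity check before any reboot. Once the machine is up on strict in permissive mode and the audit log has been turned into policy, the same `set_selinux_config` call with `enforcing strict` flips the mode for the next boot (no relabel needed that time, since the labels are already strict).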

Conclusion

You will need to write policy for everything the strict policy denies on your box before you switch SELINUX=enforcing. If you don’t, you will see errors on startup that several processes have respawned too many times and have been disabled for five minutes:

init: Id "4" respawning too fast: disabled for 5 minutes
init: Id "3" respawning too fast: disabled for 5 minutes
init: Id "5" respawning too fast: disabled for 5 minutes
init: Id "1" respawning too fast: disabled for 5 minutes
init: Id "2" respawning too fast: disabled for 5 minutes
init: Id "6" respawning too fast: disabled for 5 minutes

Basically, these processes (ids 1 to 6 in /etc/inittab are the mingetty instances for tty1 to tty6) start, get blocked by SELinux, exit, and init starts them again… ad infinitum. You will need to create a policy module for them: boot once in permissive mode, collect the AVC denials from /var/log/audit/audit.log, feed them to audit2allow, and review the rules it generates before loading the module with semodule.
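Feeding a whole audit log straight into audit2allow produces a module that allows everything strict objected to, which defeats the point of running strict. The script below is an added example, not code from the original post: it first reduces the AVC records from a permissive boot to the distinct (source type, target type, class, permissions) tuples so you can read what you are about to allow, and only then builds and loads the module. The sample log lines are constructed for the demonstration (plausible mingetty denials, not real output from the author’s machine); the default log path and the audit2allow/semodule invocations match RHEL5’s policycoreutils.

```sh
#!/bin/sh
# Added example (not from the original post): summarise the AVC denials logged
# during a permissive boot of the strict policy, then turn them into a loadable
# module with audit2allow. Assumes RHEL5's audit log location and the
# policycoreutils tools; LOG may point at any file.

LOG="${LOG:-/var/log/audit/audit.log}"

# Constructed sample records in RHEL5 audit.log format (not real denials).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1234567890.123:45): avc:  denied  { read write } for  pid=2001 comm="mingetty" name="tty1" dev=tmpfs ino=1234 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1234567890.456:46): avc:  denied  { read write } for  pid=2002 comm="mingetty" name="tty2" dev=tmpfs ino=1235 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1234567890.789:47): avc:  denied  { setattr } for  pid=2001 comm="mingetty" name="tty1" dev=tmpfs ino=1234 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1234567890.789:47): arch=40000003 syscall=5 success=no exit=-13 comm="mingetty"
EOF
}

# Print one line per distinct denial in log $1:
#   "<source type> <target type> <class> <permissions>"
# e.g. "getty_t tty_device_t chr_file read write". Duplicates (the same
# denial from every tty) are collapsed, which is what makes the list reviewable.
summarize_avc() {
    grep 'avc:.*denied' "$1" | awk '{
        perms = ""; stype = ""; ttype = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # permissions sit between "{" and "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : " ") $j
            } else if ($i ~ /^scontext=/) {
                split($i, a, ":"); stype = a[3]   # user:role:TYPE[:level]
            } else if ($i ~ /^tcontext=/) {
                split($i, b, ":"); ttype = b[3]
            } else if ($i ~ /^tclass=/) {
                cls = substr($i, 8)
            }
        }
        key = stype " " ttype " " cls " " perms
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Build module $2 from the denials in log $1 and load it. audit2allow -M writes
# $2.te (readable rules) and $2.pp (binary module); inspect the .te before
# trusting the .pp. Requires root and policycoreutils.
build_and_load_module() {
    grep 'avc:.*denied' "$1" | audit2allow -M "$2" || return 1
    semodule -i "$2.pp"
}

case "${1:-}" in
    --summary) summarize_avc "$LOG" ;;
    --load)    build_and_load_module "$LOG" "${2:-localstrict}" ;;
esac
```

Typical use after the first permissive boot: `sh avc-review.sh --summary` to see the handful of distinct denials, decide whether each is something the daemon genuinely needs (a getty reading and writing its tty is) or a misconfiguration you should fix by relabeling instead, and then `sh avc-review.sh --load localstrict` for the ones that remain. Keep each generated module small and named for what it covers; one giant "allow everything from last boot" module is hard to audit later.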

Hope this helps somebody…

2 comments to Enabling SELinux strict on RHEL5

  • sjeganathan

    It has helped me in resolving my issue partly. But i need to read lot to understand before applying the policy given by audit2allow utility.

  • user

    Dude you are awesome !!!!
    I had the same issue and I saw in logs that the strict policy can’t be enforced because of ….. something missing.
    What actually was missing is the “strict” basic reference policy!
    Without that policy SELinux strict can’t even label.

    Thanks a lot!!!!!
