Old 05-01-2013, 11:54 AM   #1
carlwilson
LQ Newbie
 
Registered: Jan 2004
Posts: 9

SELinux configuration after change to init 5


I'm running a CentOS 6.2 32-bit system with SELinux enabled and enforcing.

The default init level was level 3 but now I need to make some clones of this machine with init 5 at boot.

Clones work ok, but cannot get to level 5 on console.

I've found that SELinux is the culprit - change it to 'permissive' and it all works going to level 5 - but there are no logs of anything wrong. The only thing I see if I try to go to init 5 with SELinux configured for enforcing is:
init: prefdm main process (<process number>) terminated with status 1
init: prefdm main process ended, respawning

and finally
init: prefdm respawning too fast, stopped.

Tried relabelling the file system, but that has no effect when I change back to enforcing.

So, I'll guess that this might fall under some security remit for SELinux and post in this forum.

Anyone got any ideas about how to configure selinux to overcome this?
Please don't tell me to disable selinux or rebuild the machine - neither is a viable option. I do need console access at init 5. I'm looking for some configuration clues for selinux.
 
Old 05-01-2013, 12:16 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,421

did you make the "clones" under init 3?

if so
set inittab to 5

let SE relabel the partitions on boot
-- the easiest way is to set "setenforce=0", reboot
then setenforce=1 and reboot
-- it will take some time if the drives are very large
then make the clones
 
Old 05-01-2013, 12:27 PM   #3
carlwilson
LQ Newbie
 
Registered: Jan 2004
Posts: 9

Original Poster
Done that

made clone under init 3

edit /etc/selinux/config for permissive
edit /etc/inittab for 5
touch /.autorelabel; reboot

Disk relabels and system comes up in level 5

edit /etc/selinux/config for enforcing
reboot

Machine hangs
Reboot (single) and change inittab to 3

Back to start of loop
 
Old 05-01-2013, 02:12 PM   #4
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,421

are you sure that "hang" is not se reading and checking the drive
that WILL take a lot of time if it is a large drive

hit <escape> during boot to turn off the silent mode
and see what it is doing

a 250 gig drive might take 30 min.
 
Old 05-02-2013, 04:40 AM   #5
carlwilson
LQ Newbie
 
Registered: Jan 2004
Posts: 9

Original Poster
It seems unlikely that the 'hang' is se checking the drive. Surely it's already done that when it relabeled the disk?

Hitting <esc>, or <alt-d> when it's hung doesn't do anything.

I've also started the machine without 'rhgb quiet'. It gets to the end of the boot and just hangs without starting 'X' (gnome).

I guess I'm going to have to go forwards with this one in permissive mode until I figure out some more detail or sort out a complete rebuild which goes to level 5 from the start.

Just on a chance, after googling for this issue, I re-installed selinux-policy-targeted. No change. Looks as if I'm going to have to find out a lot more about how SELinux works.
 
Old 05-02-2013, 02:21 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Is the audit service running?
If it does, does /var/log/audit/audit.log show any clues?
Elif it's not running are there any AVC messages in /var/log/messages?
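
The check asked about in the post above, as an added example that is not part of the thread: a shell function that condenses AVC denial records, in either the /var/log/audit/audit.log or the /var/log/messages form, into one line per distinct denial. The function names and the sample log lines are constructed for illustration and are not output from the poster's machine.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials (count, command, source type,
# target type, object class, permissions) from audit.log or messages.

summarize_avc() {
    awk '
    /avc:[ ]+denied/ {
        comm = src = tgt = cls = perms = ""
        # Denied permissions sit between "{" and "}".
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        key = comm " " src " -> " tgt " " cls " {" perms "}"
        if (!(key in n)) order[++k] = key
        n[key]++
    }
    END { for (j = 1; j <= k; j++) print n[order[j]], order[j] }
    ' "$@"
}

# Constructed sample: two audit.log records, one /var/log/messages record
# (the form seen when auditd is not running) and one non-AVC record.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1367420040.123:45): avc:  denied  { read } for  pid=2101 comm="gdm-binary" name="custom.conf" dev=dm-0 ino=131 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1367420041.456:46): avc:  denied  { read } for  pid=2107 comm="gdm-binary" name="custom.conf" dev=dm-0 ino=131 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
May  1 11:54:02 clone1 kernel: type=1400 audit(1367420042.789:47): avc:  denied  { read write } for  pid=2110 comm="Xorg" name="tty1" dev=devtmpfs ino=5 scontext=system_u:system_r:xserver_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1367420042.789:47): arch=40000003 syscall=5 success=no exit=-13 comm="Xorg"
EOF
}

# Demo on the sample; on a real host run instead:
#   summarize_avc /var/log/audit/audit.log    (auditd running)
#   summarize_avc /var/log/messages           (auditd not running)
sample_log | summarize_avc
```

If nothing is logged while enforcing, `semodule -DB` rebuilds the policy with dontaudit rules disabled so that suppressed denials reach the log, and `semodule -B` restores them afterwards.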
 
  

