Kernel panic – not syncing: Attempted to kill init!



In most cases this is caused by a faulty SELinux setting, most likely on a system file label.
This can happen if you have just upgraded your Linux box or played with SELinux while trying to remove or disable it.
Before you can try to fix the SELinux issue that is causing the system to hang at boot, you need to get your system booting again.
Here's how to do it.
In this example I will be using CentOS 5.9, but these steps should apply to any recent CentOS/RHEL.

STEP-1

Restart the server and, as soon as you see the boot screen as in the picture below (or similar, depending on your distribution), press the Esc key on the server keyboard. (You can actually press any key, but we want to be safe.)

Doing so will take you into the boot options menu as in the picture below.

STEP-2
Using the ↑ and ↓ keys, choose the first boot menu entry, in this case CentOS (2.6.18.348.18.1.el5),
and press A on the server keyboard to get the next screen as below.


STEP-3
In this screen, append selinux=0 enforcing=0 to the end of the line.
So the whole line will look like this:
grub append> ro root=/dev/VolGroup00/LogVo100 selinux=0 enforcing=0

Your line might look different from the example, but the idea is to append the arguments to the end of the line.

Note that we disable both SELinux and enforcing. In most cases you will only need one of them; however, by using both arguments
we make sure the system boots even if SELinux is disabled but left enforcing, or the targeted policy is missing or corrupted.


Once you are done appending the arguments to the kernel boot line, hit Enter; if everything went well, the system will
continue to boot and you should get the terminal login screen as below.

Once you have managed to get into the terminal, it is time to look at the issue that may have caused the kernel panic.
Bear in mind that so far you have fixed nothing; you have only stopped SELinux from causing the system to hang at boot. You now have to look into the cause of it.

Make sure you are logged in as root and run this command

# getenforce
Enforcing
The getenforce command returns Permissive when SELinux is enabled but SELinux policy rules are not enforced, or Disabled if SELinux is disabled.
The sestatus command returns the SELinux status and the policy being used:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 23
Policy from config file:        targeted
In our case, SELinux is enabled and running in enforcing mode using the targeted policy.
As we already figured out, in most cases the kernel hang is caused by a faulty SELinux setting, most likely on a system file label, so you should make sure that the system labels are correct.
The easiest way to do so is to relabel the whole system using SELinux itself, but for it to be able to do that, you have to make sure that SELinux is running and in permissive mode.
First use the following command to confirm that the SELinux packages are installed.

# rpm -qa | grep selinux
libselinux-python-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
libselinux-devel-1.33.4-5.7.el5
selinux-policy-targeted-2.4.6-338.el5
libselinux-1.33.4-5.7.el5
selinux-policy-2.4.6-338.el5
We assume the following packages are installed: selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils.
If one of the above is missing or corrupted, install or reinstall it using the yum command. If you want to be safe, just reinstall using this command:

# yum -y install libselinux libselinux-python libselinux-utils policycoreutils selinux-policy selinux-policy-targeted
Once you have confirmed that all required packages are installed, run this command and make sure that SELinux is configured to run in permissive mode:

# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted
VERY IMPORTANT:
If the line above shows SELINUX=enforcing or SELINUX=disabled, edit the file using your favorite editor, make sure it says SELINUX=permissive as above, and then reboot the system before you do the next step.

Run the commands below and make sure SELinux is running and in permissive mode.

# setenforce 0
# getenforce
Permissive
With the above done, run these commands to create a file named .autorelabel in the root of the file system and force the system to reboot.

# touch /.autorelabel
# reboot
During the next boot, if SELinux finds the file /.autorelabel, it will relabel all system files and then delete the .autorelabel file.

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.
****
Once the system is up and running again, you should run this command to make sure that SELinux did not deny actions during the last boot.

# grep "SELinux is preventing" /var/log/messages
If SELinux did not deny actions during the last boot, this command does not return any output, and it is now safe to go ahead and enforce SELinux.
Edit the file /etc/selinux/config and this time set SELINUX=enforcing.

Reboot your system and make sure SELinux is running in enforcing mode

# getenforce
Enforcing
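
The last checks of this procedure (config set to permissive, relabel finished, no denials logged) can be scripted before you switch back to enforcing. This is an added example, not part of the original post; the function names are hypothetical, and the extra match on raw kernel "avc: denied" lines goes beyond the single grep shown above.

```shell
#!/bin/sh
# Added example (not from the original post): checks to pass before changing
# SELINUX=permissive back to enforcing. File paths are arguments.

# Effective mode from an SELinux config file: exactly one uncommented
# SELINUX= line is accepted; none or several is reported, not guessed.
selinux_config_mode() {
    modes=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tr 'A-Z' 'a-z')
    case $(printf '%s\n' "$modes" | grep -c .) in
        0) echo missing ;;
        1) echo "$modes" ;;
        *) echo ambiguous ;;
    esac
}

# Count denial reports: the setroubleshoot text the post greps for, plus raw
# kernel AVC lines (an assumption beyond the post's single grep).
count_denials() {
    grep -Ec 'SELinux is preventing|avc: +denied' "$1" || true
}

# ready_to_enforce CONFIG LOG MARKER -> 0 and "ok", or 1 and the reason.
ready_to_enforce() {
    mode=$(selinux_config_mode "$1")
    [ "$mode" = permissive ] || { echo "config mode is $mode, not permissive"; return 1; }
    [ ! -e "$3" ] || { echo "$3 still exists: relabel has not run"; return 1; }
    [ -r "$2" ] || { echo "cannot read $2"; return 1; }
    n=$(count_denials "$2")
    [ "$n" -eq 0 ] || { echo "$n denial message(s) in $2"; return 1; }
    echo "ok to set SELINUX=enforcing"
}

# Demo on constructed files; on a real host pass
# /etc/selinux/config /var/log/messages /.autorelabel instead.
demo() {
    d=$(mktemp -d) || return 1
    printf '# SELINUX= can take one of these three values:\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$d/config"
    printf 'Jan  1 00:00:01 host kernel: SELinux:  Initializing.\n' > "$d/messages"
    ready_to_enforce "$d/config" "$d/messages" "$d/.autorelabel"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

A config that contains two uncommented SELINUX= lines is reported as ambiguous, which catches an edit that added a new line instead of changing the existing one.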
