[CENTOS] A story that was terrible if SELinux was properly disabled

Be wary of the tightness that CentOS won't boot.

Cause: SELinux misconfiguration

Yes, as usual, I was logging into CentOS 7.4 and trying to permanently disable SELinux.

5.4.2. Disable SELINUX To disable SELinux, set SELINUX = disabled in / etc / selinux / config.

However, the beginning of misery was that I accidentally disabled the "SELINUXTYPE" option instead of the correct "SELINUX" option.

vi /etc/selinux/config

image.png

Server that does not come up

I think that the setting is completed, and when I restart the OS, it does not come up at all. To be correct, it doesn't work even after waiting 10 minutes from the CentOS startup screen. image.png

When I forcibly power off and look at the console screen, the words [Failed to load SELinux policy.] Are ... image.png

At this point, I realized that I had done it.

This time, I set the [SELUINUXTYPE] option to perform advanced access control (MLS, etc.) for users and files. SELinux reads this setting when the OS boots and processes it if necessary. If this setting does not exist for the argument, a kernel panic will occur.

Reference

5.3. Main Configuration File SELINUXTYPE=targeted The SELINUXTYPE option sets the SELinux policy to use. The target policy is the default policy. Change this option only if you want to use the MLS policy.

Basics of Mandatory Access Control (SELinux) MLS(Multi Level Security) MLS is a feature that adds level-based access control to category-based access control (MCS). You have fine-grained control over the reach of users and processes, providing a very high degree of security. However, it can be said that it is a function used in national defense / military systems that are difficult to operate and manage and require strong security.

[fedora WIKI]SELinux/Config When booting up the machine, init uses libselinux to read this file, and determines which policy to load and what mode to put the machine in.*

Login in single user mode

I couldn't log in again ... I just tried to log in from grub in single user mode.

As I investigated later, it seems that the method of setting [SELinux = 0] in the grub kernel option also works. Centos7: Disable and boot SELinux from grub

Virtual console crashes with error

In order to operate grub and log in in single user mode, it is necessary to perform the operation quickly after turning on the power.

The server this time is a VM on ESXi6.5, and I was trying to operate it with the Web virtual console of vSphere Web Client, but every time I turn on the OS and start the Web virtual console to operate the grub screen, the following Message has come out.

image.png

An unexpected error has occurred.
The client may continue to work, but here I refresh my browser and
We encourage you to submit a bug report.

If you perform [Reload] according to this exception window, you will always be returned to the login screen of the vSphere Web Client, so you have progressed to a kernel panic while logging in ... Turn off the power ... Turn on the power ... ・ I enjoyed the torture of repeating ...


** [Solution: Close window with ESC key] ** This isn't official knowledge because it's a system I discovered by chance while fighting for about 20 minutes, but this exception window disappears when I press the ** ESC key. ** You can now enter the grub operation without any problems.

grub boot, kernel parameter change, OS boot

In order to start bash in single user mode, I was trying to start the OS by playing with kernel parameters.

First, select the OS and press [e] to enter edit mode. image.png

Rewrite the kernel parameter after ro on the [linux16] line to rw init = / bin / sh.

image.png this image.png This way

Then, by pressing [Ctrl-x], the OS will go up and you will be able to accept commands. image.png

Passing [init = / bin / sh] to the kernel parameter and starting it seems to mean skipping the usual reading of / etc / inittab and starting sh for the time being.

Reference
kernel-parameters.txt https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
Understanding "Systemd" -System startup- http://equj65.net/tech/systemd-boot/ >

Now that bash has started, you can change the password for ~~ root and restore the settings you made ~~.

vi /etc/selinux/config

Cannot enter:

After modifying the setting SELINUXTYPE = disabled to SELINUXTYPE = targeted in vi, when I tried to exit with : wq, the: key is only entered as; no matter how many times I press it. ..

Because, in this OS boot method, the keyboard is input in English, so it was discovered that the key display symbols on the Japanese keyboard and the input contents are completely different.

(Speaking of which, when editing kernel parameters with grub, I can't enter the symbol =, but since there is a = near the setting, I tried to utilize it without erasing it.)

Of course, you can press it in consideration of Difference between Japanese keyboard and English keyboard, but in my beloved Topre REALFORCE ** Unfortunately, even if I tried all the keys with / without shift, a mysterious trap was set up that : and = were not entered **.


** [Solution: Save without symbols] **

I learned this this time without studying, but it is possible to overwrite and save with ZZ in addition to: wq in vi. If it wasn't there, it would be over. This will save it.

image.png

I was able to save it safely. Try rebooting.

image.png

It started without any problem and recovered. The solution!

Finally

It's just config, but config, I've simply scrutinized it. This time it was the verification environment at hand, but when I thought that the console was a remote environment that was only available locally, it was really awkward. After setting, be sure to check the match with the assumed config ...

reference

5.4.2. Disable SELINUX https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-enabling_and_disabling_selinux-disabling_selinux

5.3. Main configuration file https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-main_configuration_file

Basics of Mandatory Access Control (SELinux) https://thinkit.co.jp/article/13296

[fedora WIKI]SELinux/Config https://fedoraproject.org/wiki/SELinux/Config

SELinux Memorandum of Understanding https://qiita.com/JhonnyBravo/items/2012250c1cec9a682b86

After disabling SELinux, it became Kernel panic and could not be booted. https://www.ipentec.com/document/linux-boot-kernel-panic-after-selinux-disabled

Centos7: boot with SELinux disabled from grub https://okisanjp.hatenablog.jp/entry/archives/771

SELinux Reintroduction-Basics- https://www.ffri.jp/assets/files/monthly_research/MR201406_A%20Re-introduction%20to%20SELinux_JPN.pdf

25.10. Editing the terminal menu during boot In Red Hat Enterprise Linux 7, rescue mode is equivalent to single-user mode and requires a root password. https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-terminal_menu_editing_during_boot

Change root password in CentOS7 single user mode https://it.rin-ka.net/centos7-single-mode/

Reset root password https://www.server-world.info/query?os=CentOS_7&p=resetpass

Access GRUB and single-user mode using a serial console https://docs.microsoft.com/ja-jp/azure/virtual-machines/troubleshooting/serial-console-grub-single-user-mode

Understanding "Systemd" -System startup- http://equj65.net/tech/systemd-boot/

kernel-parameters.txt https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt

26.3. Boot in single user mode (grub legacy) https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/5/html/installation_guide/s1-rescuemode-booting-single

Red Hat Enterprise Linux-I want to boot in single user mode (grub legacy) https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c01982340

How to enter equal "=" in GRUB https://users.miraclelinux.com/support/?q=node/154

Recommended Posts

A story that was terrible if SELinux was properly disabled
A story that Seaborn was easy, convenient and impressed
A story that I was addicted to at np.where
A story that I was addicted to calling Lambda from AWS Lambda.
A story that was struggling to loop processing 3 million ID data
A story that stumbled upon installing matplotlib
The story that XGBoost was finally installed
A story that sometimes does not work if pip is up to date
A story that I was addicted to when I made SFTP communication with python
python memo-"if not A and B" was "if (not A) and B"
A story that was convenient when I tried using the python ip address module
A story that an error occurred when PyInstaller was used in a program that uses googleapiclient