I recently discovered SELinux is disabled, but the config file says SELinux enforcing mode is set. I read about the possible reasons why SELinux is disabled. I suspect the kernel. But I can't find what I should do to solve this problem. I'm afraid to touch anything because the system is running remotely. My only connection to the system is secure shell. There are a few continents between the server and me. So, I need to solve this problem without making the server unreachable :) What steps should I follow?
Information about server:
Centos 6.5
Linux 2.6.32-042stab068.8 #1 SMP Fri Dec 7 17:06:14 MSK 2012 i686 i686 i386 GNU/Linux
The server is running on a VPS and is weirdly configured. I can't even detect which boot loader is installed in order to check the SELinux configuration in the boot loader.
Partitions (according to mtab):
/dev/simfs / simfs rw,relatime 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /dev devtmpfs rw,relatime,mode=755 0 0
none /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
none /dev/shm tmpfs rw,relatime 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
EDIT: Unfortunately, I've learned that the kernel on the server does not support SELinux, because it is specialized for OpenVZ.
You said that the VM is OpenVZ-based. OpenVZ doesn't support SELinux due to how the containers work. It is not in the kernel, which is why it won't actually enforce. I would set the configuration to disabled as recommended in the documentation. Your only solution is to use a VM with a different hypervisor such as KVM/XEN, which are popular in the web hosting industry. These use full hardware virtualization and are not limited like container-based virtualization is.
You should know that SELinux can be set to enforce or not at runtime, differently than at boot.
From the documentation on the CentOS website:
I suggest changing it to permissive mode right away until you can make the changes that you know will be safe to avoid being locked out. Then, you can build up your policies, check the logs to see where there would be denials, and finally enable strict enforcing when you know what is going on.
You can disable it in either /etc/grub.conf or /etc/selinux/config, depending on your configuration. You can also use
setenforce 0 -p
to permanently save the change.
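
An added example, not part of the original question or answers: a read-only check that compares the mode in /etc/selinux/config with what the running kernel actually applies, which is the mismatch the question describes. The function name `selinux_report` and its root-prefix argument are hypothetical, and the OpenVZ container test (a /proc/vz directory without /proc/bc) is a commonly used heuristic assumed here.

```shell
#!/bin/sh
# Added example: report configured vs. effective SELinux state without changing anything.
# The optional argument is a hypothetical root prefix so the check can run on a fixture tree.
# On a live system call it with no argument: selinux_report

selinux_report() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"

    # Mode requested in the config file (SELINUXTYPE= lines do not match this pattern).
    configured="unknown"
    if [ -r "$cfg" ]; then
        configured=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
        [ -n "$configured" ] || configured="unknown"
    fi

    # selinuxfs is listed only when the kernel has SELinux built in and enabled.
    kernel="unsupported"
    if grep -qw selinuxfs "$root/proc/filesystems" 2>/dev/null; then
        kernel="supported"
    fi

    # Effective mode: /selinux on CentOS 6, /sys/fs/selinux on newer systems.
    runtime="disabled"
    for f in "$root/sys/fs/selinux/enforce" "$root/selinux/enforce"; do
        if [ -r "$f" ]; then
            case "$(cat "$f")" in
                1) runtime="enforcing" ;;
                0) runtime="permissive" ;;
            esac
            break
        fi
    done

    # Assumed heuristic: OpenVZ containers expose /proc/vz but not /proc/bc.
    platform="other"
    if [ -d "$root/proc/vz" ] && [ ! -d "$root/proc/bc" ]; then
        platform="openvz-container"
    fi

    echo "configured=$configured kernel=$kernel runtime=$runtime platform=$platform"
    # Exit status 1 means the config file claims a mode the kernel is not applying.
    [ "$configured" = "$runtime" ]
}
```

A non-zero status with `kernel=unsupported` is the situation in the question: the config file cannot take effect, so any monitoring that only reads /etc/selinux/config will overstate the host's protection.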