A story of how badly things went when SELinux was not disabled properly

Beware of the tight spot where CentOS won't boot.

Cause: SELinux misconfiguration

Yes, as usual, I logged into CentOS 7.4 and tried to permanently disable SELinux.

5.4.2. Disabling SELinux: To disable SELinux, set SELINUX=disabled in /etc/selinux/config.

However, the start of my misery was that I accidentally set the "SELINUXTYPE" option to disabled instead of the correct "SELINUX" option.

vi /etc/selinux/config


The server that won't come up

Thinking the setting was done, I rebooted the OS, and it did not come up at all. To be precise, it was still stuck on the CentOS startup screen after waiting 10 minutes.

When I forcibly powered off and looked at the console screen, there it was: [Failed to load SELinux policy.] ...

At this point, I realized what I had done.

What I had set this time was the [SELINUXTYPE] option, which selects the policy used for advanced access control (MLS, etc.) over users and files. SELinux reads this setting when the OS boots and loads the policy it names. If no policy matching that value exists, a kernel panic occurs.

Reference

5.3. Main Configuration File: SELINUXTYPE=targeted. The SELINUXTYPE option sets the SELinux policy to use. The targeted policy is the default policy. Change this option only if you want to use the MLS policy.

Basics of Mandatory Access Control (SELinux): MLS (Multi Level Security). MLS adds level-based access control on top of category-based access control (MCS). It gives fine-grained control over what users and processes can reach and provides a very high level of security; however, it is hard to operate and manage, so it is essentially a feature for national defense / military systems that require strong security.

[fedora WIKI] SELinux/Config: When booting up the machine, init uses libselinux to read this file, and determines which policy to load and what mode to put the machine in.

Logging in in single-user mode

I couldn't log in anymore ... so I tried logging in from grub in single-user mode.

As I found out later, setting [selinux=0] as a grub kernel option also works. (Centos7: boot with SELinux disabled from grub)

The virtual console crashes with an error

To operate grub and log in in single-user mode, you have to act quickly right after powering on.

The server in this case is a VM on ESXi 6.5, and I was trying to operate it through the web virtual console of the vSphere Web Client. But every time I powered on the OS and opened the web virtual console to work the grub screen, the following message appeared.


An unexpected error has occurred.
The client may continue to work, but here I refresh my browser and
We encourage you to submit a bug report.

If you click [Reload] as this exception window suggests, you are always sent back to the vSphere Web Client login screen, and by the time you have logged in again the boot has already reached the kernel panic ... power off ... power on ... I got to enjoy this torture on repeat ...


**[Solution: close the window with the ESC key]** This is not official knowledge, just something I discovered by chance after fighting with it for about 20 minutes, but this exception window disappears when you press the **ESC key**. After that I could get into the grub editor without any problem.

Booting from grub with changed kernel parameters

To get a bash shell in single-user mode, I tried booting the OS with modified kernel parameters.

First, select the OS entry and press [e] to enter edit mode.

On the [linux16] line, rewrite the kernel parameter ro as rw init=/bin/sh.


Then press [Ctrl-x]; the OS boots and you get a prompt that accepts commands.

Passing [init=/bin/sh] as a kernel parameter means skipping the usual reading of /etc/inittab and just starting sh for the time being.

Reference
kernel-parameters.txt https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt
Understanding "Systemd" -System startup- http://equj65.net/tech/systemd-boot/

Now that bash has started, you can ~~change the root password~~ restore the setting you changed.

vi /etc/selinux/config

Cannot type the colon

After changing SELINUXTYPE=disabled back to SELINUXTYPE=targeted in vi, I tried to exit with :wq, but the [:] key only produced [;] no matter how many times I pressed it ...

The reason is that with this boot method the keyboard is treated as a US English layout, so the symbols printed on my Japanese keyboard and what actually got typed were completely different.

(Come to think of it, when editing the kernel parameters in grub I couldn't type the [=] symbol either, but since there was an existing [=] right next to where I needed it, I reused it instead of deleting it.)

Of course, you can press the key that corresponds to the symbol on a US English layout, but on my beloved Topre REALFORCE, **unfortunately, even after trying every key with and without Shift, [:] and [=] simply could not be entered**, a mysterious trap.


**[Solution: save without symbols]**

I only learned this now, by accident, but in vi you can write and quit with ZZ as well as :wq. If that didn't exist it would have been game over. This is what saved me.


The file was saved safely. Time to reboot.


It booted without any problem and the server is recovered. Solved!

In closing

It's only a config file, but a config file is all it takes; I went through it far too casually. This time it was a test environment I had on hand, but when I imagine the same thing on a remote machine whose console is only reachable locally, it is a really nasty situation. After changing a setting, be sure to check that the file matches the configuration you intended ...
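As an added example for that last point (my own script, not code from the original post): a small POSIX shell script that validates /etc/selinux/config the way init's libselinux will read it before you reboot, and that edits only the SELINUX= line so the SELINUXTYPE= line cannot be hit by mistake. The optional config-file and policy-root arguments are assumptions added for testing on another machine; the defaults are the real CentOS paths.

```shell
#!/bin/sh
# Added example, not from the original post: check /etc/selinux/config against
# what init will accept BEFORE rebooting, so a slip like SELINUXTYPE=disabled is
# caught while you still have a working shell.
#   check_selinux_config [config-file] [policy-root]
# Defaults are the real CentOS paths; the overrides exist only for testing.

check_selinux_config() {
    cfg="${1:-/etc/selinux/config}"
    root="${2:-/etc/selinux}"
    rc=0
    # Last uncommented KEY=value line wins; libselinux reads the same keys
    # and tolerates no spaces around '='.
    mode=$(sed -n 's/^SELINUX=\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)
    type=$(sed -n 's/^SELINUXTYPE=\([^[:space:]]*\).*/\1/p' "$cfg" | tail -n 1)

    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX='$mode' is not enforcing|permissive|disabled"; rc=1 ;;
    esac
    case "$type" in
        targeted|minimum|mls) ;;
        *) echo "SELINUXTYPE='$type' is not targeted|minimum|mls"; rc=1 ;;
    esac
    # Unless SELinux is disabled, init loads the policy from $root/$type/;
    # if that directory is missing, boot stops at "Failed to load SELinux policy."
    if [ "$rc" -eq 0 ] && [ "$mode" != disabled ] && [ ! -d "$root/$type" ]; then
        echo "policy '$type' is not installed under $root/"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: SELINUX=$mode SELINUXTYPE=$type"
    return "$rc"
}

# Rewrite only the SELINUX= line; the anchored pattern cannot match SELINUXTYPE=.
set_selinux_mode() {
    mode="$1"
    cfg="${2:-/etc/selinux/config}"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "refusing to write invalid mode '$mode'"; return 1 ;;
    esac
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" &&
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"  # cat keeps the inode and its label
}

# Typical use on a live box: edit, verify, and only then reboot.
#   set_selinux_mode disabled && check_selinux_config && reboot
```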

References

5.4.2. Disable SELINUX https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-enabling_and_disabling_selinux-disabling_selinux

5.3. Main configuration file https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-main_configuration_file

Basics of Mandatory Access Control (SELinux) https://thinkit.co.jp/article/13296

[fedora WIKI]SELinux/Config https://fedoraproject.org/wiki/SELinux/Config

SELinux Memorandum of Understanding https://qiita.com/JhonnyBravo/items/2012250c1cec9a682b86

After disabling SELinux, it became Kernel panic and could not be booted. https://www.ipentec.com/document/linux-boot-kernel-panic-after-selinux-disabled

Centos7: boot with SELinux disabled from grub https://okisanjp.hatenablog.jp/entry/archives/771

SELinux Reintroduction-Basics- https://www.ffri.jp/assets/files/monthly_research/MR201406_A%20Re-introduction%20to%20SELinux_JPN.pdf

25.10. Editing the terminal menu during boot In Red Hat Enterprise Linux 7, rescue mode is equivalent to single-user mode and requires a root password. https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-terminal_menu_editing_during_boot

Change root password in CentOS7 single user mode https://it.rin-ka.net/centos7-single-mode/

Reset root password https://www.server-world.info/query?os=CentOS_7&p=resetpass

Access GRUB and single-user mode using a serial console https://docs.microsoft.com/ja-jp/azure/virtual-machines/troubleshooting/serial-console-grub-single-user-mode

Understanding "Systemd" -System startup- http://equj65.net/tech/systemd-boot/

kernel-parameters.txt https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt

26.3. Boot in single user mode (grub legacy) https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/5/html/installation_guide/s1-rescuemode-booting-single

Red Hat Enterprise Linux-I want to boot in single user mode (grub legacy) https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c01982340

How to enter equal "=" in GRUB https://users.miraclelinux.com/support/?q=node/154
