Knowledge Base:Booting SELinux with an initramfs
Trying to boot in SELinux enforcing mode with an initramfs fails.
* Mounting /dev mknod: '/dev/console': Permission denied mknod: '/dev/tty1': Permission denied mknod: '/dev/tty': Permission denied mknod: '/dev/null': Permission denied mknod: '/dev/kmsg': Permission denied * Starting udev * Failed to start udev * ERROR: udev failed to start
SELinux-enabled systems, booting in enforcing mode, whereas the system is prepared using an initramfs first.
The initramfs tries to prepare the system, but by doing so creates files that are wrongly labeled. When the initramfs handles over control of the system to the init application, this application loads in the SELinux policy, enables SELinux enforcing mode and continues. As the files (and directories) are wrongly labeled, the applications do not have the proper privileges to continue and the system freezes.
Right now, we are in the process of figuring out which privileges are needed and if we can update the initramfs to load the policy earlier (so that newly created files or directories are immediately labeled correctly). If you do need to boot in enforcing mode, we recommend the following steps:
- Boot the system in permissive mode. For production systems, this might mean that you need to enable SELinux development mode
- During the boot-up sequence, switch on enforcing mode. You can do this through the /etc/local.d files if you want, or in an init script called earlier.
- After switching enforcing mode, toggle the secure_mode_policyload SELinux boolean. This will prohibit switching back to permissive mode as long as the system is operational (in other words, until you reboot again)