Selinux will prevent any changes made to system files if you just boot with init=/bin/sh, so do it right:
mount -o remount,rw /sysroot
chroot /sysroot
Now do your changes, then CTRL + D to exit chroot, then reboot. Please remember to restore selinux file contexts after the reboot as some files may be incorrect after your changes:
restorecon -Rv /
grubby --remove-args="rhgb quiet" --update-kernel=ALL
It is no longer possible to navigate to the first line (CTRL + W, then CTRL + Y) nor to the last line (CTRL + W, then CTRL + V).
In nano 4.0 the commands have changed. Now you type:
Hint: You can keep holding the CTRL key and then just type the letters, there's no reason to release CTRL.
When doing the base install of Fedora 30 server, I was unable to log in to the console (neither as root nor as any other user) and sshd wouldn't start. I managed to reboot the box with selinux disabled and ran some selinux debugging to find the cause. I finally compiled a module with all the missing bits and made it available to you guys:
Alright, let's fix the selinux issues that prevent us from actually logging in via SSH or local login (tty). At the same time we fix some other minor selinux hiccups (e.g. with NetworkManager and iptables-services):
Following this tutorial you will be installing a selinux module which will persist across OS updates. Please read all of this thoroughly so you will know how to remove the module at a later time once the final FC30 is released. Also remember that you shouldn't blindly install a compiled selinux module from an untrusted source; I am just supplying this for the impatient ones. If you are security-aware, you will compile it from the .te file that I've included in the archive. Last updated: March 31st, 2019.
dnf install -y tar gzip policycoreutils
tar -zxvf chot-fc30-beta1.8-2.tar.gz
semodule -i chot-fc30-beta1.8-2.pp
restorecon -Rv /
sync
reboot
Fyi, this is the updated module after restoring selinux file contexts:
module chot-fc30-beta1.8-2 1.0;

require {
    type iptables_t;
    type unconfined_service_t;
    type sshd_t;
    type getty_t;
    type chkpwd_t;
    type init_t;
    type unconfined_t;
    type insmod_t;
    type tty_device_t;
    type dhcpc_t;
    type NetworkManager_t;
    type initrc_t;
    type local_login_t;
    class process { noatsecure rlimitinh siginh };
    class chr_file { read write };
}

#============= NetworkManager_t ==============
allow NetworkManager_t dhcpc_t:process { noatsecure rlimitinh siginh };
allow NetworkManager_t initrc_t:process { noatsecure rlimitinh siginh };

#============= chkpwd_t ==============
allow chkpwd_t tty_device_t:chr_file { read write };

#============= getty_t ==============
allow getty_t local_login_t:process { noatsecure rlimitinh siginh };

#============= init_t ==============
allow init_t chkpwd_t:process siginh;
allow init_t unconfined_service_t:process siginh;
allow init_t unconfined_t:process siginh;

#============= iptables_t ==============
allow iptables_t insmod_t:process { noatsecure rlimitinh siginh };

#============= local_login_t ==============
allow local_login_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow local_login_t unconfined_t:process { noatsecure siginh };

#============= sshd_t ==============
allow sshd_t chkpwd_t:process { noatsecure rlimitinh siginh };
At a later time, if you wish to remove this selinux module, issue the following command:
semodule -r chot-fc30-beta1.8-2
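Before compiling the .te yourself, as recommended above, it helps to see exactly which allow rules it contains. The script below is an added example, not part of the original post or its archive: it lists a .te file's allow rules, reports any rule that grants a permission outside the set used in the listing above, and builds the .pp with checkmodule and semodule_package. The function names and the sample policy are constructed for illustration, and checkmodule is assumed to be installed (on Fedora it ships in the checkpolicy package).

```sh
#!/bin/sh
# Added example: review a module's .te source, then build it locally.

# Print each allow rule as "source target:class perm ...", one rule per line.
te_allow_rules() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | tr ';' '\n' | awk '
        match($0, /(^|[^A-Za-z_])allow[ \t]+/) {
            $0 = substr($0, RSTART + RLENGTH)
            gsub(/[{}]/, " "); $1 = $1; print
        }'
}

# Print rules granting any permission outside the space-separated list in $2.
te_unexpected_rules() {
    te_allow_rules "$1" | awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okp[a[i]] = 1 }
        { for (i = 3; i <= NF; i++) if (!($i in okp)) { print; next } }'
}

# Compile foo.te to foo.pp (checkmodule is assumed to be installed).
build_module() {
    name=${1%.te}
    checkmodule -M -m -o "$name.mod" "$1" &&
        semodule_package -o "$name.pp" -m "$name.mod"
}

# Constructed sample policy: three rules from the listing plus one extra.
write_sample_te() {
    cat > "$1" <<'EOF'
module sample 1.0;
require {
    type sshd_t; type chkpwd_t; type init_t; type tty_device_t;
    class process { noatsecure rlimitinh siginh };
    class chr_file { read write ioctl };
}
#============= sshd_t ==============
allow sshd_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow chkpwd_t tty_device_t:chr_file { read write };
allow init_t chkpwd_t:process siginh;
# constructed rule that is not in the listing
allow init_t tty_device_t:chr_file { read write ioctl };
EOF
}

# Demo: only the rule with the extra permission is reported.
sample=$(mktemp) && write_sample_te "$sample"
te_unexpected_rules "$sample" "noatsecure rlimitinh siginh read write"
rm -f "$sample"
```

Run te_unexpected_rules against the extracted .te with the same permission list; empty output means every rule stays within the permissions shown in the listing, and build_module then produces the .pp to pass to semodule -i.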
Things have improved since Beta 1.8; I've done another test, this time dist-upgrading from fc29. But there are still some issues, which are documented here. Make sure you install all available updates from fedora-testing before using this updated module (or… re-install using a later build than Beta 1.8): linux-fc30-selinux-issues