Problem
Various CentOS Linux 8 servers freeze/hang when changing SELinux Booleans.
Details and research
We manage hundreds of CentOS Linux servers. Lately we see deviant behavior on some (but not all) servers when changing SELinux Booleans. Just opon the change commands the server completely freezes and no ICMP/SSH/TTY is possible at all. Only a bare power cycle will restore the functionality.
Scope:
- Various CentOS Linux 8 installations (8.1 - 8.3).
- SELinux is enabled in Enforcing Mode on all servers.
- No consistency found in which servers have this problem.
- The problem exists cross OS minor release.
- The problem exists cross kernel releases.
What I've tried
Changing the SELinux Booleans by using the setsebool command, or changing it by altering the pseudo-fs /sys/fs/selinux result both in the same reproducable errors.
The sequences I've tried (see below) have the zabbix_run_sudo boolean as example, but the behavior also applies to other booleans.
Using setsebool
Execute setsebool zabbix_run_sudo on freezes the server immediatly. Expected behavior is that the command runs for a max of a few seconds and then return to shell.
Using strace on this command shows this tool is altering the SELinux pseudo-fs (/sys/fs/selinux) and during the second step the server hangs.
Altering the SELinux pseudo-fs
When altering the SELinux pseudo-fs manualy, by echoing 1 to some paths I can mimic the use of the previous tested setsebool tool. These steps are also documented on The Geek Diary website: https://www.thegeekdiary.com/understanding-selinux-booleans/
The tested steps:
echo 1 > /sys/fs/selinux/booleans/zabbix_run_sudo(no problem)echo 1 > /sys/fs/selinux/commit_pending_bools(freezes the server)
Now I'm a bit out of options because I really like to have SELinux in enforcing mode, but also need various SELinux Booleans to be configured. I can not consistently recreate a working of failing server. Because of some variance I'm not currently aware off, different servers deployments end up in different states.
Any help on how to debug and fix this issue is very welcome!
