Let’s start with today’s symptom.
A server had SELinux enabled by mistake; as a result, nobody could log in to it, and all the original usernames and passwords were rejected. After SELinux was disabled, it returned to normal.
What I am curious about now is how SELinux prevents the passwd command from being executed in single-user mode.
SELinux principle:
SELinux is plugged into the Linux kernel as a module through LSM (Linux Security Modules), which adds a hook after the native Linux permission management. After the native permission check, one more check against the SELinux policy is made through this hook. This mechanism, known as type enforcement, allows control over various resources such as file reads and writes, directory attributes, TCP connections, and so on. It also covers restrictions on system administration, so it can restrict which users may execute passwd. That is to say, if you need to enable SELinux, you need a complete policy set. Management that is too strict makes daily administration very inconvenient; management that is too loose makes SELinux meaningless.
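A toy model of the check order described above, added here as an illustration and not taken from the original post: the native permission check runs first, then the hook consults a type enforcement policy that denies by default. The allow rules and the `rescue_shell_t` domain are constructed for the example; `passwd_t` and `shadow_t` are type names used by the SELinux reference policy.

```python
from dataclasses import dataclass

# Constructed toy policy: (source type, target type, class) -> permissions.
# Real policies hold many thousands of such rules; these two are illustrative.
ALLOW = {
    ("passwd_t", "shadow_t", "file"): {"read", "write"},
    ("sshd_t", "shadow_t", "file"): {"read"},
}

@dataclass
class Process:
    uid: int
    domain: str   # SELinux type of the running process

@dataclass
class File:
    owner: int
    mode: int     # classic permission bits, e.g. 0o600
    type: str     # SELinux type (label) of the file

def dac_allows(proc, f, perm):
    """Native Linux check (simplified to owner/other bits); root bypasses it."""
    if proc.uid == 0:
        return True
    bit = {"read": 4, "write": 2}[perm]
    shift = 6 if proc.uid == f.owner else 0
    return bool((f.mode >> shift) & bit)

def te_allows(proc, f, perm):
    """Type enforcement: denied unless an allow rule names this exact access."""
    return perm in ALLOW.get((proc.domain, f.type, "file"), set())

def access(proc, f, perm, enforcing=True):
    """DAC first, then the policy check behind the hook. Returns (granted, reason)."""
    if not dac_allows(proc, f, perm):
        return False, "DAC denied"
    if te_allows(proc, f, perm):
        return True, "granted"
    if enforcing:
        return False, "AVC denied"
    return True, "AVC denied (permissive: logged only)"

# Constructed sample objects: a shadow file and a root shell in a domain
# that the toy policy gives no rules to (rescue_shell_t is hypothetical).
SHADOW = File(owner=0, mode=0o600, type="shadow_t")
ROOT_SHELL = Process(uid=0, domain="rescue_shell_t")
```

With these samples, `access(ROOT_SHELL, SHADOW, "write")` is refused even though uid 0 passes the native check, which is the situation where being root is not enough.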