Zabbix Agent on centos 7.3 (2/2)

I finished the previous post with a catastrophic situation: the VM didn't boot. I read on the internet that adding "selinux=0" on the kernel command line could fix it. Disabling SELinux from the kernel command line is interesting because SELinux is disabled at the very beginning of the boot process. So even if you have a broken SELinux configuration, you can bypass it and boot. Below is the official definition of the kernel argument:

 selinux=        [SELINUX] Disable or enable SELinux at boot time.
                        Format: { "0" | "1" }
                        See security/selinux/Kconfig help text.
                        0 -- disable.
                        1 -- enable.
                        Default value is set via kernel config option.
                        If enabled at boot time, /selinux/disable can be used
                        later to disable prior to initial policy load.

I rebooted the server and edited the command line to append "selinux=0". I checked the content of /etc/selinux/config:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=disabled

Damn it! SELINUXTYPE contains an invalid value. This is the cause of the boot failure. After replacing SELINUX=enforcing with SELINUX=disabled and SELINUXTYPE=disabled with SELINUXTYPE=targeted, the boot is fine.
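
The failure above came from a value that SELINUXTYPE does not accept. As an added example (not part of the original post), this shell function checks both keys against the values listed in the file's comments before a reboot; the function names and the optional policy-directory check are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): validate an SELinux config
# file before rebooting. Accepted values are the ones listed in the
# comments of the file shown above.

# get_key FILE KEY: print the value of the last uncommented KEY= line.
get_key() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_selinux_config FILE [POLICY_ROOT]
# Returns 0 if SELINUX and SELINUXTYPE are both valid, 1 otherwise.
# With POLICY_ROOT (normally /etc/selinux) it also requires the policy
# directory POLICY_ROOT/<SELINUXTYPE> to exist unless SELinux is disabled.
check_selinux_config() {
    cfg=$1; root=${2:-}; rc=0
    mode=$(get_key "$cfg" SELINUX)
    ptype=$(get_key "$cfg" SELINUXTYPE)
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "$cfg: invalid SELINUX='$mode'" >&2; rc=1 ;;
    esac
    case $ptype in
        targeted|minimum|mls) ;;
        *) echo "$cfg: invalid SELINUXTYPE='$ptype'" >&2; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ] && [ -n "$root" ] && [ "$mode" != disabled ] \
        && [ ! -d "$root/$ptype" ]; then
        echo "$cfg: policy directory $root/$ptype is missing" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample: the two active lines of the broken file from the post.
demo() {
    tmp=$(mktemp)
    printf 'SELINUX=enforcing\nSELINUXTYPE=disabled\n' > "$tmp"
    if check_selinux_config "$tmp"; then echo "config OK"; else echo "do not reboot yet"; fi
    rm -f "$tmp"
}
demo
```

On a real system the call would be `check_selinux_config /etc/selinux/config /etc/selinux`, run after any edit to the file and before rebooting.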

final note

A better solution is available to fix the problem and respect SELinux: Man geek Zabbix and SeLinux. It uses the Python utility audit2allow, which is part of the SELinux project. Other people say that just upgrading the SELinux policy solved the problem, but I didn't take the risk.

By @Romain JACQUET