Write the phenomenon today:
A server due to misoperation started SELinux, resulting in the server can not log on, the original user name password all failed. After you close SELinux again, it returns to normal.
My curiosity now is that SELinux is based on what principle prevents the passwd command from being executed in single-user mode.
Seliunx principle:
Through a module LSM (Linux Security Modules) that is outside the Linux kernel, a hook is added to the native Linux rights Management, which increases the SELinux policy check after the native permission check. Through this mechanism called type coercion, it can be used for the management of file reading and writing, directory properties, TCP connection and other resources. This includes system management limitations and the ability to restrict passwd executable users. This means that if you need to enable selinux, you need a complete, comprehensive set of policies. Too strict management will bring great inconvenience to the daily management, management of the loose will lose the meaning.
A study of server anomalies that could result from the SELinux of Linux