Unable to boot servers with SELinux in Enforcing - unable to mount /boot/efi
Issue
- Systems are unable to boot when SELinux runs in Enforcing mode. The following services fail to start:
  - boot-efi.mount
  - proc-sys-fs-binfmt_misc.mount
  - systemd-binfmt.service
- Boot logs show several errors related to systemd-binfmt and mount:
  May 10 07:39:48 hostname systemd-binfmt[674]: Failed to add binary format: No such device
  May 10 07:39:48 hostname systemd[1]: Mounted /boot.
  May 10 07:39:48 hostname lvm[675]: 2 logical volume(s) in volume group "vgroot" monitored
  May 10 07:39:48 hostname mount[684]: mount: /proc/sys/fs/binfmt_misc: unknown filesystem type 'binfmt_misc'.
  May 10 07:39:48 hostname mount[693]: mount: /proc/sys/fs/binfmt_misc: unknown filesystem type 'binfmt_misc'.
  May 10 07:39:48 hostname mount[697]: mount: /proc/sys/fs/binfmt_misc: unknown filesystem type 'binfmt_misc'.
  May 10 07:39:48 hostname systemd-fsck[718]: fsck.fat 4.1 (2017-01-24)
  May 10 07:39:48 hostname systemd-fsck[718]: /dev/sda1: 14 files, 1475/131068 clusters
  May 10 07:39:48 hostname systemd[1]: Started File System Check on /dev/sda1.
  May 10 07:39:48 hostname systemd[1]: Mounting /boot/efi...
  May 10 07:39:48 hostname mount[721]: mount: /boot/efi: unknown filesystem type 'vfat'.
  May 10 07:39:48 hostname systemd[1]: boot-efi.mount: Mount process exited, code=exited status=32
  May 10 07:39:48 hostname systemd[1]: boot-efi.mount: Failed with result 'exit-code'.
  May 10 07:39:48 hostname systemd[1]: Failed to mount /boot/efi.
- There is a considerable difference in the number of kernel modules loaded with SELinux set to Enforcing vs Permissive:
  # lsmod | wc -l   # Enforcing
  28
  # lsmod | wc -l   # Permissive
  53
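The two symptoms above (mount reporting an unknown filesystem type, and far fewer modules loaded in Enforcing than in Permissive) can be correlated mechanically from a saved journal and two `lsmod` captures. The following script is an added example, not part of this article and not Red Hat tooling; the boot-log lines are the ones quoted above, while the `lsmod` excerpts and module names are constructed samples (the article only gives the counts 28 and 53). It extracts every filesystem type the kernel refused, lists the units that failed, diffs the module sets, and reports which refused filesystem types correspond to a module that loads only in Permissive mode.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the boot-log lines quoted in the article, one per line.
BOOT_LOG = """\
May 10 07:39:48 hostname systemd-binfmt[674]: Failed to add binary format: No such device
May 10 07:39:48 hostname systemd[1]: Mounted /boot.
May 10 07:39:48 hostname mount[684]: mount: /proc/sys/fs/binfmt_misc: unknown filesystem type 'binfmt_misc'.
May 10 07:39:48 hostname mount[693]: mount: /proc/sys/fs/binfmt_misc: unknown filesystem type 'binfmt_misc'.
May 10 07:39:48 hostname systemd-fsck[718]: fsck.fat 4.1 (2017-01-24)
May 10 07:39:48 hostname systemd[1]: Mounting /boot/efi...
May 10 07:39:48 hostname mount[721]: mount: /boot/efi: unknown filesystem type 'vfat'.
May 10 07:39:48 hostname systemd[1]: boot-efi.mount: Mount process exited, code=exited status=32
May 10 07:39:48 hostname systemd[1]: boot-efi.mount: Failed with result 'exit-code'.
May 10 07:39:48 hostname systemd[1]: Failed to mount /boot/efi.
"""

# Constructed `lsmod` excerpts with hypothetical module names; real captures are much longer.
LSMOD_ENFORCING = """\
Module                  Size  Used by
dm_mod                147456  3
xfs                  1540096  2
"""

LSMOD_PERMISSIVE = """\
Module                  Size  Used by
dm_mod                147456  3
xfs                  1540096  2
vfat                   20480  1
fat                    81920  1 vfat
binfmt_misc            24576  1
"""

# "mount: <target>: unknown filesystem type '<fstype>'." as emitted by util-linux mount
UNKNOWN_FS = re.compile(r"mount: (?P<target>\S+): unknown filesystem type '(?P<fstype>[^']+)'")
# systemd's per-unit failure lines, e.g. "boot-efi.mount: Failed with result 'exit-code'."
UNIT_FAIL = re.compile(r"(?P<unit>[\w@.-]+\.(?:mount|service|socket)): "
                       r"(?:Mount process exited|Failed with result)")


def unknown_fs_types(log: str) -> Dict[str, str]:
    """Map each mount target to the filesystem type the kernel did not recognise."""
    found: Dict[str, str] = {}
    for line in log.splitlines():
        m = UNKNOWN_FS.search(line)
        if m:
            found[m.group("target")] = m.group("fstype")
    return found


def failed_units(log: str) -> List[str]:
    """Units that systemd reported as failed, in first-seen order, without duplicates."""
    units: List[str] = []
    for line in log.splitlines():
        m = UNIT_FAIL.search(line)
        if m and m.group("unit") not in units:
            units.append(m.group("unit"))
    return units


def _module_names(lsmod_output: str) -> Set[str]:
    """First column of `lsmod` output, skipping the header line."""
    return {line.split()[0] for line in lsmod_output.splitlines()[1:] if line.strip()}


def missing_modules(enforcing: str, permissive: str) -> Set[str]:
    """Modules present in the Permissive capture but absent from the Enforcing one."""
    return _module_names(permissive) - _module_names(enforcing)


def correlate(fs_by_target: Dict[str, str], missing: Set[str]) -> Dict[str, bool]:
    """For each refused filesystem type, whether a module of the same name is among the
    modules that only load in Permissive mode (the pattern the article describes)."""
    return {fstype: fstype in missing for fstype in set(fs_by_target.values())}


if __name__ == "__main__":
    refused = unknown_fs_types(BOOT_LOG)
    missing = missing_modules(LSMOD_ENFORCING, LSMOD_PERMISSIVE)
    print("failed units:", failed_units(BOOT_LOG))
    print("refused filesystem types:", refused)
    print("modules loaded only in Permissive:", sorted(missing))
    for fstype, only_permissive in correlate(refused, missing).items():
        print(f"  {fstype}: module loads only in Permissive -> {only_permissive}")
```

On a real host, replace the constructed strings with the output of `journalctl -b -1 --no-pager` from the failed boot and `lsmod` captured once in each mode. A filesystem type whose module appears only in the Permissive set points at SELinux blocking module loading rather than at a missing or corrupt module, so the next thing to examine is the audit log for denials around boot time (for example `ausearch -m AVC -ts boot`).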
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9