Selinux disabled, but still enforcing

fedoraselinux

I have some systems where, for various reasons, we want to completely disable selinux. To date, this has worked like a champ, with always using selinux=0 in the kickstarts and ensuring that /etc/sysconfig/selinux contains:

SELINUX=disabled

But as of today, I have one Fedora 17 workstation that is properly set up, yet following many reboots, it always comes up in enforcing mode:

# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

# getenforce
Enforcing

What could be causing selinux to ignore the sysconfig entry, or to start despite it?

[Edit 1]

I saw a related question here and tried this:

# selinuxenabled ; echo $?
0
# getenforce
Enforcing

Best Answer

The actual config file is /etc/sellinux/config to which /etc/sysconfig/selinux links. It seems you might have lost the link and ended up with a regular file.

Verify that:

# ls -l /etc/sysconfig/selinux
lrwxrwxrwx. 1 root root 17 Dec 22 18:59 /etc/sysconfig/selinux -> ../selinux/config

or check the contents of /etc/selinux/config

Related Solutions

Postfix won’t run while selinux in enforcing mode

If you ever need ipv6 enabled, the way to solve this would be to build and install a custom SELinux policy, based on these errors:

# grep postfix_master /var/log/audit/audit.log | audit2allow -m postfixCustom > postfix.te
# checkmodule -M -m -o postfix.mod postfix.te
# semodule_package -m postfix.mod -o postfix.pp 
# semodule -i postfix.pp

CentOS 6 kickstart ignoring ‘selinux –disabled’

The CentOS 6 installer loads the policies in permissive mode by default (which I confirmed by running dmesg during the installation). That meant by the post installation step, SELinux is already active. As long as it is running, it doesn't look like you can remove the attributes.

You will have to pass the following someplace prior to the start of the installation (right at the end of kernel the boot loader line):

selinux=0

So something like this:

kernel /boot/vmlinuz-2.4.20-XXXXXXXXX ro root=/dev/hda1 nousb selinux=0

Here is what happens when you attempt to remove the attributes while in permissive mode (forgive the formatting, SF appears to be unhappy):

[root@centos6dev test]# find . -exec setfattr -x security.selinux {} \;
setfattr: .: Permission denied
setfattr: ./test2: Permission denied
setfattr: ./test3: Permission denied
setfattr: ./test: Permission denied

With selinux disabled from grub at boot time:

[root@centos6dev test]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test2
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test3
[root@centos6dev test]# find . -exec setfattr -x security.selinux {} \;
[root@centos6dev test]# ls -la
total 8
drwxr-xr-x  2 root root 4096 Dec 13 22:27 .
dr-xr-x---. 4 root root 4096 Dec 13 22:27 ..
-rw-r--r--  1 root root    0 Dec 13 22:27 test
-rw-r--r--  1 root root    0 Dec 13 22:27 test2
-rw-r--r--  1 root root    0 Dec 13 22:27 test3
[root@centos6dev test]# ls -Z
-rw-r--r-- root root ?                                test
-rw-r--r-- root root ?                                test2
-rw-r--r-- root root ?                                test3

Based on this as well as this bug report, this probably means you won't be able to remove the attributes in the post install. So as I outlined, you'll need to disable selinux prior to booting up the installation.

(or you can just leave it alone and learn to live with it. :) ).

Related Topic