SELinux: getenforce says 'Disabled' but config file says 'permissive'
I've got one server which, according to the /etc/selinux/config file, the mode is set to "permissive" but when I run getenforce, it reports the it is disabled. Yes, the server has been restarted, so I would think it should be in permissive mode.
I thought I had seen information about setting SELinux mode during boot. I can't remember if it was something in inittab or grub.conf, but I've checked both of those areas and there is no reference to SELinux in either place. So, at this point, it is unclear why this server showing that it's disabled.
Any ideas?
Responses
Guru
6863 points
I'm not sure how this would impact a system, but... can you look at:
[root@cypher ~]# ls -l /etc/selinux/config
-rw-r--r--. 1 root root 547 Apr 30 09:43 /etc/selinux/config
[root@cypher ~]# ls -l /etc/sysconfig/selinux
lrwxrwxrwx. 1 root root 17 Apr 30 09:43 /etc/sysconfig/selinux -> ../selinux/config
[root@cypher ~]# ls -lZ /etc/selinux/config
-rw-r--r--. root root system_u:object_r:selinux_config_t:s0 /etc/selinux/config
And make sure the file in /etc/sysconfig is still a symlink. Also - I wonder if the context is changed on a file which is neccsarry for SElinux to start, if it would just disable the whole stack (i.e. if someone did an mv of config file, or if someone did a chmod 777 to the config file, or changed the owner - and SElinux saw that when it started, it would disable the whole stack.)
do you see SElinux initializing in /var/log/messages?
Guru
6863 points
I believe the label should still be 'selinux_config_t' (even though SElinux is currently disabled) like in the following example:
[root@rhel6 ~] # grep ^SELINUX= /etc/selinux/config
SELINUX=disabled
[root@rhel6 ~] # ls -lZ /etc/selinux/config
-rw-r--r--. root root system_u:object_r:selinux_config_t:s0 /etc/selinux/config
It almost seems as though at one point SELinux was not enabled then re-enabled (possibly)? Which shoudl have relabeled the entire file systems after the reboot.
I'm sure support could get this sorted in no time ;-) But, if I was in this situation, I would want to test a few things. I would first try to relabel the entire system, which can take quite a while.
DISCLAIMER: I have heard of systems being so out of compliance that the person first needed to set SElinux to PERMISSIVE, then relabel, the set to ENFORCING. (i.e. could not simply go to ENFORCING).
Check out the following doc (and the Note at the bootom)
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
And.. this is part of the reason I love helping out at the Portal - I just discovered a justification why you should use PERMISSIVE rather than DISABLED (from the Sec Doc above)
"Also, files created while SELinux is disabled are not labeled."
Guru
6863 points
My pleasure - I wish I knew the "silver bullet" but.. I think you'll get this resolved.
This thread made me also wonder about something else (when you mentioned grub.conf) - I guess I had not considered that to be the culprit. For the benefit of others that happen upon this thread, grub.conf could actually have been playing a role in this as well (though Dan said he checked there)
https://access.redhat.com/solutions/3176
Make sure SELinux is not disabled using Grub boot loader.
Search /boot/grub/grub.conf for selinux
# egrep -i 'selinux|enforcing' /boot/grub/grub.conf
(/boot/efi/EFI/fedora/grub.cfg) for Fedora, with EFI.
Check out this link, I wonder if you have to enable the "policycoreutils".
See this Red Hat documentation.
*I have no idea why my reply turned into a zero. Fixed.
Guru
6827 points
Hi Samantha, I noticed you mentioned:
(### quoted)
Check out this link, I wonder if you have to enable the "policycoreutils".
See this Red Hat documentation.
(### end quoted)
Dan, perhaps in addition to what James wrote, check out this bit Samantha found...
Guru
6863 points
Good find!
BTW - If you use Satellite (or RHN probably allows this also) you can create a profile of a "known good" system and then compare your other systems to see what the package differential is. Otherwise, you might want to run a rpm -ql | sort on both systems and run an sdiff against the 2 outputs.
After looking at the file list of selinux-policy-targeted - I guess that makes sense. I thought the contexts were acquired by looking at the rpm manifest. I need to do some learning ;-)
[root@apoc files]# grep \/etc\/selinux /etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?users(/.*)? -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?logins(/.*)? system_u:object_r:selinux_login_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?setrans\.conf -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- system_u:object_r:semanage_trans_lock_t:s0
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0
Another curiosity thing again - I wonder what would have happened had you run a restorecon -Fv /etc/selinux/config before you installed the missing package. Crazy!
Guru
6827 points
If the server is virtual (vmware), perhaps snapshot it first. or clone it and test it on the clone.
Guru
6827 points
Dan you are using Targeted SELinux, not MLS SELinux, right? If MLS SELinux, remember to check this Red Hat article, particularly the grub boot directive or the system will panic guaranteed upon reboot (ask me how I know, at least it used to when changing to MLS SELinux under RHEL 5).
Guru
6863 points
Just to let you know - working with profiles is one of the easier areas to get familiar with. (which is one thing I like about Satellite, you can pick-and-chose which features to use and go at your own pace when you want to utilize them). I mostly use them for reporting and comparing hosts - but you can also use them to sync systems to a known-good profile - or when we do significant upgrades, we first create a profile that we can roll back to.
Over the past year I developed our use of activation keys - mostly to manage which parent/child channels the host will subscribe to, in addition to the config channels. Working on that was reasonably complicated (for me anyhow ;-)
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.