Can't re-enable selinux

I need to re-enable selinux on a bunch of workstations that have had it disabled for a long time.
Permissions on /etc/selinux/config are 644 root:root.
When I try to change the SELINUX= line from disabled to enforcing, it gives me a "read only" error and won't let me save it, even though, as root, I'm supposed to be able to write to the file.
This is on RHEL 6.9.
Any ideas?

Responses

Hi Paul,

Please copy the complete error message, for it might not be the file giving the issue, but a file system or a disk. What workstations are you using: Virtual Machines or Physical?

Regards,

Jan Gerrit

Physical machines. When I open the file, it says "opening read only file". I edit the file anyway and when I go to save, it responds with "E505: "/etc/selinux/config" is read only (add ! to override)". When I use :w! to try to override, it gives me ""/etc/selinux/config" E212: Can't open file for writing".

I've tried it on 6 different workstations now, and 1 let me save the file, but after rebooting sestatus still said "SELinux status: disabled", even though /etc/selinux/config had it "SELINUX=enforcing". The file system for the "/" folder is ext4 with only the "defaults 1 1" options in /etc/fstab.

Hi Paul,

Could you have encountered this issue? https://www.linuxquestions.org/questions/linux-newbie-8/e212-cant-open-file-for-writing-i-have-root-access-4175431271/ It describes someone having removed the write permission on a file owned by root.

Regards,

Jan Gerrit

No, that's not it. The permissions on the file are 644, ownership root:root, and I'm editing as root. The selinux permissions on the file are "system_u:object_r:selinux_config_t:s0" (although if selinux is disabled, I'm thinking this probably wouldn't matter). As a test I just tried to change the permissions on config to something other than 644 and got this message - "changing permissions of 'config': Operation not permitted." Something is protecting this file beyond just the normal file permission settings.

There is only one option I could think of: Immutable attribute on the files.

lsattr /etc/selinux/config

----i--------e- /etc/selinux/config

If you see this:

chattr -i /etc/selinux/config

and try vi again.
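
The check from this answer, as an added example that is not part of the original thread: a shell function that parses lsattr output and reports files carrying the immutable (i) or append-only (a) attribute, so the same test can be repeated on each workstation. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report files whose ext2/3/4 attributes stop even root
# from writing. Input is lsattr output, one "<flags> <path>" per line, e.g.
#   ----i--------e- /etc/selinux/config

# Read lsattr lines on stdin; print "<path> <reason>" for each blocked file.
blocked_by_attr() {
    while read -r flags path; do
        [ -n "$path" ] || continue            # blank or malformed line
        case "$flags" in
            *[!A-Za-z-]*) continue ;;         # not a flags field (e.g. an error line)
            *i*) echo "$path immutable" ;;    # cleared with: chattr -i <path>
            *a*) echo "$path append-only" ;;  # cleared with: chattr -a <path>
        esac
    done
}

# Hypothetical wrapper for real files; needs lsattr (e2fsprogs) on the host.
# -d lists a directory itself instead of its contents.
check_paths() {
    lsattr -d "$@" 2>/dev/null | blocked_by_attr
}

# Constructed sample lines, not captured from a real host.
SAMPLE='----i--------e- /etc/selinux/config
-------------e- /etc/fstab
-----a-------e- /var/log/audit/audit.log'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | blocked_by_attr
```

On a workstation, check_paths /etc/selinux/config prints nothing when neither attribute is set.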

Cool, Jan Gerrit ! Learned something (again) - though I hope that I'll never face the need to use that solution ... :)

Regards,
Christian

Yes, that was it - thank you, that was driving me nuts!

Took me some time to remember this. Must have been 2004 or 2005 that it was mentioned in a RHEL 4 or RHEL 5 training.

It's always good to keep the brain in good shape ... here we have another perfect example which proves this ! :)

Regards,
Christian
