View Issue Details

IDProjectCategoryView StatusLast Update
0015668CentOS-7selinux-policypublic2019-01-07 07:06
ReporterViliam 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version7.6.1810 
Target VersionFixed in Version 
Summary0015668: sestatus and getenforce report incorrect SELinux status if /etc/selinux/config is missing
DescriptionIn case SELinux is already in enforcing or permissive mode and then /etc/selinux/config is removed, then sestatus and getenforce commands incorrectly report that SELinux is disabled.
Steps To Reproduce1. Verify that the current SELinux mode is enforcing or permissive:

[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

2. Delete or remove /etc/selinux/config

mv -b /etc/selinux/config /etc/selinux/config.backup

3. Observe that SELinux seems to be disabled however applications are still protected by SELinux as can be seen in /var/log/audit/audit.log:

[root@localhost ~]# getenforce
Disabled
[root@localhost ~]# sestatus
SELinux status: disabled

TagsNo tags attached.
abrt_hash
URL

Activities

Viliam

Viliam

2019-01-07 07:06

reporter   ~0033526

Please feel free to close the case now. The issue has been reported to RHEL (https://bugzilla.redhat.com/show_bug.cgi?id=1663550) and it is actually not a bug but a feature.

Issue History

Date Modified Username Field Change
2019-01-04 20:00 Viliam New Issue
2019-01-07 07:06 Viliam Note Added: 0033526