View Issue Details

ID: 0017842
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2020-11-11 21:15
Reporter: hunter86_bg
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version:
Target Version:
Fixed in Version:
Summary: 0017842: [CentOS 8.2.2004] Cannot set SELINUX in permissive
Description

Description of problem:
Setting 'permissive' in /etc/sysconfig/selinux is not honoured (still enforcing)

Version-Release number of selected component (if applicable):
libselinux-2.9-3.el8.x86_64
libselinux-utils-2.9-3.el8.x86_64
nfs-ganesha-selinux-3.3-2.el8.noarch
python3-libselinux-2.9-3.el8.x86_64
rpm-plugin-selinux-4.14.2-37.el8.x86_64
selinux-policy-3.14.3-41.el8_2.8.noarch
selinux-policy-devel-3.14.3-41.el8_2.8.noarch
selinux-policy-doc-3.14.3-41.el8_2.8.noarch
selinux-policy-targeted-3.14.3-41.el8_2.8.noarch

How reproducible:
Always

Actual results:
System is still in enforcing mode

Expected results:
SELINUX to be in permissive mode

Steps To Reproduce

Steps to Reproduce:
1. Set SELINUX to permissive as follows:
[root@glustere ~]# cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

2. Reboot
3. Verify status:

[root@glustere ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
[root@glustere ~]# uptime
 22:52:45 up 2 min, 2 users, load average: 0,89, 0,73, 0,30
[root@glustere ~]# getenforce
Enforcing

Additional Information

Additional info:
Workarounds that work:
- use 'enforcing=0' as kernel parameter

Tags: No tags attached.

Activities

TrevorH (manager) 2020-11-11 21:04 ~0037869

Is /etc/sysconfig/selinux correctly a symlink to ../selinux/config ?

hunter86_bg (reporter) 2020-11-11 21:05 ~0037870

BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1896922

hunter86_bg (reporter) 2020-11-11 21:05 ~0037871

Nope, pure file.

hunter86_bg (reporter) 2020-11-11 21:08 ~0037872

Seems that setting permissive in /etc/selinux/config works.

TrevorH (manager) 2020-11-11 21:15 ~0037873

It's meant to be a symlink not a file. I'd suspect a stray use of sed somewhere without the parameter that tells it to respect symlinks has broken it.
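
The failure mode discussed in this thread, reproduced in a throwaway sandbox. This is an added example, not part of the original report or of any CentOS tooling; it assumes GNU sed (whose `--follow-symlinks` option is the parameter that respects symlinks), and the function names and sandbox layout are hypothetical.

```shell
#!/bin/sh
# Constructed sandbox mirroring the real layout under a temp directory:
#   etc/selinux/config          (the file SELinux actually reads)
#   etc/sysconfig/selinux  ->   ../selinux/config
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux" "$root/etc/sysconfig"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$root/etc/selinux/config"
    ln -s ../selinux/config "$root/etc/sysconfig/selinux"
    echo "$root"
}

# Print "<kind>:<mode>": whether the sysconfig path is still a symlink,
# and which SELINUX= value the real config file holds.
describe() {
    root=$1
    if [ -L "$root/etc/sysconfig/selinux" ]; then kind=symlink; else kind=regular; fi
    mode=$(sed -n 's/^SELINUX=//p' "$root/etc/selinux/config")
    echo "$kind:$mode"
}

# In-place edit without symlink handling: sed writes a new file and renames
# it over the link, so the link becomes a regular file and the real config
# is never touched.
edit_plain() {
    sed -i 's/^SELINUX=.*/SELINUX=permissive/' "$1/etc/sysconfig/selinux"
}

# Same edit, but sed resolves the link first and rewrites its target.
edit_follow() {
    sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=permissive/' "$1/etc/sysconfig/selinux"
}

demo() {
    a=$(make_sandbox); edit_plain "$a"
    echo "sed -i                    -> $(describe "$a")"
    b=$(make_sandbox); edit_follow "$b"
    echo "sed -i --follow-symlinks  -> $(describe "$b")"
    rm -rf "$a" "$b"
}
demo
```

Calling `describe ""` runs the same check against the live `/etc` tree; a result starting with `regular:` matches the state reported in this issue.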

Issue History

Date Modified Username Field Change
2020-11-11 21:02 hunter86_bg New Issue
2020-11-11 21:04 TrevorH Note Added: 0037869
2020-11-11 21:05 hunter86_bg Note Added: 0037870
2020-11-11 21:05 hunter86_bg Note Added: 0037871
2020-11-11 21:08 hunter86_bg Note Added: 0037872
2020-11-11 21:15 TrevorH Status new => closed
2020-11-11 21:15 TrevorH Resolution open => won't fix
2020-11-11 21:15 TrevorH Note Added: 0037873