CentOS 9 - changing SELinux disabled to permissive

[kathyl1721]

As the title says, we have a Centos 9 Stream device where SELinux is set to disabled. We want it to be permissive. In /etc/selinux/config I changed the line to permissive - SELINUX=permissive. Then I ran

Code: Select all

grubby --update-kernel ALL --remove-args selinux

and reboot. After reboot I issue a sestatus and it still says it is disabled. I also tried fixfiles -F onboot but that did not work. What am I doing incorrectly?

[TrevorH]

Is /etc/sysconfig/selinux a symlink to ../selinux/config ? It should be.

[kathyl1721]

Yes it is.

[lightman47]

Throwing this out here:

I use "sudo getenforce" to find out the current status, and "sudo setenforce (enforcing|permissive|disabled) to change the default.

[kathyl1721]

I've done that also, but always get the response that SElinux is disabled.

[lightman47]

What's set in /etc/selinux/config?

[jlehtone]

... "sudo setenforce (enforcing|permissive|disabled)" to change the default.

AFAIK, the 'setenforce' does merely change current running status; not update config that is used on next boot.

[TrevorH]

Show the full contents of /etc/selinux/config and of /proc/cmdline, also the output from `uname -a`

[kathyl1721]

Sorry for the delay. After I change selinux to permissive, /etc/selinux/config looks like this:

SELINUX=permissive
SELINUXTYPE=targeted


uname -a:

5.14.0-419.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Feb 7 23:01:41 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

/proc/cmdline:

BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0-419.el9.x86_64 root=/dev/mapper/hostname-root ro crashkernel=1G-4G:192M,4G-64G:265M,64G-:512 resume=/dev/mapper/hostname-swap rd.lvm.lv=hostname-root rd.lvm.lv=hostname/swap

[TrevorH]

How about the output from `rpm -Va \*selinux\*`

Otherwise I would suggest reading your logs, probably either /var/log/messages or /var/log/secure to see if there are any selinux related errors at boot time.