Fedora 14 does not respect /etc/sysconfig/selinux?

Eric Warnke ewarnke at albany.edu
Wed May 11 14:31:52 UTC 2011


I have a number of testing systems installed with Fedora 14.  They were
installed with the minimal profile, have no 3rd party repositories or
RPMs installed, are fully up-to-date, and were exhibiting some strange
behavior with the corosync/pacemaker packages.

The problems with corosync are a direct result of the system not
respecting the /etc/sysconfig/selinux directives.  I have attached some
sessions below to show the errant behavior.

Boot 1:
[root at tiny ~]# uptime
08:30:43 up 0 min,  1 user,  load average: 0.15, 0.06, 0.02
[root at tiny ~]# getenforce
Enforcing
[root at tiny ~]# more /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Boot 2:
[root at tiny ~]# uptime
08:33:01 up 0 min,  1 user,  load average: 0.30, 0.06, 0.02
[root at tiny ~]# getenforce
Enforcing
[root at tiny ~]# cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

After a call to setenforce 0
[root at tiny ~]# getenforce
Permissive

As you can clearly see, the SELINUX directive is being ignored during boot.
I have had to move startup of the affected packages to /etc/rc.local
after a call to setenforce 0.

Cheers,
Eric Warnke
Research IT Group
SUNY at Albany
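
A drift check for the mismatch shown in the sessions above, as an added example that is not part of the original post: it compares the SELINUX= value in the config file with the mode getenforce reports. The function names are hypothetical, and the look at the selinux= and enforcing= kernel parameters goes beyond what the post examined.

```shell
#!/bin/sh
# Added example (not from the original post): detect drift between the SELinux
# mode in the config file and the mode the running system reports.

# First uncommented SELINUX= value in file $1, lower-cased (empty if none).
configured_mode() {
    sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$1" | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# Mode requested by kernel parameters in string $1, if any. The selinux= and
# enforcing= parameters are standard kernel options; checking them here is an
# assumption of this example, not something the post examined.
cmdline_override() {
    override=""
    for arg in $1; do
        case "$arg" in
            selinux=0)   override="disabled"; break ;;
            enforcing=1) override="enforcing" ;;
            enforcing=0) override="permissive" ;;
        esac
    done
    printf '%s\n' "$override"
}

# check_drift CONFIG_FILE RUNTIME_MODE [KERNEL_CMDLINE]
# Returns 0 when they agree, 1 on drift, 2 when the file has no SELINUX= line.
check_drift() {
    want=$(configured_mode "$1")
    have=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    forced=$(cmdline_override "${3:-}")
    [ -n "$want" ] || { echo "UNKNOWN: no SELINUX= line in $1"; return 2; }
    [ "$want" != "$have" ] || { echo "OK: configured=$want runtime=$have"; return 0; }
    echo "DRIFT: configured=$want runtime=$have${forced:+ (kernel command line requests $forced)}"
    return 1
}

# Constructed sample mirroring "Boot 1" in the post: the file says permissive,
# getenforce says Enforcing. The kernel command line is also constructed.
sample=$(mktemp)
printf '# SELINUX= can take one of these three values:\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$sample"
check_drift "$sample" "Enforcing" "ro root=/dev/sda1 quiet" || true
rm -f "$sample"

# On a live system:
#   check_drift /etc/sysconfig/selinux "$(getenforce)" "$(cat /proc/cmdline)"
```

A non-zero exit status makes the check usable from a boot-time script or a monitoring job.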



