Cannot enable SELinux Enforcing Mode

Animalboy1968
Posts: 5
Joined: 2016/03/13 21:38:47

Cannot enable SELinux Enforcing Mode

Post by Animalboy1968 » 2017/05/17 17:45:56

Hi Guys, This is driving me nuts & I wonder if someone could help. My RPi3 is running a minimal install of CentOS7 which is running SELinux in Permissive Mode but I would like to enable Enforcing Mode. However, it doesn't seem to matter what I do, I just cannot get the setting to stick. Could someone please suggest what I might be doing wrong?

I have tried editing the /etc/selinux/config & running the touch /.autorelabel (my pics are too large for the post...sorry) but to no avail. I have tried the setenforce command, which I understand is more of a runtime command, but it does work; however, every time I reboot the setting goes back to permissive.
TIA
Roly
Just because you can do a thing, does not always mean that you should

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot enable SELinux Enforcing Mode

Post by TrevorH » 2017/05/17 17:52:19

Make sure that /etc/sysconfig/selinux is a symlink to /etc/selinux/config and that you have SELINUX=enforcing in that file.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Animalboy1968
Posts: 5
Joined: 2016/03/13 21:38:47

Re: Cannot enable SELinux Enforcing Mode

Post by Animalboy1968 » 2017/05/19 16:08:20

Thanks TrevorH, I think everything is set up the way it should be.
Attachment: SELinux01.JPG

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot enable SELinux Enforcing Mode

Post by TrevorH » 2017/05/19 17:05:09

The only other thing I can think of is that you have set it permissive on the kernel command line. What's in /proc/cmdline?

Animalboy1968
Posts: 5
Joined: 2016/03/13 21:38:47

Re: Cannot enable SELinux Enforcing Mode

Post by Animalboy1968 » 2017/05/20 09:30:43

I have never seen this location referenced in all the stuff that I have read on SELinux so I don't know how to read this but this is what it looks like...thank you for your continued support
Attachment: SELinux02.JPG (output from /proc/cmdline)

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot enable SELinux Enforcing Mode

Post by TrevorH » 2017/05/20 10:53:07

So that's where it's coming from but this is not where you alter it. The /proc filesystem is a "view" onto the kernel's internals and /proc/cmdline just shows you what arguments were used to boot the kernel. Since this is an rpi, I am not sure where you would change this lot but it is the "selinux=1 security=selinux enforcing=0" bit on the end of that line that causes you to come up in permissive mode - more specifically it's the enforcing=0 bit.

This appears to be a documented thing and instructions for enabling it are in the selinux section of https://wiki.centos.org/SpecialInterest ... a4c17bfd-3

Animalboy1968
Posts: 5
Joined: 2016/03/13 21:38:47

Re: Cannot enable SELinux Enforcing Mode

Post by Animalboy1968 » 2017/05/20 11:36:01

You are a f***ing star Trevor, thank you so much. I really don't know how I missed this. Next time I am out in Brighton, I live in Eastbourne, I will happily buy you a beer. Thanks once again.
Just because you can do a thing, does not always mean that you should
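
The diagnosis reached in this thread, as an added example that is not part of any poster's message: a shell function that reads the kernel command line and /etc/selinux/config and reports which of the two decides the SELinux mode at boot. The function names and the sample boot arguments other than the quoted "selinux=1 security=selinux enforcing=0" fragment are constructed for illustration, and the precedence order is the assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the SELinux mode a system will
# boot into and whether the kernel command line or the config file decided it.

# selinux_boot_mode [CMDLINE_FILE] [CONFIG_FILE]
# Prints "<mode> (<source>)", for example "permissive (cmdline)".
selinux_boot_mode() {
    cmdline_file=${1:-/proc/cmdline}
    config_file=${2:-/etc/selinux/config}

    # Split the boot arguments one per line and pick out selinux= and
    # enforcing=. "security=selinux" is a different argument and is skipped.
    # If an argument is repeated, this sketch keeps the last occurrence.
    kernel_selinux=$(tr ' ' '\n' < "$cmdline_file" | sed -n 's/^selinux=//p' | tail -n 1)
    kernel_enforcing=$(tr ' ' '\n' < "$cmdline_file" | sed -n 's/^enforcing=//p' | tail -n 1)

    # SELINUX= from the config file; comment lines and SELINUXTYPE= do not match.
    config_mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$config_file" | tail -n 1)

    # Assumed precedence: a disabled setting wins, then enforcing= on the
    # command line, and only then SELINUX= from the config file.
    if [ "$kernel_selinux" = 0 ]; then
        echo "disabled (cmdline)"
    elif [ "$config_mode" = disabled ]; then
        echo "disabled (config)"
    elif [ "$kernel_enforcing" = 0 ]; then
        echo "permissive (cmdline)"
    elif [ "$kernel_enforcing" = 1 ]; then
        echo "enforcing (cmdline)"
    else
        echo "${config_mode:-unknown} (config)"
    fi
}

# Demo on constructed files that mirror the situation in the thread:
# SELINUX=enforcing in the config, enforcing=0 on the kernel command line.
selinux_boot_mode_demo() {
    demo_dir=$(mktemp -d)
    echo 'console=tty1 rootwait selinux=1 security=selinux enforcing=0' > "$demo_dir/cmdline"
    printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
    selinux_boot_mode "$demo_dir/cmdline" "$demo_dir/config"
    rm -rf "$demo_dir"
}
```

Calling `selinux_boot_mode` with no arguments checks the live /proc/cmdline and /etc/selinux/config; `getenforce` then confirms the running mode after a reboot.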
