3

I am on Fedora 29 and SELinux is currently disabled. I am trying to put it into permissive mode using setenforce permissive, but I always get the output "setenforce: SELinux is disabled", and the status still remains disabled. I looked and found out that it is not possible to do without a reboot. I am not looking to change SELinux system-wide; changing it at runtime should be OK. I am running the commands as root. Any ideas to make it work without a reboot?

# sestatus
SELinux status:                 disabled
# setenforce Permissive
setenforce: SELinux is disabled
# sestatus
SELinux status:                 disabled
sebasth
  • 14,872
Pensu
  • 131
  • 2
    Permissive (setenforce 0) means disabled. Enforcing (setenforce 1) means enabled. – Christopher Oct 10 '19 at 12:19
  • 1
    In /etc/sysconfig/selinux set SELINUX=permissive and make sure you don't have any kernel parameters (in grub.cfg) to disable selinux as well. Permissive mode will load selinux but won't block anything, and will allow you to change the state on the fly when needed. – Rabin Oct 10 '19 at 12:41
  • 2
    @Christopher no, permissive means enabled in permissive mode; if sestatus says “disabled”, then SELinux is fully disabled. setenforce toggles between the two enabled states, “permissive” and “enforcing”. – Stephen Kitt Oct 10 '19 at 13:30
  • @StephenKitt Nice catch - a nuance I had not perceived, having assumed the module was loaded. – Christopher Oct 10 '19 at 13:35

1 Answer

2

Enabling SELinux is not really possible without a reboot. If SELinux was disabled previously, the system needs to perform a full filesystem relabeling on the next boot. In addition to the difficulties of relabeling the filesystem on a running system, every process would still need to be restarted to get it running in the correct SELinux domain. In conclusion, enabling previously disabled SELinux, even in permissive mode, requires a reboot.

The different SELinux modes and what is involved in switching between them are explained in the Red Hat documentation.

sebasth
  • 14,872
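
The distinction drawn in the comments and the answer (permissive and enforcing are both enabled states that setenforce toggles, while disabled needs a config change, a reboot and a relabel) can be checked mechanically. The following is an added shell example, not part of the original thread; the function names, the step labels it prints and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether the SELinux mode can be switched at runtime
# or whether a reboot is required. Function names and step labels are
# hypothetical, chosen for this example.

# Print the mode from the first "SELINUX=" line of the config text.
# SELINUXTYPE= lines and commented lines do not match the pattern.
config_mode() {
    printf '%s\n' "$1" | sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' |
        head -n 1 | tr 'A-Z' 'a-z'
}

# Succeed if the kernel command line disables SELinux with selinux=0.
cmdline_disables() {
    case " $1 " in
        *" selinux=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# plan RUNTIME_STATE CONFIG_TEXT KERNEL_CMDLINE
# RUNTIME_STATE is what getenforce prints: Enforcing, Permissive or Disabled.
plan() {
    case "$1" in
        # SELinux is loaded: setenforce can toggle the mode right now.
        Enforcing|Permissive) echo "setenforce"; return 0 ;;
    esac
    # SELinux is disabled: list what must change before the reboot.
    steps=""
    if cmdline_disables "$3"; then steps="$steps drop-selinux=0"; fi
    if [ "$(config_mode "$2")" = "disabled" ]; then
        steps="$steps set-config-permissive"
    fi
    steps="$steps reboot-and-relabel"
    echo "${steps# }"
}

# Constructed sample inputs (not taken from a real machine).
CFG_DISABLED='# constructed sample
SELINUX=disabled
SELINUXTYPE=targeted'
CFG_PERMISSIVE='SELINUX=permissive
SELINUXTYPE=targeted'

plan Disabled "$CFG_DISABLED" "ro quiet"             # the asker's situation
plan Disabled "$CFG_PERMISSIVE" "ro selinux=0 quiet" # blocked by kernel parameter
plan Permissive "$CFG_PERMISSIVE" "ro quiet"         # runtime toggle is possible
```

On a live system the three arguments would come from `getenforce`, the config file named in the comments above (/etc/sysconfig/selinux) and /proc/cmdline.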