Status: Ready for Review
Affects Version/s: FACT 3.3.0
Fix Version/s: FACT 3.11.4
RHEL 6 and RHEL 7
Release Notes:Bug Fix
Release Notes Summary:Facter now indicates if SELinux is enabled on the system by also checking for the existence of the /etc/selinux/config file in addition to checking for the presence of the SELinux filesystem.
I'm working with a user who had to write their own fact to parse the output of sestatus. I was surprised and did a little digging. They have found that on their systems, Facter says that SE Linux is enabled but permissive. However, it is disabled. (I assume that some kernel module is loaded that causes the appropriate /sys data to be populated, but SE Linux is not enabled)
Here's the code for our SE Linux fact:
Basically, the assumptions are not true for this user:
[root@rhel7 ~]# facter -p selinux
[root@rhel7 ~]# grep selinuxfs /proc/self/mounts
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
[root@rhel7 facter]# cat /sys/fs/selinux/enforce
[root@rhel7 ~]# getenforce
[root@rhel7 ~]# sestatus
SELinux status: disabled
So basically, the code seems to indicate that if /sys/fs/selinux exists, the SE linux is enabled and if /sys/fs/selinux/enforce is zero, that it's in permissive mode.
However, as can be plainly seen, getenforce and sestatus both show that SE Linux is disabled, but both would say permissive if that were the case
I suggest that if our SE Linux fact disagrees with getenforce and sestatus, we should probably change our fact.