[FACT-1477] SELinux fact not being correctly detected
Created: 2016/07/29  Updated: 2019/01/28

Status: Ready for Review
Project: Facter
Component/s: None
Affects Version/s: FACT 3.3.0
Fix Version/s: FACT 3.11.4

Type: Bug
Priority: Normal
Reporter: Paul Anderson
Assignee: Unassigned
Resolution: Unresolved
Votes: 1
Labels: docs_reviewed, linux, needs_repro, selinux
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: RHEL 6 and RHEL 7

Template:
Epic Link: unintended side efFACTs
Team: Platform OS
CS Priority: Reviewed
Release Notes: Bug Fix
Release Notes Summary: Facter now indicates if SELinux is enabled on the system by also checking for the existence of the /etc/selinux/config file in addition to checking for the presence of the SELinux filesystem.

 Description   

I'm working with a user who had to write their own fact to parse the output of sestatus. I was surprised and did a little digging. They have found that on their systems, Facter says that SE Linux is enabled but permissive. However, it is disabled. (I assume that some kernel module is loaded that causes the appropriate /sys data to be populated, but SE Linux is not enabled.)

Here's the code for our SE Linux fact:

https://github.com/puppetlabs/facter/blob/4a495e877d68648b6315b1a68755627de4c3c52d/lib/src/facts/linux/operating_system_resolver.cc#L61

Basically, the assumptions are not true for this user:

[root@rhel7 ~]# facter -p selinux
true
[root@rhel7 ~]# grep selinuxfs /proc/self/mounts
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0

[root@rhel7 facter]# cat /sys/fs/selinux/enforce
0

[root@rhel7 ~]# getenforce
Disabled
[root@rhel7 ~]# sestatus
SELinux status: disabled

So basically, the code seems to indicate that if /sys/fs/selinux exists, then SE Linux is enabled, and if /sys/fs/selinux/enforce is zero, that it's in permissive mode.

However, as can be plainly seen, getenforce and sestatus both show that SE Linux is disabled, but both would say permissive if that were the case.

I suggest that if our SE Linux fact disagrees with getenforce and sestatus, we should probably change our fact.



 Comments   
Comment by Vadym Chepkov [ 2018/12/17 ]

I still observe wrong fact detection:

# facter --version
3.11.6 (commit eb33a4d59e9b09d6c95028c215aa7d3081c097d3)
# facter os
{
  architecture => "x86_64",
  family => "RedHat",
  hardware => "x86_64",
  name => "RedHat",
  release => {
    full => "6.10",
    major => "6",
    minor => "10"
  },
  selinux => {
    config_mode => "disabled",
    current_mode => "permissive",
    enabled => true,
    enforced => false,
    policy_version => "24"
  }
}
# sestatus 
SELinux status:                 disabled
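
An added cross-check, not part of the original ticket and not Facter's code: it reads the selinuxfs mount, the enforce file, and SELINUX= in /etc/selinux/config (the file named in the release notes summary) and flags any disagreement between them. The function names, the ROOT argument, and the rule that a disabled or missing config wins over a mounted selinuxfs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Facter's code. ROOT lets the check run against a
# constructed directory tree; leave it empty to inspect the live system.

# Print the selinuxfs mount point listed in ROOT/proc/self/mounts, if any.
selinuxfs_mount() {
    awk '$3 == "selinuxfs" { print $2; exit }' "$1/proc/self/mounts" 2>/dev/null || true
}

# Print the SELINUX= value from ROOT/etc/selinux/config, or "missing".
selinux_config_mode() {
    cfg="$1/etc/selinux/config"
    [ -f "$cfg" ] || { echo missing; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unset}"
}

# Print "<state> <agreement>": state is disabled, permissive or enforcing;
# agreement is "mismatch" when the kernel signal and the config file disagree.
selinux_state() {
    root="${1%/}"
    mnt=$(selinuxfs_mount "$root")
    cfg=$(selinux_config_mode "$root")
    if [ -z "$mnt" ]; then
        # Assumption: no selinuxfs mounted means disabled, whatever the config asks for.
        case "$cfg" in
            enforcing|permissive) echo "disabled mismatch" ;;
            *) echo "disabled ok" ;;
        esac
        return 0
    fi
    case "$cfg" in
        missing|disabled)
            # selinuxfs mounted but config absent or SELINUX=disabled (as in the
            # facter os output above). Assumption: report disabled and flag it.
            echo "disabled mismatch"
            return 0 ;;
    esac
    enforce=$(cat "$root$mnt/enforce" 2>/dev/null || true)
    if [ "$enforce" = "1" ]; then cur=enforcing; else cur=permissive; fi
    if [ "$cur" = "$cfg" ]; then echo "$cur ok"; else echo "$cur mismatch"; fi
}
```

A mismatch result is a prompt to confirm the running state with sestatus or getenforce before trusting either source.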
