SELinux on CentOS not working

arturh asked:

i’m new to CentOS and trying to enable SELinux and it’s not working after a restart as described on

The only error message I get after each reboot is:

master:~# cat /var/log/messages | grep "SELinux"
Jul 14 22:11:48 master kernel: SELinux:  Disabled at boot.

As far as Google could tell me this means my config file has SELINUX=0 / SELINUX=disabled. But my config file should be correct:

master:~# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.

I found it strange that the described /etc/sysconfig/selinux symlink did not exist so it created it pointing to /etc/selinux/config:

master:~# ls -l /etc/sysconfig/ | grep selinux
lrwxrwxrwx 1 root root   19 Jul 14 22:18 selinux -> /etc/selinux/config

System Details: freshly installed minimal CentOS 7 with current updates:

master:~# uname -a
Linux master 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I also installed the packages described at the above link:

yum install policycoreutils policycoreutils-python selinux-policy selinux-policy-targeted libselinux-utils setroubleshoot-server setools setools-console mcstrans

Any idea how to debug this? I could not find any other way to enable SELinux other than changing the config file and rebooting, what could be wrong?
Could a kernel module be missing?


The culprit:

master:~# cat /etc/sysconfig/grub
GRUB_CMDLINE_LINUX="rootflags=uquota,gquota acpi=ht crashkernel=auto selinux=0 nodmraid rhgb quiet"

My answer:

SELinux was disabled on your kernel command line, by someone inserting selinux=0.

To resolve the problem, remove this from /etc/sysconfig/grub, regenerate your grub configuration, and then reboot.

You should also complain to whoever made this image, as this is a really nasty trick to play…

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.