Hello,

to detect if SELinux is disabled, in version 2.4 there was a check for /proc/PID/attr/current to have something other than "kernel" as its value. This made it possible to distinguish between "Disabled" and "Permissive" when the filesystem is mounted and the /enforce file has the value 0.

That check got removed in later versions, and a check was added based on whether /etc/selinux/config exists. This leads to two problems.

The first one is that older versions which have SELinux disabled in the config file still have the filesystem mounted (unless selinux=0 is passed as kernel param), which causes the newer behavior to think SELinux is "Permissive" instead of disabled.

The second problem is that the existence of the config file is only loosely related to whether SELinux is disabled or not. On the one hand, a recent change of the config file (creation/removal) is not valid now but only after it got applied, e.g., by a reboot; on the other hand, the check does not work from containers.¹

I suggest dropping the config file check and replacing it with a /proc/PID/attr/current check, which is more reliable because it tells something about the current state and works from containers.

What do you think?

For context, this is the GitHub issue where this suggestion originated from:
https://github.com/kubevirt/kubevirt/issues/5298

Regards,
Kai

¹ Here is an example:

    $ getenforce ; podman run --rm -it fedora sh -c 'dnf install -y /usr/sbin/getenforce >/dev/null && getenforce'
    Permissive
    Disabled

-- 
Kinvolk GmbH | Adalbertstr.6a, 10999 Berlin | tel: +491755589364
Geschäftsführer/Directors: Alban Crequy, Chris Kühl, Iago López Galeiras
Registergericht/Court of registration: Amtsgericht Charlottenburg
Registernummer/Registration number: HRB 171414 B
Ust-ID-Nummer/VAT ID number: DE302207000
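
The check proposed in the message above, sketched as an added example (not code from the original e-mail or from the project it discusses). The function name `selinux_state`, the `ROOT` argument used to point it at a constructed tree, and the selinuxfs mount point `/sys/fs/selinux` are assumptions of this sketch; it reads only kernel-exported state, so it gives the same answer inside a container as on the host.

```shell
#!/bin/sh
# selinux_state [ROOT] [PID]   (hypothetical helper, added for illustration)
# Classifies the *current* SELinux state from kernel-exported files only;
# /etc/selinux/config is never consulted.
# ROOT defaults to "/" and exists so the logic can be run on a constructed tree.
selinux_state() {
    root=${1:-/}
    pid=${2:-self}
    enforce_file="${root%/}/sys/fs/selinux/enforce"   # assumed mount point
    current_file="${root%/}/proc/$pid/attr/current"

    # selinuxfs not mounted at all, e.g. booted with selinux=0.
    if [ ! -r "$enforce_file" ]; then
        echo Disabled
        return 0
    fi

    # Read the process label; strip the trailing NUL/newline the kernel may add.
    label=
    if [ -r "$current_file" ]; then
        label=$(tr -d '\000\n' 2>/dev/null < "$current_file") || label=
    fi

    # Filesystem mounted but label is "kernel" (or unreadable): treat as
    # Disabled, which is the distinction the message says the 2.4 check made.
    if [ -z "$label" ] || [ "$label" = "kernel" ]; then
        echo Disabled
        return 0
    fi

    # A real label is present: the enforce flag decides the mode.
    case $(tr -d '\000\n' < "$enforce_file") in
        1) echo Enforcing ;;
        *) echo Permissive ;;
    esac
}

# With no arguments this inspects the running system.
selinux_state "$@"
```
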