libselinux issue

We can get into a state where selinux is enabled without a policy.

Reproducer:

cat > /etc/selinux/config <<EOF
ELINUX=disabled
SELINUXTYPE=blah
EOF

Further info:

Reproduced on Debian Bullseye
5.10.0-8-amd64
SELinux 3.1

Note that *both conditions* above have to be met to trigger this.

If you only have a typo "ELINUX=disabled" then SELinux will boot in
permissive mode

If you only have a type "SELINUXTYPE=blah" then SELinux will not be
enabled because the policy cannot be found

root@bullseye:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             dssp5
Current mode:                   permissive
Mode from config file:          error (Success)
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      33

root@bullseye:~# ls /sys/fs/selinux
access                create            mls                  ss
avc                   deny_unknown      null                 status
booleans              disable           policy               user
checkreqprot          enforce           policy_capabilities  validatetrans
class                 initial_contexts  policyvers
commit_pending_bools  load              reject_unknown
context               member            relabel

root@bullseye:~# ls /etc/selinux
config  dssp5-debian  semanage.conf

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
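
Added example (not part of the original message and not libselinux code): a pre-reboot check for /etc/selinux/config that flags both conditions from the reproducer, a misspelled key that leaves SELINUX= unset and a SELINUXTYPE with no policy directory. The KNOWN_KEYS set, the function names and the temporary directory standing in for /etc/selinux are assumptions made for this sketch.

```python
import os
import tempfile

# Keys assumed valid for this check; extend the set if your distribution uses more.
KNOWN_KEYS = {"SELINUX", "SELINUXTYPE", "SETLOCALDEFS", "REQUIRESEUSERS"}
VALID_MODES = {"enforcing", "permissive", "disabled"}

def lint_selinux_config(text, selinux_root):
    """Return a list of findings for the contents of an SELinux config file."""
    findings, settings = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            findings.append(f"line {lineno}: not a KEY=value setting")
        elif key not in KNOWN_KEYS:
            # A misspelled key such as ELINUX means the real setting is absent.
            findings.append(f"line {lineno}: unknown key {key}")
        else:
            settings[key] = value
    mode = settings.get("SELINUX")
    if mode is None:
        findings.append("SELINUX= is not set")
    elif mode.lower() not in VALID_MODES:
        findings.append(f"SELINUX={mode} is not a valid mode")
    ptype = settings.get("SELINUXTYPE")
    if ptype is None:
        findings.append("SELINUXTYPE= is not set")
    elif not os.path.isdir(os.path.join(selinux_root, ptype)):
        findings.append(f"SELINUXTYPE={ptype} has no policy directory")
    return findings

def lint_samples():
    """Lint the reproducer and a constructed corrected config."""
    reproducer = "ELINUX=disabled\nSELINUXTYPE=blah\n"
    corrected = "SELINUX=disabled\nSELINUXTYPE=dssp5-debian\n"  # constructed
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for /etc/selinux, named after the ls output above.
        os.mkdir(os.path.join(root, "dssp5-debian"))
        return (lint_selinux_config(reproducer, root),
                lint_selinux_config(corrected, root))

if __name__ == "__main__":
    bad, good = lint_samples()
    print("reproducer:", bad)
    print("corrected:", good)
```

On a real system, pass the file contents and "/etc/selinux" as selinux_root and treat any finding as a reason not to reboot until the config is fixed.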


