Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:

> We can get into a state where selinux is enabled without a policy.

Someone was sharp enough to notice an inconsistency in the info below. I used
"SELINUXTYPE=blah", whereas when I actually tested it I used
"SELINUXTYPE=dssp5". Both are invalid and lead to the same results. So just
read s/dssp5/blah/

> Reproducer:
>
> cat > /etc/selinux/config <<EOF
> ELINUX=disabled
> SELINUXTYPE=blah
> EOF
>
> Further info:
>
> Reproduced on Debian Bullseye
> 5.10.0-8-amd64
> SELinux 3.1
>
> Note that *both conditions* above have to be met to trigger this.
>
> If you only have a typo "ELINUX=disabled" then SELinux will boot in
> permissive mode
>
> If you only have a typo "SELINUXTYPE=blah" then SELinux will not be
> enabled because the policy cannot be found
>
> root@bullseye:~# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             dssp5
> Current mode:                   permissive
> Mode from config file:          error (Success)
> Policy MLS status:              disabled
> Policy deny_unknown status:     denied
> Memory protection checking:     actual (secure)
> Max kernel policy version:      33
>
> root@bullseye:~# ls /sys/fs/selinux
> access                create         mls               ss
> avc                   deny_unknown   null              status
> booleans              disable        policy            user
> checkreqprot          enforce        policy_capabilities validatetrans
> class                 initial_contexts policyvers
> commit_pending_bools  load           reject_unknown
> context               member         relabel
>
> root@bullseye:~# ls /etc/selinux
> config  dssp5-debian  semanage.conf

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
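The report above turns on two mistakes in /etc/selinux/config that each look harmless alone: a misspelled key ("ELINUX" instead of "SELINUX") and a SELINUXTYPE naming a policy directory that does not exist under the SELinux root. The following POSIX sh linter is an added example, not code from the mail or from libselinux; it flags both conditions before a reboot turns them into an unexpected state. The set of accepted keys (SELINUX, SELINUXTYPE, SETLOCALDEFS, REQUIRESEUSERS) and the assumption that values carry no surrounding whitespace are this example's own choices, and the function name `check_selinux_config` is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check an SELinux config file the way an admin would
# want before rebooting. Not part of the original mail or of libselinux.
#
# check_selinux_config CONFIG [SELINUX_ROOT]
#   returns 0 when the file looks sane, 1 otherwise, printing each problem.
#   SELINUX_ROOT defaults to /etc/selinux; override it for testing.
check_selinux_config() {
    cfg=$1
    root=${2:-/etc/selinux}
    rc=0
    have_mode=0
    ptype=""

    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case $line in
            ''|'#'*) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        case $key in
            SELINUX)
                have_mode=1
                case $val in
                    enforcing|permissive|disabled) ;;
                    *) echo "bad SELINUX value: '$val'"; rc=1 ;;
                esac ;;
            SELINUXTYPE)
                ptype=$val ;;
            SETLOCALDEFS|REQUIRESEUSERS)
                # Accepted key list is an assumption of this example.
                ;;
            *)
                # Catches the "ELINUX=disabled" typo from the reproducer:
                # an unknown key is silently ignored by the real parser.
                echo "unknown key: '$key' (typo?)"; rc=1 ;;
        esac
    done < "$cfg"

    if [ "$have_mode" -eq 0 ]; then
        echo "SELINUX= is missing, so the mode you think you set is not set"
        rc=1
    fi
    if [ -z "$ptype" ]; then
        echo "SELINUXTYPE= is missing"
        rc=1
    elif [ ! -d "$root/$ptype" ]; then
        # Catches "SELINUXTYPE=blah": no policy store to load from.
        echo "SELINUXTYPE=$ptype: no policy directory $root/$ptype"
        rc=1
    fi
    return $rc
}

# Stand-alone usage: lint the live config.
if [ "${1:-}" = "--run" ]; then
    check_selinux_config /etc/selinux/config
fi
```

Run it as `sh check.sh --run` on a host; a clean config prints nothing and exits 0, while the reproducer's config produces two lines (unknown key, missing policy directory) and exits 1.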