
SELinux cannot be enabled after following all the procedures #371

Open
gus4rs opened this issue Oct 25, 2022 · 4 comments

Comments


gus4rs commented Oct 25, 2022

I disabled SELinux in an old Fedora version (pre-30), and over time upgraded the distro to 36 and now cannot enable it anymore. I am trying to make it permissive, and tried changing it in the config, but it doesn't work.

I put this in /etc/sysconfig/selinux:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

symlink present:

# ls -l /etc/sysconfig/selinux 
lrwxrwxrwx. 1 root root 17 Apr 21  2018 /etc/sysconfig/selinux -> ../selinux/config

My kernel params:

# cat /proc/cmdline 
BOOT_IMAGE=(hd0,msdos1)/vmlinuz-5.19.15-201.fc36.x86_64 root=/dev/mapper/fedora_fedora-root ro rd.lvm.lv=fedora_fedora/root rhgb quiet

After a touch /.autorelabel and reboot, it is still disabled:

# getenforce 
Disabled

Tried to re-generate the initramfs image:

# dracut -F

to no avail.

I've collected some logs, but no error found:

# dmesg | grep -i selinux 

[    0.445625] SELinux:  Initializing.
[    1.899886] ata1.00: ATA-8: Fedora-0 SSD, F.02PTBW, max UDMA/100
[    1.991220] scsi 0:0:0:0: Direct-Access     ATA   Fedora-0 SSD    PTBW PQ: 0 ANSI: 5
[    2.020710] evm: security.selinux
[    4.065913] systemd[1]: systemd v250.8-1.fc36 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
#journalctl --since -5m | grep -i selinux

Oct 25 22:36:39 kernel: SELinux:  Initializing.
Oct 25 22:36:39 kernel: evm: security.selinux
Oct 25 22:36:39 systemd[1]: systemd v250.8-1.fc36 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Oct 25 22:36:48 systemd[1]: selinux-autorelabel-mark.service - Mark the need to relabel after reboot was skipped because of a failed condition check (ConditionPathExists=!/.autorelabel).
Oct 25 22:37:03 sshd[2130]: debug1: SELinux support disabled [preauth]
Oct 25 22:37:03 sshd[2130]: debug1: SELinux support disabled

What else could be preventing it from enabling? Is there any tool for sanity checking?


gus4rs commented Oct 26, 2022

If I manually call /usr/sbin/load_policy -i then it loads the policy files and getenforce returns Permissive.

Upon next reboot all is lost though, and it returns to the 'disabled' state. Who is supposed to load these policies at boot time? My dracut apparently contains the selinux module:

# dracut --list-modules  | grep selinux
selinux

@bachradsusi
Member

I have no idea how this could happen.

It is up to systemd to load a policy. You can try changing the default systemd log level to debug using systemd.log_level=debug on the kernel command line to get additional information. You should also check the stderr at early boot. The selinux_init_load_policy() function from libselinux, which is used by systemd, logs to stderr output.


bachradsusi commented Nov 7, 2022

First I'd try to use enforcing=0 on kernel command line to switch to permissive mode directly in kernel before a policy is loaded.


gus4rs commented Nov 7, 2022

Enabled debug in systemd. It prints a bunch of AVC denials right after switching root from the dracut initramfs (this is where the policies should have been loaded; I checked with a freshly installed distro where SELinux is enabled).

This is the first one:

Nov 07 09:37:29 audit[1]: AVC avc:  denied  { prog_run } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=bpf permissive=1

Note permissive=1, meaning the config was taken into account. But for some reason it failed to load the policies.

I tried to do a full relabel of the system after manually loading the policies:

# /usr/sbin/load_policy -i && fixfiles relabel

and rebooted, no luck.
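A small sanity check of the kind asked about above, added here as an example (it is not from the thread or from the selinux-policy project): it applies the precedence between /etc/selinux/config and the kernel command line (selinux=0 disables outright; enforcing=0/1 forces permissive/enforcing once a policy is loaded) to constructed inputs modelled on the ones posted, and flags the case where a policy should have been loaded but getenforce reports Disabled.

```python
# Constructed sample inputs, modelled on the config and cmdline posted in the thread.
CONFIG_TEXT = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""
CMDLINE = ("BOOT_IMAGE=(hd0,msdos1)/vmlinuz-5.19.15-201.fc36.x86_64 "
           "root=/dev/mapper/fedora_fedora-root ro rd.lvm.lv=fedora_fedora/root rhgb quiet")


def parse_selinux_config(text):
    """Return the KEY=value settings from /etc/selinux/config text,
    skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def expected_mode(config_text, cmdline):
    """Mode the system should end up in after boot.

    The config file sets the baseline; kernel parameters override it:
    selinux=0 disables SELinux in the kernel before any policy is loaded,
    enforcing=0 / enforcing=1 force permissive / enforcing once a policy is loaded.
    """
    mode = parse_selinux_config(config_text).get("SELINUX", "disabled").lower()
    params = dict(p.split("=", 1) for p in cmdline.split() if "=" in p)
    if params.get("selinux") == "0" or mode == "disabled":
        return "disabled"
    if params.get("enforcing") == "0":
        return "permissive"
    if params.get("enforcing") == "1":
        return "enforcing"
    return mode


def diagnose(config_text, cmdline, getenforce_output):
    """Compare the expected mode with what getenforce reported."""
    want = expected_mode(config_text, cmdline)
    have = getenforce_output.strip().lower()
    if want == have:
        return "ok: %s" % have
    if have == "disabled":
        # Config and cmdline asked for a policy, yet none is loaded: the
        # early-boot policy load (systemd / initramfs) is the place to look.
        return "mismatch: expected %s, kernel reports disabled; policy not loaded at boot" % want
    return "mismatch: expected %s, got %s" % (want, have)
```

Feeding it the real files (open("/etc/selinux/config").read(), open("/proc/cmdline").read() and the output of getenforce) reproduces the reporter's situation as the "policy not loaded at boot" mismatch.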
