Unable to re-enable SELinux

Up until now we have disabled SELinux as our Standard Operating Procedure -- before you tell me off, I know. That's why we're enabling it now we've got time to.

Our normal procedure was to:

  1. Set SELINUX=disabled in /etc/selinux/config
  2. Add selinux=0 to the kernel line of grub

I'm trying to undo all this now, but on some servers it just won't re-enable for some reason.

~ # grep ^SELINUX= /etc/selinux/config
SELINUX=permissive
~ # grep -i selinux /boot/grub/menu.lst 
~ # getenforce
Disabled
~ # sestatus
SELinux status:                 disabled
~ # setenforce 1
setenforce: SELinux is disabled
~ # sestatus
SELinux status:                 disabled

I've rebooted (multiple times) to no avail, including an initial reboot with a /.autorelabel file.

Can anyone tell me what I'm missing?

CentOS 6 2.6.32-431.20.3.el6.x86_64


Solution 1:

Running dmesg | grep -i selinux turned up this little error:

dracut: SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.24: No such file or directory

What file provides that?

~ # yum whatprovides /etc/selinux/targeted/policy/policy.24
selinux-policy-targeted-3.7.19-231.el6.noarch : SELinux targeted base policy
Repo        : base
Matched from:
Filename    : /etc/selinux/targeted/policy/policy.24

Reinstalling seems to make it good:

yum reinstall selinux-policy-targeted

Apologies for the noise; hopefully this might help someone else in the future though at least.
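
The checks from the question and the answer, combined into one script (an added example, not part of the original post). The function name, the result labels and the optional root-directory argument are assumptions made for illustration, as is falling back to the targeted policy when SELINUXTYPE is unset.

```shell
#!/bin/sh
# Added example: report the first reason SELinux would come up disabled.
# $1 (assumption): filesystem root to inspect, so an offline copy can be checked.

selinux_disabled_reason() {
    root="${1:-/}"
    root="${root%/}"
    cfg="$root/etc/selinux/config"
    grub="$root/boot/grub/menu.lst"

    if [ ! -r "$cfg" ]; then
        echo "config-missing"; return 1
    fi

    # Last SELINUX= / SELINUXTYPE= assignment wins; strip stray whitespace.
    mode=$(sed -n 's/^SELINUX=//p' "$cfg" | tail -n 1 | tr -d '[:space:]')
    ptype=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n 1 | tr -d '[:space:]')
    ptype="${ptype:-targeted}"   # assumption: default policy type

    if [ "$mode" = "disabled" ]; then
        echo "config-disabled"; return 1
    fi

    # selinux=0 on an uncommented line of the grub config (step 2 in the question).
    if [ -r "$grub" ] && grep -v '^[[:space:]]*#' "$grub" |
            grep -Eq '(^|[[:space:]])selinux=0([[:space:]]|$)'; then
        echo "kernel-selinux=0"; return 1
    fi

    # The failure from the answer: no binary policy file for the policy type.
    for f in "$root/etc/selinux/$ptype/policy/policy."*; do
        if [ -s "$f" ]; then
            echo "ok"; return 0
        fi
    done
    echo "policy-missing"; return 1
}

# Run against the given root when called with an argument, e.g.: sh check.sh /
if [ "$#" -gt 0 ]; then
    selinux_disabled_reason "$1"
fi
```

A result of policy-missing corresponds to the dracut error above and points at reinstalling the package that provides the policy file.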