RHEL SELinux: /etc/sysconfig/selinux or /etc/selinux/config?

redhat selinux rhel7

From a CentOS 7 system I have to hand, but CentOS 6 and Fedora 31 are the same

lrwxrwxrwx. 1 root root   17 Oct 31  2018 selinux -> ../selinux/config

Seems they are the same file. Personally use /etc/selinx/config due to muscle memory.

but in my system they are different files, size is diff, change time is diff

Then consider that your system is 'broken'. This is easy to test, set permissive in one and enforcing in the other. Reboot ...


The default selinux configuration file is in /etc/selinux/config per man 8 selinux. In Appendix D of the RHEL 6 Deployment Guide (couldn't find in RHEL 7 doc), they mention that /etc/sysconfig is a symbolic link to /etc/selinux/config:

The /etc/sysconfig/selinux file contains the basic configuration options for SELinux. It is a symbolic link to /etc/selinux/config

You'll know it's a symlink when you see the ls -la output because the first field will be l, for link, and the ugo will have rwx:

[root@test sysconfig]# ls -lah selinux
lrwxrwxrwx. 1 root root 19 Nov 24 00:58 selinux -> /etc/selinux/config

Before I learned that this was a symlink, I accidentally overwrote the file with sed because by default sed doesn't follow symlinks:

[root@test sysconfig]# ls -lah selinux
lrwxrwxrwx. 1 root root 17 Jul 24 23:16 selinux -> ../selinux/config
[root@test sysconfig]# grep '^SELINUX=' selinux
SELINUX=enforcing
[root@test sysconfig]# sed -i 's/SELINUX=enforcing/SELINUX=permissive/' selinux
[root@test sysconfig]# ls -lah selinux
-rw-r--r--. 1 root root 544 Nov 24 00:50 selinux

If you ever get in that situation, it's an easy fix to restore the symlink:

[root@test sysconfig]# rm /etc/sysconfig/selinux
rm: remove regular file ‘/etc/sysconfig/selinux’? y
[root@test sysconfig]# ln -s /etc/selinux/config selinux
[root@test sysconfig]# ls -lah selinux
lrwxrwxrwx. 1 root root 19 Nov 24 00:52 selinux -> /etc/selinux/config

I am personally only modifying /etc/selinux/config, one so I don't happen to make another mistake with the symlink, but two because some configuration files in that directory are becoming deprecated in newer releases; for example, nfs in RHEL 8.

Related

How to clean up mysql installation on centos
How to force Mac (Yosemite) to use USB Bluetooth instead of internal? [duplicate]
Disable inactive memory swapping
Listening to music with MacBooks lid closed
Make Skim save PDF's with embedded notes by default
How can I explain to my friend that running a "hackintosh" is a violation of the law? [closed]
How to update latest MacBook pro EFI firmware manually?
How can I create a new Recovery Partition on EXTERNAL disk?
How can I disable the delay + minimum distance when deleting icons from the Dock by dragging in Mountain Lion?
"This UPX compressed binary contains an invalid Mach-O header and cannot be loaded."
What characters might be used to substitute for colon in folder names using a time-of-day? [closed]
MBP Touch Bar Mirror Displays Keyboard Shorcut