disable_selinux = true is not working

[un1xman]

As far as now, Selinux is working with enforcing mode, on nodes by default. After I change disable_selinux=true it notaffected Selinux configs. Even, I destroy cluster and created with this config. Still selinux is active on nodes. Am I doing something wrong or incomplete?

[air3ijai]

Based on the docs, we have 2 ways to disable SELinux

1. We can disable selinux on all nodes using disable_selinux - Disable SELinux on all nodes.

   disable_selinux = true

2. We can disable selinux on agent nodes using agent_nodepools

   agent_nodepools = [
     {
       name        = "agent-small",
       server_type = "cx22",
       location    = "fsn1",
       selinux     = false
     }

But I see same result in bot cases

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

[air3ijai]

Can we rely on preinstall_exec, to disable SELinux?

  preinstall_exec = [
    "setenforce 0",
    "sed -i -E 's/^SELINUX=[a-z]+/SELINUX=disabled/' /etc/selinux/config"
  ]

[air3ijai]

Applied preinstall_exec from comment above and triggered nodes scaling

getenforce

Permissive

sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELinux can be completly disabled with the "selinux=0" kernel
# commandline option.
#
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

And after manual node reboot

getenforce

Disabled

sestatus

SELinux status:                 disabled

[air3ijai]

[Bug]: Disabling SELINUX option is not working #1370.