selinux disabled, but still enforcing?

Question

I have some systems where, for various reasons, we want to completely disable selinux. To date, this has worked like a champ, with always using selinux=0 in the kickstarts and ensuring that /etc/sysconfig/selinux contains:

SELINUX=disabled

But as of today, I have one Fedora 17 workstation that is properly set up, yet following many reboots, it always comes up in enforcing mode:

# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

# getenforce
Enforcing

What could be causing selinux to ignore the sysconfig entry, or to start despite it?

[Edit 1]

I saw a related question here and tried this:

# selinuxenabled ; echo $?
0
# getenforce
Enforcing

Answer 1

The actual config file is /etc/sellinux/config to which /etc/sysconfig/selinux links. It seems you might have lost the link and ended up with a regular file.

Verify that:

# ls -l /etc/sysconfig/selinux
lrwxrwxrwx. 1 root root 17 Dec 22 18:59 /etc/sysconfig/selinux -> ../selinux/config

or check the contents of /etc/selinux/config

Answer 2

Running CentOS 8, I used this for scripts:

sed -i "s/SELINUX=.*/SELINUX=disabled/" /etc/selinux/config

Basically, you want the SELinux config file to have this setting

| /etc/selinux/config :

...if...

SELINUX=enabled

...change to...

SELINUX=disabled

While sudo setenforce 0 will temporarily set it to "Permissive", changing the config file will permanently set it to "Disabled".