Description of problem: If you have switched to a new policy (e.g., from targeted to mls) and then the system does not work with that policy, the solution is to reboot with enforcing=0 and than change the policy back (e.g., from mls to targeted). Since I normally run with targeted/enforcing (not permissive), I just changed the policy. But, the tool appears to change the runtime value of /selinux/enforce BEFORE it changes /etc/sysconfig/selinux Solution: change /etc/sysconfig/selinux file first. Better Solution: make changing the value of SELINUX in the file a separate and distict action from changing the runtime system
Changed to write the config file before setting/unsetting enforcing. The new order of things on save is: write config, change enforcing mode, touch /.autorelabel if required, save modifiers. Thanks for the bug report. Might make an FC6 update for this.