The selinux.mode state only checked the current status of SELinux in memory (getenforce) when determining if changes

needed to be made. The /etc/selinux/config file could have a different value, and it would not be changed. This commit
enhances idempotency of the state in regards to both the in-memory and configuration file enforcement of SELinux.

salt/modules/selinux.py

@@ -89,6 +89,27 @@ def getenforce():
         return 'Disabled'
 
 
+def getconfig():
+    '''
+    Return the selinux mode from the config file
+
+    CLI Example:
+
+    .. code-block:: bash
+
+        salt '*' selinux.getconfig
+    '''
+    try:
+        config = '/etc/selinux/config'
+        with salt.utils.fopen(config, 'r') as _fp:
+            for line in _fp:
+                if line.strip().startswith('SELINUX='):
+                    return line.split('=')[1].capitalize().strip()
+    except (IOError, OSError, AttributeError):
+        return None
+    return None
+
+
 def setenforce(mode):
     '''
     Set the SELinux enforcing mode

salt/states/selinux.py

@@ -94,7 +94,14 @@ def mode(name):
     if tmode == 'unknown':
         ret['comment'] = '{0} is not an accepted mode'.format(name)
         return ret
+    # Either the current mode in memory or a non-matching config value
+    # will trigger setenforce
     mode = __salt__['selinux.getenforce']()
+    config = __salt__['selinux.getconfig']()
+    # Just making sure the oldmode reflects the thing that didn't match tmode
+    if mode == tmode and mode != config and tmode != config:
+        mode = config
+
     if mode == tmode:
         ret['result'] = True
         ret['comment'] = 'SELinux is already in {0} mode'.format(tmode)