Bug 821966
| Summary | Anaconda ignores "selinux --disabled" and "firewall --disabled" kickstart options |
|---|---|
| Product | [Fedora] Fedora |
| Component | anaconda |
| Version | 17 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Reporter | Andrew McNabb <amcnabb> |
| Assignee | Anaconda Maintenance Team <anaconda-maint-list> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | anaconda-maint-list, awilliam, g.kaviyarasu, jonathan, robatino, satellitgo, sgallagh, vanmeeuwen+fedora |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2012-05-17 00:18:35 UTC |
| Bug Blocks | 752650 |

Description
Andrew McNabb
2012-05-15 22:37:00 UTC
*** Bug 821962 has been marked as a duplicate of this bug. ***

Proposing for F17 blocker under the following rules:

"In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login"[1]. The reason most people would pass 'selinux --disabled' to anaconda would be to avoid AVCs in software they are installing.

"The installer must be able to successfully complete a scripted installation, using the installer's preferred scripting system, which duplicates the default interactive installation as closely as possible"[2]

[1] http://fedoraproject.org/wiki/Fedora_17_Final_Release_Criteria
[2] http://fedoraproject.org/wiki/Fedora_17_Beta_Release_Criteria

Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log to this bug as individual plain/text files.

(In reply to comment #3)
> Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log
> to this bug as individual plain/text files.

Are you referring to the logs during the install or logs after installation (/root/install.log and /root/install.log.syslog). If during the install, at what stage in the installation process should I copy them over? Thanks.

So, bcl reckons this happens only when *both* are specified. lokkit will be called to disable the firewall, but not to disable selinux.

If you install firewalld, then disabling of the firewall won't work, because lokkit doesn't control firewalld. But firewalld is no longer the default, so you have to explicitly install firewalld instead of s-c-f/iptables to get that problem. I guess that's really a separate bug that should be filed for F18; the firewall disablement method will need to be changed (or lokkit will need to grow support for firewalld, perhaps).

bcl further states that the first bug here (selinux not being disabled if you specify to disable both selinux and firewall) has been present for a _long_ time.

Given that, and the fact that neither bug in fact hits the criteria (nice try at criteria gymnastics, though :>), I vote -1 blocker.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

(In reply to comment #4)
> (In reply to comment #3)
> > Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log
> > to this bug as individual plain/text files.
>
> Are you referring to the logs during the install or logs after installation
> (/root/install.log and /root/install.log.syslog). If during the install, at
> what stage in the installation process should I copy them over? Thanks.

The install logs. You can find them in /var/log/anaconda/ on the installed system or in /tmp/ at the end of the install.

Also, I cannot reproduce this using a minimal install from the TC6 dvd. For me selinux and firewall are correctly disabled.

Andrew, did you tweak your kickstart to install firewalld instead of system-config-firewall / iptables? If so, did your tweak result in lokkit no longer being installed? anaconda uses lokkit to disable selinux and the firewall, so if you use a kickstart which results in lokkit not being enabled, that could explain the failure.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

(In reply to comment #5)
> If you install firewalld, then disabling of the firewall won't work, because
> lokkit doesn't control firewalld. But firewalld is no longer the default, so
> you have to explicitly install firewalld instead of s-c-f/iptables to get that
> problem. I guess that's really a separate bug that should be filed for F18; the
> firewall disablement method will need to be changed (or lokkit will need to
> grow support for firewalld, perhaps).

Hmm. The kickstart script is definitely not explicitly specifying firewalld, so it must be pulled in as part of a group or as a dependency. That's unfortunate.

> bcl further states that the first bug here (selinux not being disabled if you
> specify to disable both selinux and firewall) has been present for a _long_
> time.

It might be something else, then, because we've used this kickstart script for years without having this problem. We make a few little changes at each release, but it's essentially the same script. I just went through the git logs, and both "firewall --disabled" and "selinux --disabled" have been specified since July 17, 2007. So I'm convinced that this is a new problem.

(In reply to comment #7)
> Andrew, did you tweak your kickstart to install firewalld instead of
> system-config-firewall / iptables? If so, did your tweak result in lokkit no
> longer being installed? anaconda uses lokkit to disable selinux and the
> firewall, so if you use a kickstart which results in lokkit not being enabled,
> that could explain the failure.

If I do `rpm -q lokkit`, it reports, "package lokkit is not installed". However, on a Fedora 16 machine with the same kickstart script, the "lokkit" package is also missing, but selinux was correctly disabled. Perhaps Anaconda in old releases was using a copy of lokkit on the installation media instead of the target filesystem, or there's some other explanation.

I'll post the logs momentarily, but it looks like this snippet might be relevant, given Adam's observation in Comment #7.

```
11:03:04,692 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:04,694 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
11:03:06,657 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:06,659 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
```

Created attachment 585031 [details]
anaconda.ifcfg.log
Created attachment 585032 [details]
anaconda.log
Created attachment 585033 [details]
anaconda.program.log
Created attachment 585034 [details]
anaconda.storage.log
Created attachment 585035 [details]
anaconda.syslog
Created attachment 585036 [details]
anaconda.xlog
Created attachment 585037 [details]
anaconda.yum.log
Can you attach the precise kickstart you used? It seems like it might be needed at this point. Thanks!

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Created attachment 585038 [details]
kickstart script
Created attachment 585039 [details]
package list imported in kickstart script
lokkit is part of system-config-firewall-base

Your kickstart is pointing to a Beta repo it looks like. Please retest with the main repo. There was some confusion over whether firewalld would be used or not, maybe this is a result of that (in the end firewalld is not being used).

(In reply to comment #21)
> lokkit is part of system-config-firewall-base

In that case, system-config-firewall-base is installed on the Fedora 16 machine but not on the Fedora 17 machine.

(In reply to comment #22)
> Your kickstart is pointing to a Beta repo it looks like. Please retest with the
> main repo. There was some confusion over whether firewalld would be used or
> not, maybe this is a result of that (in the end firewalld is not being used).

Would you mind sharing the URL to a public repo for that? I've been pointed to where the vmlinuz and initrd.img files are available online, but these locations don't include the full list of packages. Thanks.

By the way, if Anaconda needs the system-config-firewall-base package to be able to set kickstart options, should the package be mandatory in all kickstart installs? It seems like this might solve the problem, although I'm not sure whether it might add any side effects.

Try http://dl.fedoraproject.org/pub/fedora/linux/development/17/x86_64/os/ (for x86_64, for i686 make the obvious substitution)

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

(In reply to comment #25)
> Try http://dl.fedoraproject.org/pub/fedora/linux/development/17/x86_64/os/ (for
> x86_64, for i686 make the obvious substitution)

I didn't realize that I should just point at the development repository. Thanks. The installation is running now.

Given the diagnosis so far and bcl's inability to reproduce, I'm -1 blocker on this at present.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

With the development repository, the system-config-firewall-base package is installed, and selinux is disabled.

So, it looks like this bug will be fixed for Fedora 17 final. Will Fedora 18 use firewalld instead of system-config-firewall-base? If so, this bug might come back. Would it make sense for Anaconda to force system-config-firewall-base to be installed if "selinux --disabled" is specified?

Yes, the mechanisms will need to be re-evaluated for F18. With 28 comments on this bug, though, it probably makes more sense just to open a new one. I'll close this and open a new one against Rawhide.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
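
The failure discussed in this thread (the installer logs a lokkit error but finishes, leaving the requested SELinux and firewall settings unapplied) can be caught with a post-install audit. The following is an added example, not part of the original bug report and not anaconda's code: it cross-checks the kickstart directives against the anaconda log and the installed `/etc/selinux/config`. The function names, the kickstart and the config content are constructed for illustration; the two log lines mirror the ones quoted in the thread.

```python
import re

# Constructed sample inputs; the two ERR lines mirror the ones quoted in the thread.
KICKSTART = """\
selinux --disabled
firewall --disabled
%packages
@core
%end
"""
ANACONDA_LOG = """\
11:03:04,692 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:04,694 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
"""
SELINUX_CONFIG = "# constructed /etc/selinux/config\nSELINUX=enforcing\nSELINUXTYPE=targeted\n"
LOKKIT_FAIL = re.compile(r"ERR anaconda: lokkit run failed: (.*)$")

def requested(kickstart_text):
    """Map 'selinux'/'firewall' to the options given in the kickstart command section."""
    found, in_section = {}, False
    for raw in kickstart_text.splitlines():
        line = raw.strip()
        if line.startswith("%") and not line.startswith("%include"):
            in_section = not line.startswith("%end")  # %packages, %post ... until %end
            continue
        words = line.split()
        if not in_section and words and words[0] in ("selinux", "firewall"):
            found[words[0]] = words[1:]
    return found

def effective_selinux(config_text):
    """Return the SELINUX= mode from /etc/selinux/config content, or None."""
    m = re.search(r"^\s*SELINUX=(\w+)", config_text, re.MULTILINE)
    return m.group(1).lower() if m else None

def audit(kickstart_text, log_text, config_text):
    """List findings where the installed system may not match the kickstart."""
    findings, want = [], requested(kickstart_text)
    failures = [m.group(1) for m in map(LOKKIT_FAIL.search, log_text.splitlines()) if m]
    if failures and want:
        # The log does not say which directive each failure belongs to: flag all.
        findings.append("lokkit failed; unverified directives: " + ", ".join(sorted(want)))
    for mode in ("disabled", "permissive", "enforcing"):
        if "--" + mode in want.get("selinux", []):
            actual = effective_selinux(config_text)
            if actual != mode:
                findings.append(f"selinux requested {mode}, installed config says {actual}")
    return findings

print("\n".join(audit(KICKSTART, ANACONDA_LOG, SELINUX_CONFIG)))
```

Run from a `%post` script or a provisioning check, the same comparison turns a silently ignored directive into a visible finding.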