Bug 145881
Summary: | anaconda: no selinux=0 when Disable SELinux is selected
---|---
Product: | [Fedora] Fedora
Component: | anaconda
Version: | 3
Hardware: | All
OS: | Linux
Status: | CLOSED NOTABUG
Severity: | medium
Priority: | medium
Keywords: | Reopened
Reporter: | Jeff Moe (jebba) <moe>
Assignee: | Anaconda Maintenance Team <anaconda-maint-list>
QA Contact: | Mike McLean <mikem>
Doc Type: | Bug Fix
Last Closed: | 2009-07-21 14:42:29 UTC
Description
Jeff Moe (jebba)
2005-01-23 00:36:36 UTC
selinux disabled turns it off in the SELinux config file which then disables things very early in init before it ever matters. Boot loader entries are extremely problematic in a lot of cases.

Actually NOTABUG, turns out to be a bug that gives local root access (without need of suid pulseaudio). Bummer.

http://lwn.net/Articles/342460/

Posted Jul 20, 2009 22:15 UTC (Mon) by spender (subscriber, #23067)
In reply to: mmap_min_addr and security modules by corbet
Parent article: Fun with NULL pointers, part 1

That's not the right check. security_file_mmap (which is either set by the capabilities module or overridden by the SELinux module) is what implements the final check. The one you pasted doesn't even apply for MAP_FIXED but is just to ensure that the allocator doesn't choose an address below mmap_min_addr when only a hint is specified.

If SELinux is compiled into the kernel, it needs to be disabled at boot via the kernel command-line, otherwise it registers its hooks with LSM and overrides that of the capabilities module for security_file_mmap which performs the mmap_min_addr check.

-Brad

In the very long time since this bug was initially filed, a whole lot of things have changed. For instance, we no longer offer the SELinux screen in anaconda because it's now an integral component of a Fedora system. If you pass selinux=0 on the kernel command line when you install, it will get passed to the final installed system. For this particular SELinux issue, you need to take that up with the SELinux guys.
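
The thread turns on the difference between disabling SELinux in its config file and passing selinux=0 on the kernel command line. The following is an added example, not code from anaconda or from anyone in this bug, that tells the two cases apart on a host; the function name, its arguments and the three result strings are hypothetical, and it assumes the config file uses the usual `SELINUX=` key.

```shell
#!/bin/sh
# Added example: report how (or whether) SELinux is disabled.
#   $1 = kernel command line text, e.g. the contents of /proc/cmdline
#   $2 = path to the SELinux config file, e.g. /etc/selinux/config
# Prints one of (hypothetical labels):
#   boot-disabled         selinux=0 is on the kernel command line
#   config-disabled-only  SELINUX=disabled in the config file, no selinux=0
#   not-disabled          neither of the above
selinux_disable_mode() (
    cmdline=$1
    config=$2
    set -f                      # no globbing while splitting the command line
    boot=unset
    for arg in $cmdline; do     # a later selinux= parameter replaces an earlier one
        case $arg in
            selinux=0) boot=off ;;
            selinux=1) boot=on ;;
        esac
    done
    cfg=unset
    if [ -r "$config" ]; then
        # Take the last uncommented SELINUX= line; SELINUXTYPE= does not match.
        cfg=$(sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$config" | tail -n 1)
        [ -n "$cfg" ] || cfg=unset
    fi
    if [ "$boot" = off ]; then
        echo "boot-disabled"
    elif [ "$cfg" = disabled ]; then
        echo "config-disabled-only"
    else
        echo "not-disabled"
    fi
)

# Report on the running host when the kernel command line is readable.
if [ -r /proc/cmdline ]; then
    echo "SELinux: $(selinux_disable_mode "$(cat /proc/cmdline)" /etc/selinux/config)"
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        echo "vm.mmap_min_addr: $(cat /proc/sys/vm/mmap_min_addr)"
    fi
fi
```

A result of `config-disabled-only` is the state this bug was filed about: SELinux is turned off in the config file while the boot loader entry carries no selinux=0.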