Bug 145881

Summary: ananconda: no selinux=0 when Disable SELinux is selected
Product: [Fedora] Fedora
Reporter: Jeff Moe (jebba) <moe>
Component: anaconda
Assignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED NOTABUG
QA Contact: Mike McLean <mikem>
Severity: medium
Priority: medium
Version: 3
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-21 14:42:29 UTC

Description Jeff Moe (jebba) 2005-01-23 00:36:36 UTC
Description of problem:
When an install is performed and SELinux is selected to be disabled in
anaconda it does /not/ set "selinux=0" in grub.conf.

Version-Release number of selected component (if applicable):
anaconda-10.1.0.2-1

Steps to Reproduce:
1. Do a fresh install (I did Custom Minimal, fwiw)
2. Select SELinux: Disable
3. Reboot
4. Check grub.conf or dmesg
Actual results:
There is no selinux=0 in /etc/grub.conf. Note that SELinux does get
disabled, but only after it initializes and starts in permissive mode.
$ dmesg | grep selinux -i
SELinux:  Initializing
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
SELinux:  Registering netfilter hooks
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks

When selinux=0, boot looks like:
$ dmesg | grep selinux -i
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks

Note, anaconda-ks.cfg shows that it was selected as disabled:
selinux --disabled

Expected results:
SELinux is completely disabled and never starts or does anything that
could potentially wreak SELinux havoc.

Or even better, the word "selinux" never appears anywhere on the
system. Even with it disabled, two selinux RPMs are installed. How
about an "selinux --banished" option? ;)

Additional info:
Perhaps the best way to do this is to make:
bootloader --location=mbr --append="rhgb quiet"
into
bootloader --location=mbr --append="rhgb quiet selinux=0"

Comment 1 Jeremy Katz 2005-01-23 00:48:52 UTC
selinux disabled turns it off in the SELinux config file which then
disables things very early in init before it ever matters.  Boot
loader entries are extremely problematic in a lot of cases.

Comment 2 Jeff Moe (jebba) 2009-07-21 10:24:29 UTC
Actually NOTABUG, turns out to be a bug that gives local root access (without need of suid pulseaudio). Bummer.

http://lwn.net/Articles/342460/
Posted Jul 20, 2009 22:15 UTC (Mon) by spender (subscriber, #23067)
In reply to: mmap_min_addr and security modules by corbet
Parent article: Fun with NULL pointers, part 1

That's not the right check. security_file_mmap (which is either set by the capabilities module or overridden by the SELinux module) is what implements the final check. The one you pasted doesn't even apply for MAP_FIXED but is just to ensure that the allocator doesn't choose an address below mmap_min_addr when only a hint is specified.

If SELinux is compiled into the kernel, it needs to be disabled at boot via the kernel command-line, otherwise it registers its hooks with LSM and overrides that of the capabilities module for security_file_mmap which performs the mmap_min_addr check.

-Brad
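The distinction this thread turns on (SELinux never initialised because of selinux=0 on the kernel command line, versus SELinux initialised, its LSM hooks registered, and then turned off by init reading /etc/selinux/config) is visible from the outside. The POSIX shell script below is an added example, not code from the bug report, from anaconda or from the LWN discussion: it classifies the disable mode from the dmesg lines quoted in the description, checks the kernel command line and the SELINUX= setting, and reports vm.mmap_min_addr next to them so an auditor can see at a glance which module's security_file_mmap is in force. The dmesg, command-line and config samples inside it are constructed to mirror the output quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the bug report): tell a boot-time SELinux
# disable (selinux=0) apart from a runtime disable (/etc/selinux/config).

# Classify dmesg text.  "boot"    = SELinux never initialised (selinux=0);
#                       "runtime" = it initialised and registered its LSM
#                                   hooks before init turned it off;
#                       "active"  = still running; "absent" = no SELinux lines.
selinux_disable_mode() {
    dmesg_text=$1
    if printf '%s\n' "$dmesg_text" | grep -qi 'SELinux: *Disabled at runtime'; then
        if printf '%s\n' "$dmesg_text" | grep -qi 'SELinux: *Initializing'; then
            echo runtime
        else
            echo boot
        fi
    elif printf '%s\n' "$dmesg_text" | grep -qi 'SELinux:'; then
        echo active
    else
        echo absent
    fi
}

# Succeed only when the kernel command line carries selinux=0 as a whole word
# (so "selinux=0x" or a stray "selinux" in a label does not count).
cmdline_has_selinux0() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'selinux=0'
}

# Extract the SELINUX= value (enforcing/permissive/disabled) from the text of
# /etc/selinux/config; comments and SELINUXTYPE= lines are ignored.
selinux_config_state() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1
}

# One-line summary.  A "runtime" dmesg result with config=disabled is exactly
# the situation described in the report: SELinux's security_file_mmap has
# already replaced the capabilities module's mmap_min_addr check.
selinux_report() {
    cmdline=$1 config=$2 dmesg_text=$3 min_addr=$4
    if cmdline_has_selinux0 "$cmdline"; then on_cmdline=yes; else on_cmdline=no; fi
    printf 'cmdline_selinux0=%s config=%s dmesg=%s mmap_min_addr=%s\n' \
        "$on_cmdline" "$(selinux_config_state "$config")" \
        "$(selinux_disable_mode "$dmesg_text")" "${min_addr:-unknown}"
}

# Constructed samples, modelled on the dmesg output quoted in the report.
SAMPLE_DMESG_RUNTIME='SELinux:  Initializing
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
SELinux:  Registering netfilter hooks
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks'
SAMPLE_DMESG_BOOT='SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks'
SAMPLE_CMDLINE_RUNTIME='ro root=LABEL=/ rhgb quiet'
SAMPLE_CMDLINE_BOOT='ro root=LABEL=/ rhgb quiet selinux=0'
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted'

# "--live" inspects the running system (dmesg may need root); otherwise the
# two constructed scenarios are reported.
if [ "${1:-}" = --live ]; then
    selinux_report "$(cat /proc/cmdline)" "$(cat /etc/selinux/config 2>/dev/null)" \
        "$(dmesg 2>/dev/null)" "$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)"
else
    selinux_report "$SAMPLE_CMDLINE_RUNTIME" "$SAMPLE_CONFIG" "$SAMPLE_DMESG_RUNTIME" 65536
    selinux_report "$SAMPLE_CMDLINE_BOOT" "$SAMPLE_CONFIG" "$SAMPLE_DMESG_BOOT" 65536
fi
```

Run it with `--live` on a host to see the same four fields for the real system; the interesting row is `config=disabled dmesg=runtime`, which means the SELinux hooks were registered before the config file was honoured, whereas `cmdline_selinux0=yes dmesg=boot` is the state the reporter was expecting anaconda to produce.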

Comment 3 Chris Lumens 2009-07-21 14:42:29 UTC
In the very long time since this bug was initially filed, a whole lot of things have changed.  For instance, we no longer offer the SELinux screen in anaconda because it's now an integral component of a Fedora system.  If you pass selinux=0 on the kernel command line when you install, it will get passed to the final installed system.

For this particular SELinux issue, you need to take that up with the SELinux guys.