Red Hat Bugzilla – Full Text Bug Listing
Summary: anaconda: no selinux=0 when Disable SELinux is selected
Product: [Fedora] Fedora
Reporter: Jeff Moe (jebba) <moe>
Component: anaconda
Assignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED NOTABUG
QA Contact: Mike McLean <mikem>
Doc Type: Bug Fix
Last Closed: 2009-07-21 10:42:29 EDT
Description Jeff Moe (jebba) 2005-01-22 19:36:36 EST
Description of problem:
When an install is performed and SELinux is selected to be disabled in anaconda it does /not/ set "selinux=0" in grub.conf.

Version-Release number of selected component (if applicable):
anaconda-10.1.0.2-1

Steps to Reproduce:
1. Do a fresh install (I did Custom Minimal, fwiw)
2. Select SELinux: Disable
3. Reboot
4. Check grub.conf or dmesg

Actual results:
There is no selinux=0 in /etc/grub.conf. Note that selinux does get disabled, but after it initializes and starts in permissive mode.

    $ dmesg | grep selinux -i
    SELinux: Initializing
    SELinux: Starting in permissive mode
    selinux_register_security: Registering secondary module capability
    SELinux: Registering netfilter hooks
    SELinux: Disabled at runtime.
    SELinux: Unregistering netfilter hooks

When selinux=0, boot looks like:

    $ dmesg | grep selinux -i
    SELinux: Disabled at runtime.
    SELinux: Unregistering netfilter hooks

Note, anaconda-ks.cfg shows that it was selected as disabled:

    selinux --disabled

Expected results:
SELinux is completely disabled and never starts or does anything that could potentially wreak selinux havoc. Or even better, the word "selinux" never appears anywhere on the system. Even with it disabled, two selinux RPMs are installed. How about an "selinux --banished" option? ;)

Additional info:
Perhaps the best way to do this is to make:

    bootloader --location=mbr --append="rhgb quiet"

into

    bootloader --location=mbr --append="rhgb quiet selinux=0"
Comment 1 Jeremy Katz 2005-01-22 19:48:52 EST
selinux disabled turns it off in the SELinux config file which then disables things very early in init before it ever matters. Boot loader entries are extremely problematic in a lot of cases.
Comment 2 Jeff Moe (jebba) 2009-07-21 06:24:29 EDT
Actually NOTABUG, turns out to be a bug that gives local root access (without need of suid pulseaudio). Bummer.

http://lwn.net/Articles/342460/

> Posted Jul 20, 2009 22:15 UTC (Mon) by spender (subscriber, #23067)
> In reply to: mmap_min_addr and security modules by corbet
> Parent article: Fun with NULL pointers, part 1
>
> That's not the right check. security_file_mmap (which is either set by the capabilities module or overridden by the SELinux module) is what implements the final check. The one you pasted doesn't even apply for MAP_FIXED but is just to ensure that the allocator doesn't choose an address below mmap_min_addr when only a hint is specified. If SELinux is compiled into the kernel, it needs to be disabled at boot via the kernel command-line, otherwise it registers its hooks with LSM and overrides that of the capabilities module for security_file_mmap which performs the mmap_min_addr check.
>
> -Brad
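As an added audit helper (not code from anaconda or from anyone in this thread), the following POSIX shell functions tell the two boot patterns quoted in the report apart and flag the "disabled only in /etc/selinux/config" case that the quoted LWN comment warns about; the kernel command line, config file contents and dmesg text used below are constructed samples.

```shell
#!/bin/sh
# Added example: distinguish "SELinux never started" (selinux=0 on the kernel
# command line) from "SELinux started, then was disabled at runtime" (only
# SELINUX=disabled in /etc/selinux/config). Per the LWN comment quoted above,
# only the first case keeps SELinux from registering its LSM hooks, so only the
# first case leaves the capabilities module's mmap_min_addr check in place.

# Classify from the kernel command line and the text of /etc/selinux/config.
# Prints one of: cmdline | config | enabled
selinux_disable_mode() {
    cmdline="$1"; config="$2"
    case " $cmdline " in
        *" selinux=0 "*) echo cmdline; return 0 ;;
    esac
    if printf '%s\n' "$config" | grep -Eq '^[[:space:]]*SELINUX=disabled[[:space:]]*$'; then
        echo config; return 0
    fi
    echo enabled
}

# Classify from dmesg output, using the two patterns shown in the report:
# a config-only disable logs "Starting in permissive mode" before
# "Disabled at runtime."; a selinux=0 boot logs only the latter.
# Prints one of: never-started | disabled-at-runtime | running
selinux_mode_from_dmesg() {
    dmesg="$1"
    if printf '%s\n' "$dmesg" | grep -q 'SELinux:[[:space:]]*Disabled at runtime'; then
        if printf '%s\n' "$dmesg" | grep -q 'Starting in permissive mode'; then
            echo disabled-at-runtime
        else
            echo never-started
        fi
    else
        echo running
    fi
}

# Constructed sample inputs mirroring the report.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted'
SAMPLE_DMESG_CONFIG_ONLY='SELinux: Initializing
SELinux: Starting in permissive mode
SELinux: Disabled at runtime.'
SAMPLE_DMESG_CMDLINE='SELinux: Disabled at runtime.
SELinux: Unregistering netfilter hooks'

echo "config only: $(selinux_disable_mode 'ro root=/dev/sda1 rhgb quiet' "$SAMPLE_CONFIG")"
echo "dmesg:       $(selinux_mode_from_dmesg "$SAMPLE_DMESG_CONFIG_ONLY")"
```

On a live system, feed it `$(cat /proc/cmdline)`, `$(cat /etc/selinux/config)` and `$(dmesg)`; a result of `config` or `disabled-at-runtime` is the situation the bug report describes.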
Comment 3 Chris Lumens 2009-07-21 10:42:29 EDT
In the very long time since this bug was initially filed, a whole lot of things have changed. For instance, we no longer offer the SELinux screen in anaconda because it's now an integral component of a Fedora system. If you pass selinux=0 on the kernel command line when you install, it will get passed to the final installed system. For this particular SELinux issue, you need to take that up with the SELinux guys.