Bug 1673672
| Summary: | SELINUXTYPE not being set in /etc/selinux/config | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jerry Snitselaar <jsnitsel> |
| Component: | anaconda | Assignee: | Anaconda Maintenance Team <anaconda-maint-list> |
| Status: | CLOSED WONTFIX | QA Contact: | Release Test Team <release-test-team> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | jkonecny, jsnitsel, vmojzis |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-01 07:32:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Jerry Snitselaar
2019-02-07 18:20:13 UTC
Hello, If I understand the issue correctly then during the installation of the selinux-policy-minimum the SELINUXTYPE value in the /etc/selinux/config file should be set to something else than targeted (correct value). But after the installation it is still targeted. By a quick look into the Anaconda code it looks like we are changing only the SELINUX value in the installed file. So I would expect that scriptlets of the selinux-policy-minimum package should change this value correctly. I'm trying to find out why the SELINUXTYPE value is not properly set by a package and what is the reason that Anaconda should do that? I would rather not change something based on the package installed; it is really easy to forget about this code when, for example, the package is renamed.

Vit, Can you explain why this should happen in anaconda instead of the selinux-policy-* packages?

Jiri, My understanding of the explanation I received is that installing a selinux-policy-* package doesn't necessarily mean the user wants that type? I'm not sure under what circumstances that would happen, or what the end effect would be of, for example, having selinux-policy-minimum installed but an SELINUXTYPE of targeted. In the case I'm working on, because of the package that requires the policy module package not having a requires based on the specific selinux-policy-%{selinuxtype} package, it apparently was causing the kickstart install to fail completely. That is solved, but my understanding is that the worry is a mismatch between the type in the config file and the policy package that is installed could cause issues. This really isn't my area, I just have been trying to understand it because I maintain the tpm packages for RHEL.

Thinking about it some more, the choice of the selinux-policy-* package to install comes out of the dependency checking (and whatever is put into the kickstart file), right? At the point that list of packages gets generated can anaconda take action, or is the installation process already in progress? Just wondering if it is even possible to make this work.

Yes, we can read what packages will be installed before the installation and after dependency resolving and we can adjust settings of the system based on that. This is not a problem. The problematic part is that we are responsible for setting the correct type for the installed system but we (Anaconda developers) don't have the knowledge to do that. We don't know what the plans of these packages are and what should be the correct type to be set based on the installed system. If this is really the only option then I can imagine an Anaconda addon which will be maintained by the selinux developers and it will do the required changes but I'm still not convinced that doing this in the package scriptlet would be a much better solution. Another solution could be that the user will choose what SELINUXTYPE will be set by kickstart but if I understand you correctly then it doesn't solve your issue.

As Jerry wrote, SELINUXTYPE should always be consciously set by the system administrator. Therefore by default each system should be installed with "targeted" policy, which can later be changed using the procedure described in [1]. Since there was a change in the default system configuration, anaconda should make sure that the configuration files are consistent. That being said, I wrote a patch for selinux-policy-* packages which should be able to resolve the situation [2]. The patch changes behaviour of the packages and therefore cannot be incorporated in RHEL-7 packages.
The anaconda addon sounds much better since it could change the config file based on the knowledge of what packages will be installed in a transaction (%post script is very dependent on installation order).

[1] - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#enabling-mls-in-selinux
[2] - https://src.fedoraproject.org/rpms/selinux-policy/pull-request/15

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
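
Since the report was closed without a fix, the mismatch discussed above (a SELINUXTYPE value that names a policy that is not installed) can be checked for after installation, for example from a kickstart %post section. The script below is an added example and is not code from anaconda, selinux-policy, or any commenter on this bug; the function names and the optional root argument are hypothetical, and it assumes the usual layout where each policy package installs /etc/selinux/<type>/policy/policy.<N>.

```shell
#!/bin/sh
# Added example (not anaconda or selinux-policy code). Paths are relative to an
# optional root, e.g. the installer's target mount or "" for the running system.

# Print the SELINUXTYPE value from <root>/etc/selinux/config (last one wins).
selinux_configured_type() {
    root=${1:-}
    sed -n 's/^[[:space:]]*SELINUXTYPE=\([^[:space:]#]*\).*$/\1/p' \
        "$root/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Print installed policy types: directories that contain policy/policy.<N>.
selinux_installed_types() {
    root=${1:-}
    for f in "$root"/etc/selinux/*/policy/policy.*; do
        [ -f "$f" ] || continue
        d=${f%/policy/policy.*}
        echo "${d##*/}"
    done | sort -u
}

# Print a verdict and return 0 (consistent), 1 (mismatch) or 2 (type unset).
selinux_type_check() {
    root=${1:-}
    cfg=$(selinux_configured_type "$root")
    inst=$(selinux_installed_types "$root" | paste -sd, -)
    if [ -z "$cfg" ]; then echo "unset installed=$inst"; return 2; fi
    case ",$inst," in
        *",$cfg,"*) echo "ok $cfg"; return 0 ;;
        *) echo "mismatch configured=$cfg installed=$inst"; return 1 ;;
    esac
}

# Constructed sample tree: only the minimum policy is installed while the
# config still says targeted, the state described in this report.
selinux_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/selinux/minimum/policy"
    : > "$t/etc/selinux/minimum/policy/policy.31"
    printf '%s\n' '# SELINUXTYPE= can take one of these values:' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$t/etc/selinux/config"
    selinux_type_check "$t"; rc=$?
    rm -rf "$t"
    return "$rc"
}
selinux_demo || true
```

The check only reports; which type to write into the config remains the administrator's decision, as stated in the comments above.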