Bug 177639
| Summary: | Disable SElinux in firstboot fails. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Woodhouse <dwmw2> |
| Component: | system-config-securitylevel | Assignee: | Chris Lumens <clumens> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-02-08 20:09:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 150222 | ||
Dan - the problem here is that when someone sets SELinux to disabled from the default of enforcing in firstboot, I'm not running any sort of program to disable it. All that happens is that /etc/sysconfig/selinux is modified so that it will be disabled on the next reboot. Is there any action I can take to disable it immediately? No the best you can do is disable enforcing mode until the next reboot. setenforce 0 Unmount /selinux might also cause is_selinux_enabled to start returning errors or that it is not enabled, but I am not sure this would be stable. Dan This worked perfectly when it was done in anaconda before we booted into the 'live' system. Why was it changed? Still happening in current rawhide. I turn off selinux in firstboot, but still
am not permitted to things like loading libraries from /lib64...
audit(1139323154.689:89): avc: denied { search } for pid=2652 comm="gpm"
name="lib64" dev=sda5 ino=1729921 scontext=system_u:system_r:gpm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
That's a separate selinux bug, of course -- but since I've _never_ had a working
system with selinux, the feature I _really_ want is to be able to just disable it.
firstboot should force a reboot if you disable selinux, since this is the only way to disable it once it is running. It should also setenforce 0, before it reboots since strange things can happen before the reboot. David, Please report the bugs that you have had to get your machine running with SELinux enabled. If you are hitting these bugs, others are probably as well. As far as the AVC message you are showing above, this is a serious problem, since it indicates /lib64 was never labeled. Looks like an installation problem if this is a fresh install. I think I did report the /lib64 bug already somewhere, or I was told that it had already been reported. It's a fresh install -- it's easy enough to reproduce. firstboot now does seem to want to force a reboot when I disable selinux -- that's fine. But it's also telling me that the entire file system will need to be relabelled. That's strange, since selinux is being disabled. That's a generic warning message that appears. I can change this after FC5 when we're free to mess with strings again. |
I asked for no selinux. It seems to have ignored me... I have random failures which I usually associate with selinux, and this kind of thing in /var/log/audit/audit.log... type=AVC msg=audit(1137083751.862:271): avc: denied { connectto } for pid=2845 comm="cups-config-dae" name="system_bus_socket" scontext=system_u:system_r:cupsd_config_t:s0 tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=unix_stream_socket This is still my first boot -- should I have to reboot before SElinux is disabled? If so, that should be documented (or selinux choice should be done in anaconda instead of firstboot).