Bug 2039968

Summary: anaconda writes "selinux=0" to /etc/default/grub on live installs
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: anaconda
Assignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: rawhide
CC: anaconda-maint-list, jonathan, kellin, robatino, vanmeeuwen+fedora, vponcova, vslavik, w
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: openqa
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-02-05 00:48:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1953783

Description Adam Williamson 2022-01-12 19:42:18 UTC
In recent Rawhide composes, it seems that anaconda is adding "selinux=0" to the GRUB_CMDLINE_LINUX line in /etc/default/grub on live installs, so it reads:

GRUB_CMDLINE_LINUX="rhgb quiet selinux=0"

This obviously results in the system having SELinux disabled, which is definitely not what we want.

This only seems to happen on live installs (at least, on a quick check - the openQA base_selinux test is failing on live image installs, but passing on the server DVD install and the Silverblue dvd_ostree install). I'm not sure what changed exactly, yet.

This is a violation of Basic release criterion "Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode" - https://fedoraproject.org/wiki/Basic_Release_Criteria#selinux-configuration - so proposing as a Beta blocker.

Comment 1 Adam Williamson 2022-01-13 19:01:19 UTC
https://github.com/rhinstaller/anaconda/commit/b11de43acca8ccca410557ac7513e99076d94234 inadvertently flipped the logic of a check in liveinst that's supposed to add `--noselinux` to the anaconda command line if SELinux is disabled; now it adds `--noselinux` if it's enabled. https://github.com/rhinstaller/anaconda/pull/3779 should fix it.

Comment 2 Vladimír Slávik 2022-01-17 15:28:09 UTC
PR merged, waiting for release.

Comment 3 Adam Williamson 2022-02-05 00:48:21 UTC
This is confirmed fixed, the openQA test passes in current composes.
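
A post-install check for the condition this bug describes, added here as an example; it is not part of the original report, of anaconda, or of the openQA test. It reads GRUB_CMDLINE_LINUX from a grub defaults file and reports `selinux=0`, and also `enforcing=0`, since the release criterion quoted above requires enforcing mode. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not anaconda code): report kernel arguments in a grub
# defaults file that disable SELinux (selinux=0) or leave it permissive
# (enforcing=0). Function names are hypothetical.

# Print the arguments of the last GRUB_CMDLINE_LINUX= assignment in file $1,
# one per line, with quote characters removed. GRUB_CMDLINE_LINUX_DEFAULT is
# not matched, and shell expansions inside the value are not evaluated.
grub_cmdline_args() {
    sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' "$1" |
        tail -n 1 | tr -d \"\' | tr -s '[:space:]' '\n'
}

# Exit status: 0 = no offending argument, 1 = SELinux weakened (each
# offending argument is printed), 2 = file unreadable.
check_grub_selinux() {
    file=${1:-/etc/default/grub}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # -x matches whole arguments only, so "noselinux=0" or "selinux=01"
    # are not reported.
    bad=$(grub_cmdline_args "$file" | grep -E -x '(selinux|enforcing)=0' || true)
    [ -z "$bad" ] && return 0
    for arg in $bad; do
        echo "$file: $arg"
    done
    return 1
}
```

Called with no argument, `check_grub_selinux` reads /etc/default/grub; the arguments of the running kernel are in /proc/cmdline, which this function does not parse.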