Bug 435300

Summary: anaconda ignores selinux kickstart option
Product: Red Hat Enterprise Linux 4 Reporter: Klaus Ethgen <Klaus+rhbz>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 4.8CC: dwalsh, jgranado, lists, rlerch, tao
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Known Issue: In previous versions of Red Hat Enterprise Linux 4, adding the line selinux --permissive to a kickstart file sets selinux to permissive mode. However, this line is currently ignored by the installer, leaving selinux set to the default mode: enforcing. To set selinux to permissive or disabled mode during a kickstart installation, add the sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config command to the %post section of the kickstart file. Making sure to replace "permissive" with the required selinux mode. Alternatively, make sure that /etc/selinux/config contains SELINUX=permissive after installation is complete. Again, making sure that "permissive" is replaced with the required selinux mode.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-25 14:21:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 458752    

Description Klaus Ethgen 2008-02-28 15:45:08 UTC 
Description of problem:
I have the line
   selinux --permissive
in my kickstart file. This worked well for long time now. But since some time
the resulting system has selinux in enforced mode.

How reproducible:
· Add the line above to a kickstart file
· Install the system
· look to /etc/selinux/config

Actual results:
SELINUX=enforcing

Expected results:
SELINUX=permissive
Comment 1 Andy Lindeberg 2008-07-24 21:57:56 UTC 
Can you please attach the kickstart file you're using, as well as
/var/log/anaconda.log?
Comment 2 Joel Andres Granados 2008-09-24 12:17:26 UTC 
There are two workarounds for this bug and they are:

put "setenforce 1" in the %pre section.

or, once the system has finished installation execute the `setenforce 1` command.

This will not go int 4.8
Comment 3 RHEL Program Management 2008-09-24 12:38:45 UTC 
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.
Comment 4 Klaus Ethgen 2009-05-13 09:23:12 UTC 
I know how to work around the bug but that do not fix the bug at all.

The problem is that the _documented_ way how to do it does not work anymore. I do not know why you declined the bug but. So please specify it a bit more.
Comment 6 Ludek Smid 2009-05-13 14:51:02 UTC 
(In reply to comment #4)
> The problem is that the _documented_ way how to do it does not work anymore. I
> do not know why you declined the bug but. So please specify it a bit more.  
It's *very* late in RHEL 4.8 release cycle. We are considering release noting this bug.
Comment 8 Joel Andres Granados 2009-05-13 15:12:56 UTC 
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
For rhel4.8 installations there is a known issue where the system installs with selinux in enforcing mode, even though "selinux --permissive" was present in the kickstart file.
If the resulting system needs to be in permissive mode,"setenforce 1" must be added to the %pre section of the kickstart file. Or "setenforce 1" must be executed once the system has finished its reboot after installation.
Comment 10 Ryan Lerch 2009-05-14 01:25:00 UTC 
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,2 +1,21 @@
-For rhel4.8 installations there is a known issue where the system installs with selinux in enforcing mode, even though "selinux --permissive" was present in the kickstart file.
+Known Issue: In previous versions of Red Hat Enterprise Linux 4, adding the line
-If the resulting system needs to be in permissive mode,"setenforce 1" must be added to the %pre section of the kickstart file. Or "setenforce 1" must be executed once the system has finished its reboot after installation.+
+    selinux --permissive
+
+to a kickstart file sets selinux to permissive mode. However, this line is currently ignored by the installer, leaving selinux set to the default mode: enforcing.
+
+To set selinux to permissive mode during a kickstart installation, add the
+
+    setenforce 1
+
+command to the
+
+    %pre
+
+section of the kickstart file.
+
+Alternatively, run
+
+    setenforce 1
+
+after installation is complete.
Comment 11 Barry Brimer 2009-05-18 18:49:01 UTC 
I do not see how using "setenforce 1" anywhere will cause the installed system to modify the default behavior of SELinux.  setenforce is used to modify SELinux on a running system, while it is running, but does not have any persistence, nor does ti change the content of any configuration files.  To make this change across a system reboot you will need to change the SELINUX= line in /etc/selinux/config with a command similar to:

sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config
Comment 12 Chris Lumens 2009-05-19 15:12:45 UTC 
anaconda always runs in permissive mode, so messing with setenforce in the %pre script isn't going to do anything, just like comment #11 says.
Comment 13 Joel Andres Granados 2009-05-19 15:47:37 UTC 
Barry:

Thx for the correction.
Comment 14 Joel Andres Granados 2009-05-19 15:47:37 UTC 
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -6,16 +6,17 @@
 
 To set selinux to permissive mode during a kickstart installation, add the
 
-    setenforce 1
 
+    sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config
+
 command to the
 
-    %pre
+    %post
 
 section of the kickstart file.
 
-Alternatively, run
+Alternatively, make sure that /etc/selinux/config contains
 
-    setenforce 1
+SELINUX=enforcing
 
 after installation is complete.
Comment 15 Barry Brimer 2009-05-19 16:36:50 UTC 
For completeness .. I imagine that the selinux directive as a whole is being ignored, regardless of what mode selinux is being set to, although I have not tested this.  In which case, the release note should probably state that the selinux parameter is being ignored and as such to set your system to permissive mode to include:

sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config

or to set SELinux to disabled mode to include:

sed -i -e 's/\(^SELINUX=\)enforcing$/\1disabled/' /etc/selinux/config

in the %post section of your kickstart file.

In a related note, it may be worth checking to see if this issue occurs in an interactive install, or only in a kickstart.
Comment 16 Barry Brimer 2009-05-19 17:47:05 UTC 
I believe this should read:

Alternatively, make sure that /etc/selinux/config contains

SELINUX=permissive

or

SELINUX=disabled


based upon your desired (non-enforcing, non-default) SELinux mode

.. making sure that /etc/selinux/config contains

SELINUX=enforcing

is incorrect.
Comment 17 Daniel Walsh 2009-05-19 17:52:08 UTC 
lokkit --selinux=disabled

will do this also, although it might muck around with iptables rules.


command looks good.
Comment 18 Joel Andres Granados 2009-05-19 17:53:28 UTC 
I still think that giving the user the sed line is very usefull.   Instead of
just telling him to "make sure" with out giving anymore info.  Let me do a
little modification to the sed statement.
Comment 19 Joel Andres Granados 2009-05-19 17:58:59 UTC 
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -4,19 +4,19 @@
 
 to a kickstart file sets selinux to permissive mode. However, this line is currently ignored by the installer, leaving selinux set to the default mode: enforcing.
 
-To set selinux to permissive mode during a kickstart installation, add the
+To set selinux to permissive or disabled mode during a kickstart installation, add the
 
 
-    sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config
+    sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config
 
 command to the
 
     %post
 
-section of the kickstart file.
+section of the kickstart file.  Making sure to replace "permissive" with the required selinux mode.
 
 Alternatively, make sure that /etc/selinux/config contains
 
-SELINUX=enforcing
+SELINUX=permissive
 
-after installation is complete.+after installation is complete.  Again, making sure that "permissive" is replaced with the required selinux mode.
Comment 20 RHEL Program Management 2010-03-25 14:21:14 UTC 
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.