Bug 454338

Summary: RFE: Plz add feature to disable selinux *without* dialog box
Product: [Fedora] Fedora
Component: anaconda
Reporter: Jeff Moe (jebba) <moe>
Assignee: Anaconda Maintenance Team <anaconda-maint-list>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Version: rawhide
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-07 19:26:23 UTC

Description Jeff Moe (jebba) 2008-07-07 19:17:41 UTC
Description of problem:
Some users, for whatever reason, do not need or want selinux. The latest
anaconda removes the dialog box to disable selinux and this has upset a not
insignificant number of users.

* Red Hat wants to have selinux enabled by default
* Red Hat wants as few confusing dialog boxes as possible (especially where the
user likely doesn't know what they want)

But:
* Many users do not want selinux and would like to disable it.

So there has been a very long thread on fedora-devel about this and people
arguing to have the dialog box back, others saying users that don't want it are
confused. I noted (somewhat indirectly) that one Fedora user named Linus happens
to disable selinux.... It has resulted in much gnashing of teeth.


Version-Release number of selected component (if applicable):
Latest rawhide, apparently.


How reproducible:
Run anaconda, try to disable selinux.


Steps to Reproduce:
1. Run install CD from the future (which doesn't yet exist AFAIK)
2. In anaconda disable selinux
3. Fail
  

Actual results:
No way to disable selinux.


Expected results:
SELinux completely disabled.


Additional info:

I propose the *perfect* solution which is easy and satisfies everyone above.

Other obscure setups, such as users that want xfs/reiserfs/jfs filesystems, can
do so by specifying them at the boot: prompt of the CD. This allows these
non-typical setups to be used, without bothering users with dialogs such as
"which filesystem do you want? reiser/xfs/jfs? etc". Best of both worlds. The
same should be done with selinux.

All that would need to be done is:

1) Add documentation to the install manual which says, "If you want to disable
SELinux, add 'linux selinux=0' to the boot: line of the install CD"

2) Also add this to the CD's syslinux files (e.g. where you hit F3 or whatever
on the install CD and it tells you options).

3) Anaconda would need a small unobtrusive patchlet which sees that selinux=0
has been passed to the install (which I think it does already, so it runs
anaconda --disable-selinux or somesuch) and then pass this to grub.conf. The
passing to grub would then mean the user wouldn't have to do any post-install
configuration either.

*WIN* *WIN* *WIN* everyone.  :)

Thanks.

Comment 1 Jeremy Katz 2008-07-07 19:26:23 UTC
You can already boot with 'selinux=0' and this is even already documented in the
command-line.txt document included with the anaconda package (and linked to on
the wiki).

And this has been the case since the first bits of SELinux support were added
about four years ago.

Comment 2 Jeff Moe (jebba) 2008-07-07 21:20:11 UTC
You can boot with selinux=0, but unless I'm mistaken this does not get passed on
to the installed system (hence the previous need for a dialog box).

Comment 3 Jeremy Katz 2008-07-07 21:43:38 UTC
If you install with selinux=0, we ensure that disabled gets set in
/etc/selinux/config.

Comment 4 Jeff Moe (jebba) 2008-07-07 22:43:21 UTC
Ok, I just tested this with a stock Fedora 9 installation--I believe it's the
same for rawhide. If you pass selinux=0 to the CD boot: line it does *not* get
passed to grub in the final install.


It gets disabled in /etc/selinux/config, which is like passing noselinux to
anaconda, but it doesn't get passed to grub.conf. They do have different behavior.

Concisely:
user does:   boot: selinux=0
anaconda: anaconda.id.bootloader.args.append("selinux=0")
grub then has:  selinux=0


Then if any user ever mentions it on fedora-devel again, just say "install with
selinux=0 and it will *completely* disable it".  Everybody happy. :)
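
The difference discussed in comments 3 and 4, as an added example that is not part of the bug report or of anaconda's code: a shell check that reports whether an installed system has SELinux disabled through /etc/selinux/config, through selinux=0 on the grub.conf kernel line, or both. The sample files are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: how is SELinux disabled on an installed system, if at all?
# File paths are arguments, so the check also works on a mounted image.

# Print the effective SELINUX= value of an /etc/selinux/config style file.
# The last uncommented SELINUX= line wins; SELINUXTYPE= does not match.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Succeed if an uncommented kernel line in a legacy grub.conf has selinux=0.
grub_disables_selinux() {
    grep -Eq '^[[:space:]]*kernel[[:space:]].*[[:space:]]selinux=0([[:space:]]|$)' "$1"
}

# Combine both sources into one state string.
selinux_install_state() {
    cfg=$(config_mode "$1")
    cfg=${cfg:-unset}
    if grub_disables_selinux "$2"; then arg=off; else arg=on; fi
    case "$cfg:$arg" in
        disabled:off) echo "disabled-config-and-cmdline" ;;
        disabled:on)  echo "disabled-config-only" ;;
        *:off)        echo "disabled-cmdline-only" ;;
        *)            echo "$cfg" ;;
    esac
}

# Constructed sample files (not taken from a real installation).
demo_dir=$(mktemp -d)
printf '%s\n' '# SELINUX= can be enforcing, permissive or disabled' \
    'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$demo_dir/config"
printf '%s\n' 'default=0' 'title Fedora (constructed)' '    root (hd0,0)' \
    '    kernel /vmlinuz ro root=LABEL=/ rhgb quiet' \
    '    initrd /initrd.img' > "$demo_dir/grub-default.conf"
sed 's/rhgb quiet$/rhgb quiet selinux=0/' "$demo_dir/grub-default.conf" \
    > "$demo_dir/grub-arg.conf"

# The outcome reported in comment 4: config says disabled, grub.conf unchanged.
selinux_install_state "$demo_dir/config" "$demo_dir/grub-default.conf"
# The outcome the reporter asks for: both mechanisms agree.
selinux_install_state "$demo_dir/config" "$demo_dir/grub-arg.conf"
```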