Bug 477059

Summary: ipa-server-install generates /etc/selinux/config, kernel panics on reboot when no selinux was previously installed
Product: [Fedora] Fedora Reporter: Seva <seva>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: anaconda-maint-list, dpal, dwalsh, eparis, jgranado, sgallagh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-01-20 18:36:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Seva 2008-12-18 21:21:38 UTC
Description of problem:

On Fedora 10, ipa-server-install generates /etc/selinux/config on a system that previously did noth ave /etc/selinux/config at all and has selinux disabled and no policies installed.

on reboot kernel panics as it tries to load selinux

Version-Release number of selected component (if applicable):

ipa-server-1.2.0-3.fc10.x86_64

How reproducible:

Install Fedora 10 w/out selinux or uninstall it.

Steps to Reproduce:
1. ipa-server-install
2. shutdown -r now
  
Actual results:

kernel panic

Expected results:

no kernel panic

Additional info:

Comment 1 Rob Crittenden 2009-01-12 19:31:51 UTC
What kernel are you running?

Comment 2 Rob Crittenden 2009-01-12 20:27:49 UTC
User reports its 2.6.27.7-134.fc10.x86_64.

Additionally, this host is running as Xen DomU.

Comment 3 Eric Paris 2009-01-12 21:14:42 UTC
The real questions are

a) why did you delete /etc/selinux/config?   you're supposed to set SELINUX=disabled if you want to disable selinux, not delete the config file

b) what is actually creating the new config file.  I've no problem with it being created, but if it didn't already exist it certainly shouldn't be creating the new file with SELINUX=enforcing, which is what must have happened to get a panic...

Comment 4 Eric Paris 2009-01-12 21:25:59 UTC
Can you help explain how you went about "removing" selinux so I can try to figure out how it got out of whack?  In any case your best fix it to put the config file back with the info telling the system to disable selinux.

Comment 5 Eric Paris 2009-01-12 21:45:29 UTC
(The reporter is apparently unable to comment in BZ)

a. I didn't delete it, it was never created, the kickstart contains:

selinux --disabled

And under %packages I have

-selinux-policy
-selinux-policy-targeted

b. ipa-server-install script.

c.

Actually the problem might be that selinux stuff was pulled in by yum
as a dependency of ipa-server and /etc/selinux/config was created at
that point, I also have "selinux=0" in grub.conf

*************

So I guess we really want to stop pulling selinux-policy in on people?  Maybe?  Dan?

Comment 6 Daniel Walsh 2009-01-13 14:59:16 UTC
I guess this is really an anaconda problem.

selinux-policy package sets up the /etc/selinux/config file when it gets installed, it is pulled in by the ipa packages, in order for them to install their policy.

anaconda should really execute a 

# lokkit --selinux=disabled

When the user specifies that selinux is disabled, this would create the /etc/selinux/config file with the appropriate flags, and selinux-policy would not override.

Surprised this has never happened before.

Comment 7 Chris Lumens 2009-08-27 20:50:27 UTC
Please retest this with F12 Alpha and if you're still seeing the problem, attach /tmp/program.log to this bug report so we can see how lokkit was run.  anaconda certainly does know how to run lokkit to disable selinux.

Comment 8 Bug Zapper 2009-11-16 09:44:01 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping