Bug 1032128 - SELinux in enforcing mode in RHSS system installed from RHSS 2.1 U1 RC ISO
SELinux in enforcing mode in RHSS system installed from RHSS 2.1 U1 RC ISO
Status: CLOSED CURRENTRELEASE
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: distribution (Show other bugs)
2.1
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Anthony Towns
Rejy M Cyriac
: Regression, ZStream
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-19 10:24 EST by Rejy M Cyriac
Modified: 2014-07-11 02:40 EDT (History)
6 users (show)

See Also:
Fixed In Version: redhat-storage-server-2.1.1.0-6.el6rhs
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-09 11:45:29 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rejy M Cyriac 2013-11-19 10:24:56 EST
Description of problem:
SELinux in enforcing mode in RHSS system installed from RHSS 2.1 U1 RC ISO - RHSS-2.1-20131114.0-RHS-x86_64-DVD1.iso

The SELinux config file is expected to be edited by post install script of redhat-storage-server rpm, for it to be set to disabled. It is interesting to note that for RHSS system installed from RH Satellite Server, SELinux is disabled as expected.

--------------------------------
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

# cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted

# rpm -q redhat-storage-server
redhat-storage-server-2.1.1.0-5.el6rhs.noarch
# 

# rpm -q --scripts redhat-storage-server | grep -i selinux
sed -i -e 's/\(^SELINUX=\).*$/\1disabled/' /etc/selinux/config

# rpm -ivh --force /mnt/Packages/redhat-storage-server-2.1.1.0-5.el6rhs.noarch.rpm 
Preparing...                ########################################### [100%]
   1:redhat-storage-server  ########################################### [100%]

# cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted
# 
--------------------------------

Version-Release number of selected component (if applicable):
RHSS-2.1-20131114.0-RHS-x86_64-DVD1.iso

How reproducible:


Steps to Reproduce:
1.Install RHSS using RHSS-2.1-20131114.0-RHS-x86_64-DVD1.iso 
2.Examine SELinux status after reboot

Actual results:
SELinux is not disabled, but in enforcing, on RHSS system installed from ISO, while SELinux is disabled on RHSS system installed from RH Satellite Server.

Expected results:
SELinux should be disabled on RHSS system installed from ISO or RH Satellite Server.

Additional info:
Comment 1 Rejy M Cyriac 2013-11-19 10:30:31 EST
It was observed that SELinux was being disabled, as expected, in earlier ISO compose - RHSS-2.1-20131023.n.0-RHS-x86_64-DVD1
Comment 2 Rejy M Cyriac 2013-11-19 13:47:07 EST
During the installation of the RHSS system using the RHSS-2.1-20131114.0-RHS-x86_64-DVD1.iso , I kept watch on the '/etc/selinux/config' file, and was able to observe the following:

1. The original file was put in with SELinux config settings as 'enforcing', which is expected.

2. When the redhat-storage-server package is installed, the SELinux config is edited to have the setting changed to 'disabled', which is again as expected.

3. It seems that the SELinux setting of 'disabled' is retained till all packages are installed, though it is hard to verify exactly.

4. Then abruptly the SELinux setting is changed to 'enforcing' in the config file. It appears to be happening during the period after package installation is completed, and postscripts/postaction phase starts. But I was not able to verify the exact point of time.

To further confirm, I made the '/etc/selinux/config' file immutable (unchangeable), after the redhat-storage-server package installation had made the expected change to 'disabled'. The installation proceeded to completion without any error to the reboot screen. Then I changed the file back to normal, and rebooted the system. The SELinux 'disabled' setting was retained.

It is confirmed that all the postscript actions of the redhat-storage-server is being executed, but something is changing the SELinux setting back to 'enforcing' at the very end of installation.

Hope these observations help to narrow down the issue.
Comment 3 Rejy M Cyriac 2013-11-19 14:02:12 EST
I think I may have found the bugger ;-)

Looking at the '/var/log/anaconda.program.log' in the RHSS system that I had installed from RHSS-2.1-20131114.0-RHS-x86_64-DVD1.iso, on which I had made the '/etc/selinux/config' file immutable, I see the following entries. Note that I have placed arrows to highlight the interesting parts.

----------------------------------------------------------
Running... /bin/mount -n -t selinuxfs -o defaults /selinux /mnt/sysimage/selinux
Running... /bin/mount -n -t usbfs -o defaults /proc/bus/usb /mnt/sysimage/proc/bus/usb
Running... /bin/umount /mnt/stage2
23:58:13,855 INFO    : Running... ['/usr/sbin/authconfig', '--update', '--nostart', '--enableshadow', '--passalgo=sha512', '--enablefingerprint']
23:58:14,176 INFO    : Running... ['/usr/sbin/lokkit', '--quiet', '--nostart', '-f', '--service=ssh']
23:58:14,250 INFO    : Running... ['/usr/sbin/lokkit', '--quiet', '--nostart', '--selinux=enforcing']  <----------
23:58:14,316 INFO    : Failed to write selinux configuration. <----------
23:58:14,629 INFO    : Running... ['/sbin/grub-install', '--just-copy']
23:58:14,706 INFO    : Running... ['/sbin/grub', '--batch', '--no-floppy', '--device-map=/boot/grub/device.map']
----------------------------------------------------------

Now trying the same '/usr/sbin/lokkit' command with the given options, on the installed system, I get the following.
----------------------------------------------------------
# sestatus 
SELinux status:                 disabled

# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 


# /usr/sbin/lokkit --quiet --nostart --selinux=enforcing
/usr/sbin/setenforce: SELinux is disabled

# cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted
----------------------------------------------------------

It can be seen that the run of the command changes the SELinux config setting to 'enforcing'

This command comes from the following package.

----------------------------------------------------------
# rpm -qf /usr/sbin/lokkit 
system-config-firewall-base-1.2.27-5.el6.noarch
----------------------------------------------------------
Comment 4 Rejy M Cyriac 2013-11-19 14:11:54 EST
The system-config-firewall-base package was not previously being installed on an RHSS system installed from ISO, but it was being installed on an RHSS system installed from RH Satellite server, though without the current side-effects.

It came into the ISO install, by the following commit, which introduced the package as a 'Requires' for redhat-storage-server package

https://code.engineering.redhat.com/gerrit/#/c/15506/

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=994889#c45
Comment 5 Rejy M Cyriac 2013-11-19 14:31:12 EST
The '/usr/sbin/lokkit' command is being run during the 'writeconfig' step, as per the following snippet from /var/log/anaconda.log

----------------------------------------------------------
23:58:13,849 INFO    : leaving (1) step postinstallconfig
23:58:13,849 INFO    : moving (1) to step writeconfig
23:58:13,849 DEBUG   : writeconfig is a direct step
23:58:13,850 INFO    : Writing main configuration
23:58:13,855 WARNING : '/usr/sbin/authconfig' specified as full path
23:58:14,176 WARNING : '/usr/sbin/lokkit' specified as full path
23:58:14,250 WARNING : '/usr/sbin/lokkit' specified as full path
23:58:14,327 INFO    : removing libuser.conf at /tmp/libuser.EMNUUC
23:58:14,327 INFO    : created new libuser.conf at /tmp/libuser.EMNUUC with instPath="/mnt/sysimage"
23:58:14,352 INFO    : leaving (1) step writeconfig
23:58:14,352 INFO    : moving (1) to step firstboot
23:58:14,352 DEBUG   : firstboot is a direct step
23:58:14,352 INFO    : leaving (1) step firstboot
23:58:14,353 INFO    : moving (1) to step instbootloader
----------------------------------------------------------
Comment 7 Bala.FA 2013-11-19 21:09:38 EST
The patch is under review at https://code.engineering.redhat.com/gerrit/16011

This patch removes system-config-firewall-base and system-config-firewall-tui as dependencies.  As a side effect, these two packages will add in discrepency in installed package list between ISO vs Satellite.
Comment 10 Rejy M Cyriac 2013-11-20 10:59:55 EST
Verified on RHSS-2.1-20131120.0-RHS-x86_64-DVD1.iso .

SELinux is being persistently set to disabled state.

Note You need to log in before you can comment on or make changes to this bug.