It was observed that SELinux was being disabled, as expected, in earlier ISO compose - RHSS-2.1-20131023.n.0-RHS-x86_64-DVD1

During the installation of the RHSS system using the RHSS-2.1-20131114.0-RHS-x86_64-DVD1.iso , I kept watch on the '/etc/selinux/config' file, and was able to observe the following:

1. The original file was put in with SELinux config settings as 'enforcing', which is expected.

2. When the redhat-storage-server package is installed, the SELinux config is edited to have the setting changed to 'disabled', which is again as expected.

3. It seems that the SELinux setting of 'disabled' is retained till all packages are installed, though it is hard to verify exactly.

4. Then abruptly the SELinux setting is changed to 'enforcing' in the config file. It appears to be happening during the period after package installation is completed, and postscripts/postaction phase starts. But I was not able to verify the exact point of time.

To further confirm, I made the '/etc/selinux/config' file immutable (unchangeable), after the redhat-storage-server package installation had made the expected change to 'disabled'. The installation proceeded to completion without any error to the reboot screen. Then I changed the file back to normal, and rebooted the system. The SELinux 'disabled' setting was retained.

It is confirmed that all the postscript actions of the redhat-storage-server is being executed, but something is changing the SELinux setting back to 'enforcing' at the very end of installation.

Hope these observations help to narrow down the issue.

I think I may have found the bugger ;-)

Looking at the '/var/log/anaconda.program.log' in the RHSS system that I had installed from RHSS-2.1-20131114.0-RHS-x86_64-DVD1.iso, on which I had made the '/etc/selinux/config' file immutable, I see the following entries. Note that I have placed arrows to highlight the interesting parts.

----------------------------------------------------------
Running... /bin/mount -n -t selinuxfs -o defaults /selinux /mnt/sysimage/selinux
Running... /bin/mount -n -t usbfs -o defaults /proc/bus/usb /mnt/sysimage/proc/bus/usb
Running... /bin/umount /mnt/stage2
23:58:13,855 INFO    : Running... ['/usr/sbin/authconfig', '--update', '--nostart', '--enableshadow', '--passalgo=sha512', '--enablefingerprint']
23:58:14,176 INFO    : Running... ['/usr/sbin/lokkit', '--quiet', '--nostart', '-f', '--service=ssh']
23:58:14,250 INFO    : Running... ['/usr/sbin/lokkit', '--quiet', '--nostart', '--selinux=enforcing']  <----------
23:58:14,316 INFO    : Failed to write selinux configuration. <----------
23:58:14,629 INFO    : Running... ['/sbin/grub-install', '--just-copy']
23:58:14,706 INFO    : Running... ['/sbin/grub', '--batch', '--no-floppy', '--device-map=/boot/grub/device.map']
----------------------------------------------------------

Now trying the same '/usr/sbin/lokkit' command with the given options, on the installed system, I get the following.
----------------------------------------------------------
# sestatus 
SELinux status:                 disabled

# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 


# /usr/sbin/lokkit --quiet --nostart --selinux=enforcing
/usr/sbin/setenforce: SELinux is disabled

# cat /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted
----------------------------------------------------------

It can be seen that the run of the command changes the SELinux config setting to 'enforcing'

This command comes from the following package.

----------------------------------------------------------
# rpm -qf /usr/sbin/lokkit 
system-config-firewall-base-1.2.27-5.el6.noarch
----------------------------------------------------------

The system-config-firewall-base package was not previously being installed on an RHSS system installed from ISO, but it was being installed on an RHSS system installed from RH Satellite server, though without the current side-effects.

It came into the ISO install, by the following commit, which introduced the package as a 'Requires' for redhat-storage-server package

https://code.engineering.redhat.com/gerrit/#/c/15506/

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=994889#c45

The '/usr/sbin/lokkit' command is being run during the 'writeconfig' step, as per the following snippet from /var/log/anaconda.log

----------------------------------------------------------
23:58:13,849 INFO    : leaving (1) step postinstallconfig
23:58:13,849 INFO    : moving (1) to step writeconfig
23:58:13,849 DEBUG   : writeconfig is a direct step
23:58:13,850 INFO    : Writing main configuration
23:58:13,855 WARNING : '/usr/sbin/authconfig' specified as full path
23:58:14,176 WARNING : '/usr/sbin/lokkit' specified as full path
23:58:14,250 WARNING : '/usr/sbin/lokkit' specified as full path
23:58:14,327 INFO    : removing libuser.conf at /tmp/libuser.EMNUUC
23:58:14,327 INFO    : created new libuser.conf at /tmp/libuser.EMNUUC with instPath="/mnt/sysimage"
23:58:14,352 INFO    : leaving (1) step writeconfig
23:58:14,352 INFO    : moving (1) to step firstboot
23:58:14,352 DEBUG   : firstboot is a direct step
23:58:14,352 INFO    : leaving (1) step firstboot
23:58:14,353 INFO    : moving (1) to step instbootloader
----------------------------------------------------------

The patch is under review at https://code.engineering.redhat.com/gerrit/16011

This patch removes system-config-firewall-base and system-config-firewall-tui as dependencies.  As a side effect, these two packages will add in discrepency in installed package list between ISO vs Satellite.

Verified on RHSS-2.1-20131120.0-RHS-x86_64-DVD1.iso .

SELinux is being persistently set to disabled state.