Bug 1258569 - anaconda interprets 'selinux=0' parameter incorrectly
anaconda interprets 'selinux=0' parameter incorrectly
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: David Shea
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2015-08-31 12:21 EDT by A.J. Werkman
Modified: 2015-11-02 10:37 EST (History)
7 users (show)

See Also:
Fixed In Version: anaconda-24.5-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-11-02 10:37:37 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description A.J. Werkman 2015-08-31 12:21:07 EDT
Description of problem:
selinux directive on the commandline and in kickstart file is not honoured.

Version-Release number of selected component (if applicable):
23_Beta_TC1 Server Product

How reproducible:

Steps to Reproduce:
1. Prepare a kickstart file with a line 'selinux --disabled'.
2. Boot using kickstart file and selinux=0 on the commandline and install the system
3. On the installed system inspect /etc/selinux/config file and see that the policy is enforcing.

Actual results:
SElinux policy is enforcing

Expected results:
SElinux policy is disabled

Additional info:
Comment 1 A.J. Werkman 2015-09-10 14:24:16 EDT
This is a blocker by the Alpha criterion:

SELinux configuration

Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode.

As selinux is not changed if explicitly specified otherwise.
Comment 2 David Shea 2015-09-10 14:28:02 EDT
The problem is that selinux=0 is being interpreted as the same as a bare "selinux", i.e., enable selinux. It's also worth noting that this is not new behavior.
Comment 3 A.J. Werkman 2015-09-10 15:21:31 EDT
How would you disable selinux from the command line then?

But anyhowe also the selinux --disable line in a kickstart file does not disable selinux.
Comment 4 David Shea 2015-09-10 15:22:13 EDT
Command line overrides kickstart. On the command line you can use noselinux.
Comment 5 Adam Williamson 2015-09-14 11:38:18 EDT
A.J.: can you confirm that just using the kickstart and not the CLI parameter works? And that using the correct CLI parameter also works? Thanks.
Comment 6 Adam Williamson 2015-09-14 12:59:29 EDT
Discussed at 2015-09-14 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2015-09-14/f23-blocker-review.2015-09-14-16.00.log.txt . Rejected as a blocker: it seems clear that the only thing here that's really a 'bug' is that anaconda doesn't interpret 'selinux=0' as expected, which is unfortunate but we agreed does not violate the criterion.

FWIW the criterion was actually only intended to require that in a 'normal' install, SELinux must be enabled. It wasn't intended to require that it be possible to disable SELinux via the installer, though I admit the wording turned out somewhat ambiguous. In any case, it seems clear that it *is* certainly possible to disable via the installer, A.J. just ran into an unfortunate corner case.
Comment 7 A.J. Werkman 2015-09-14 16:39:38 EDT
Kickstart works without the CLI parameter.

Using noselinux parameter on the commandline also works.
Comment 8 Adam Williamson 2015-09-14 17:31:23 EDT
OK, so updating the description. Thanks!
Comment 9 David Shea 2015-10-16 17:02:09 EDT

Note You need to log in before you can comment on or make changes to this bug.