Bug 1258569 - anaconda interprets 'selinux=0' parameter incorrectly
Summary: anaconda interprets 'selinux=0' parameter incorrectly
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 23
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: David Shea
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: RejectedBlocker
Reported: 2015-08-31 16:21 UTC by A.J. Werkman
Modified: 2015-11-02 15:37 UTC

Fixed In Version: anaconda-24.5-1
Clone Of:
Environment:
Last Closed: 2015-11-02 15:37:37 UTC
Type: Bug
Embargoed:



Description A.J. Werkman 2015-08-31 16:21:07 UTC
Description of problem:
selinux directive on the commandline and in kickstart file is not honoured.

Version-Release number of selected component (if applicable):
23_Beta_TC1 Server Product

How reproducible:
Every time

Steps to Reproduce:
1. Prepare a kickstart file with a line 'selinux --disabled'.
2. Boot using kickstart file and selinux=0 on the commandline and install the system.
3. On the installed system inspect /etc/selinux/config file and see that the policy is enforcing.

Actual results:
SELinux policy is enforcing

Expected results:
SELinux policy is disabled

Additional info:

Comment 1 A.J. Werkman 2015-09-10 18:24:16 UTC
This is a blocker by the Alpha criterion:

SELinux configuration

Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode.


As selinux is not changed if explicitly specified otherwise.

Comment 2 David Shea 2015-09-10 18:28:02 UTC
The problem is that selinux=0 is being interpreted as the same as a bare "selinux", i.e., enable selinux. It's also worth noting that this is not new behavior.

Comment 3 A.J. Werkman 2015-09-10 19:21:31 UTC
How would you disable selinux from the command line then?

But anyhow, also the selinux --disable line in a kickstart file does not disable selinux.

Comment 4 David Shea 2015-09-10 19:22:13 UTC
Command line overrides kickstart. On the command line you can use noselinux.
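
The interaction described in comments 2 and 4, as an added example that is not part of the original bug report and is not anaconda's code: a simplified model of a boot-argument interpreter that ignores the value of `selinux=`, next to one that honours it, with the command line taking precedence over kickstart. All function names and the sample command lines are constructed for illustration.

```python
def parse_cmdline(cmdline):
    """Split a kernel command line into {key: value}, value None for bare flags."""
    args = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        args[key] = value if sep else None
    return args

def selinux_from_cmdline_buggy(args):
    """Model of the reported behaviour: any 'selinux' key means enabled."""
    if "noselinux" in args:
        return False
    if "selinux" in args:
        return True          # value ignored, so selinux=0 still enables
    return None              # nothing specified on the command line

def selinux_from_cmdline_fixed(args):
    """Model of the expected behaviour: selinux=0 disables, bare selinux enables."""
    if "noselinux" in args:
        return False
    if "selinux" in args:
        return args["selinux"] != "0"
    return None

def effective_selinux(cmdline, kickstart_disabled, interpret):
    """Command line overrides kickstart; with neither set, the default is enforcing."""
    from_cmdline = interpret(parse_cmdline(cmdline))
    if from_cmdline is not None:
        return "enforcing" if from_cmdline else "disabled"
    return "disabled" if kickstart_disabled else "enforcing"

if __name__ == "__main__":
    # Constructed boot command lines; the kickstart file contains 'selinux --disabled'.
    samples = [
        "inst.ks=http://example.invalid/ks.cfg selinux=0",
        "inst.ks=http://example.invalid/ks.cfg noselinux",
        "inst.ks=http://example.invalid/ks.cfg",
    ]
    for cmdline in samples:
        for fn in (selinux_from_cmdline_buggy, selinux_from_cmdline_fixed):
            print(f"{fn.__name__:28} {cmdline!r:55} -> "
                  f"{effective_selinux(cmdline, True, fn)}")
```

For a hardening review the relevant direction is the opposite one: an installer that treats every `selinux=` value as "enable" fails safe, while a corrected parser makes the boot command line a place where enforcement can be switched off, so it belongs in the set of inputs checked after provisioning.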

Comment 5 Adam Williamson 2015-09-14 15:38:18 UTC
A.J.: can you confirm that just using the kickstart and not the CLI parameter works? And that using the correct CLI parameter also works? Thanks.

Comment 6 Adam Williamson 2015-09-14 16:59:29 UTC
Discussed at 2015-09-14 blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2015-09-14/f23-blocker-review.2015-09-14-16.00.log.txt . Rejected as a blocker: it seems clear that the only thing here that's really a 'bug' is that anaconda doesn't interpret 'selinux=0' as expected, which is unfortunate but we agreed does not violate the criterion.

FWIW the criterion was actually only intended to require that in a 'normal' install, SELinux must be enabled. It wasn't intended to require that it be possible to disable SELinux via the installer, though I admit the wording turned out somewhat ambiguous. In any case, it seems clear that it *is* certainly possible to disable via the installer, A.J. just ran into an unfortunate corner case.

Comment 7 A.J. Werkman 2015-09-14 20:39:38 UTC
Kickstart works without the CLI parameter.

Using noselinux parameter on the commandline also works.

Comment 8 Adam Williamson 2015-09-14 21:31:23 UTC
OK, so updating the description. Thanks!

Comment 9 David Shea 2015-10-16 21:02:09 UTC
https://github.com/rhinstaller/anaconda/pull/413
