Bug 1300000 - disabling selinux in kickstartfile did not work correctly when policy packages are not installed
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: anaconda
Version: 7.2
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Anaconda Maintenance Team
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-01-19 17:30 UTC by Daniel Zabel
Modified: 2019-11-14 07:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-27 00:25:33 UTC
Target Upstream Version:
Embargoed:


Attachments
- content of /var/log/anaconda dir as tar gz (84.33 KB, application/x-gzip), 2016-02-23 08:23 UTC, Daniel Zabel
- kickstart files used for installation (2.27 KB, text/plain), 2016-02-23 08:34 UTC, Daniel Zabel
- anaconda.log extracted from anaconda.tar.gz (6.52 KB, text/plain), 2016-05-26 23:31 UTC, Brian Lane
- syslog extracted from anaconda.tar.gz (140.03 KB, text/plain), 2016-05-26 23:31 UTC, Brian Lane
- program.log extracted from anaconda.tar.gz (21.94 KB, text/plain), 2016-05-26 23:31 UTC, Brian Lane
- packaging.log extracted from anaconda.tar.gz (59.20 KB, text/plain), 2016-05-26 23:32 UTC, Brian Lane
- storage.log extracted from anaconda.tar.gz (52.23 KB, text/plain), 2016-05-26 23:32 UTC, Brian Lane
- ifcfg.log extracted from anaconda.tar.gz (2.94 KB, text/plain), 2016-05-26 23:32 UTC, Brian Lane
- journal.log extracted from anaconda.tar.gz (384.98 KB, text/plain), 2016-05-26 23:32 UTC, Brian Lane


Description Daniel Zabel 2016-01-19 17:30:38 UTC
Description of problem:
Installing a minimal system with defined "selinux --disabled" in kickstart file and in the %packages section:

-selinux-policy-targeted
-selinux-policy-mls

leads to "ERR anaconda: Error setting selinux mode: [Errno 2] No such file or directory: '/mnt/sysimage/etc/selinux/config'" during anaconda configuration.

selinux does not get disabled.


Version-Release number of selected component (if applicable):
RHEL 7.2 installed from CentOS-7-x86_64-Minimal-1511.iso

How reproducible:

see above

Comment 1 Petr Lautrbach 2016-01-19 17:37:32 UTC
It seems to be an anaconda bug which tries to read/write to a file which doesn't exist, since selinux-policy is probably not installed as a requirement for selinux-policy-targeted.

Comment 3 Jiri Konecny 2016-02-08 15:22:15 UTC
Hello Daniel,

could you please attach the logs from anaconda? They are in /tmp/*.log.

Also please provide me this information:
* Did you use graphical installation?
* Was it automatic kickstart installation?

Ideally attach your kickstart file too.

I can't reproduce it in RHEL yet, so it could be some CentOS-specific problem.

Thank you for reporting the bug.

Comment 4 Daniel Zabel 2016-02-23 08:23:29 UTC
Created attachment 1129665
content of /var/log/anaconda dir as tar gz

Comment 5 Daniel Zabel 2016-02-23 08:26:07 UTC
Hi Jiri,

sorry for the delay.

To answer your questions:

* I did not use the graphical installation; I install via text-based network installation using a kickstart file.

I will attach the kickstart file too.

Comment 6 Daniel Zabel 2016-02-23 08:34:59 UTC
Created attachment 1129671
kickstart files used for installation

I removed the crypted password

Comment 7 Jiri Konecny 2016-02-24 10:51:56 UTC
Hello,
thank you for the logs and KS, they helped me a lot. I can now reproduce the issue.

This is not an Anaconda issue. The selinux-policy is not in the core groups in the comps file, so it's downloaded and installed only when something has it as a dependency (selinux-policy-targeted or selinux-policy-mls).
When you remove these two, you are using a kickstart command which can't be used because the configuration file is not present, and we really can't just create it. We only change the configuration files; creating them is the package's responsibility.

I think this ERROR should be there, but the question is whether selinux-policy should be in the core comps group, and whether there is some use case where we do want selinux-policy without the targeted and mls packages.

This is more a question for someone who maintains the selinux-policy package.

lvrabec, could you please give us an answer to this question?

Comment 8 Petr Lautrbach 2016-02-24 10:59:17 UTC
From my POV, the reporter uses "selinux --disabled" and naturally doesn't want selinux-policy packages to be installed. anaconda could correctly handle the error when there's no such file, or just not try to modify a non-existing file.

Comment 9 Jiri Konecny 2016-02-24 11:58:47 UTC
Hi Petr,

I don't think Anaconda should do that. When you use the command to disable selinux you mean to DISABLE selinux, not "don't install selinux". These are two different things and different approaches.

To disable selinux you modify the configuration file to values where an installed selinux won't be used, but also when you install selinux it will still be disabled by the configuration files.

When you don't install selinux but install it later in the system, it will work as if nothing happened, which means it will be in enforcing state.

So using the selinux command in the KS file without the selinux configuration files leads to different behavior than it should have, so that is the error.

So if this is what he wants I should close this bug as NOTABUG.

Comment 10 Petr Lautrbach 2016-02-24 12:08:33 UTC
Daniel,

can you see the error when you use 'bootloader --append="selinux=0"' instead of 'selinux --disabled'?

Comment 12 Daniel Zabel 2016-03-30 15:45:13 UTC
Hi Petr,

I've added the suggested 'bootloader --append="selinux=0"', but the behavior is still the same.

What I want:
- a system where selinux is not enabled with a minimal set of packages.
- no selinux should be installed

I don't know if this is possible at all.
Maybe there is a better way to completely disable selinux and not install selinux packages.

From my point of view, "selinux --disabled" should be enough to completely disable selinux, even when no policy files are installed. Ending up with a system where selinux is in enforced state is not what I expect - feels like a bug.

Cheers,

Daniel

Comment 13 Petr Lautrbach 2016-03-30 15:55:00 UTC
Jiri,

I must admit that I haven't tried it, but it seems to me that anaconda tries to edit the file even when 'selinux --disabled' is not used and selinux is disabled the other way - 'bootloader --append="selinux=0"'.

Comment 14 Jiri Konecny 2016-04-11 12:18:16 UTC
Hi Daniel,

did you use 'bootloader --append="selinux=0"' without the 'selinux --disabled' command? I didn't see that error without the 'selinux --disabled' command in the KS in my testing.

You can still disable selinux with a minimal package set: you can paste this configuration file in the %post section or, as Petr said, you can use 'bootloader --append="selinux=0"' in the installation, and then selinux will be disabled from the bootloader.

About the configuration file in the %post section, I'm not quite sure that will be the exact behavior you want. I'm worried that if the configuration file is not installed then it won't be read either. You can try it and you'll see.

Comment 15 Brian Lane 2016-05-26 23:31:46 UTC
Created attachment 1162299
anaconda.log extracted from anaconda.tar.gz

Comment 16 Brian Lane 2016-05-26 23:31:52 UTC
Created attachment 1162300
syslog extracted from anaconda.tar.gz

Comment 17 Brian Lane 2016-05-26 23:31:57 UTC
Created attachment 1162301
program.log extracted from anaconda.tar.gz

Comment 18 Brian Lane 2016-05-26 23:32:03 UTC
Created attachment 1162302
packaging.log extracted from anaconda.tar.gz

Comment 19 Brian Lane 2016-05-26 23:32:08 UTC
Created attachment 1162303
storage.log extracted from anaconda.tar.gz

Comment 20 Brian Lane 2016-05-26 23:32:13 UTC
Created attachment 1162304
ifcfg.log extracted from anaconda.tar.gz

Comment 21 Brian Lane 2016-05-26 23:32:19 UTC
Created attachment 1162305
journal.log extracted from anaconda.tar.gz

Comment 22 Brian Lane 2016-05-27 00:17:07 UTC
This is operating as expected.

Using selinux --disabled tries to modify the selinux config file and prints the ERR if this fails. It is not fatal and the installation continues.

Installing with no selinux line in the kickstart means that selinux will be set up by the packages you install, and anaconda will not attempt to edit the config file. If you include:

-selinux-policy-targeted
-selinux-policy-mls

in the %packages the installed system will have selinux disabled.

Comment 23 RHEL Program Management 2016-05-27 00:25:33 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
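
A check for the outcomes discussed in this thread, as an added example that is not part of the bug report or of anaconda's code: it reads an installed tree and reports whether `/etc/selinux/config` exists, what `SELINUX=` is set to, whether `selinux=0` is on the kernel command line, and whether an anaconda log holds the error quoted in the description. The function names and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not anaconda code): report how SELinux ended up configured
# on an installed tree, using only the paths and error text from this bug.

# Print the SELINUX= value from <root>/etc/selinux/config, or "missing".
selinux_config_mode() {
    cfg="$1/etc/selinux/config"
    [ -f "$cfg" ] || { echo missing; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unset}"
}

# Succeed when the kernel command line string carries selinux=0.
cmdline_disables_selinux() {
    case " $1 " in
        *" selinux=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when an anaconda log holds the error quoted in the description.
anaconda_selinux_write_failed() {
    grep -q 'Error setting selinux mode' "$1" 2>/dev/null
}

# Combine the checks: $1 = installed root, $2 = kernel command line.
selinux_install_state() {
    mode=$(selinux_config_mode "$1")
    if cmdline_disables_selinux "$2"; then
        echo "cmdline-disabled config=$mode"
    elif [ "$mode" = missing ]; then
        echo "no-config-file"
    else
        echo "config=$mode"
    fi
}

# Constructed demo tree: a minimal install without any selinux-policy package.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
echo "ERR anaconda: Error setting selinux mode: [Errno 2] No such file or directory: '/mnt/sysimage/etc/selinux/config'" > "$demo/anaconda.log"
selinux_install_state "$demo" "ro quiet"            # no-config-file
selinux_install_state "$demo" "ro quiet selinux=0"  # cmdline-disabled config=missing
anaconda_selinux_write_failed "$demo/anaconda.log" && echo "kickstart 'selinux' command was not applied"
rm -rf "$demo"
```

On a real system the first argument would be `/` (or `/mnt/sysimage` during installation) and the second the contents of `/proc/cmdline`; a `no-config-file` result means there was nothing for the kickstart `selinux` command to edit.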

