Red Hat Bugzilla – Bug 1300000
disabling selinux in kickstartfile did not work correctly when policy packages are not installed
Last modified: 2016-05-26 20:25:33 EDT
Description of problem:
Installing a minimal system with defined "selinux --disabled" in kickstart file and in the %packages section:
leads to "ERR anaconda: Error setting selinux mode: [Errno 2] No such file or directory: '/mnt/sysimage/etc/selinux/config'" during anaconda configuration.
selinux does not get disabled.
Version-Release number of selected component (if applicable):
RHEL 7.2 installed from CentOS-7-x86_64-Minimal-1511.iso
It seems to be an anaconda bug which tries to read/write to a file which doesn't exist, since selinux-policy is probably not installed as a requirement for selinux-policy-targeted.
Could you please attach the logs from anaconda? They are in /tmp/*.log.
Also please provide me this information:
* Did you use graphical installation?
* Was it automatic kickstart installation?
Ideally attach your kickstart file too.
I can't reproduce it in RHEL yet, so it could be some CentOS-specific problem.
Thank you for reporting the bug.
Created attachment 1129665 [details]
content of /var/log/anaconda dir as tar gz
Sorry for the delay.
To answer your questions:
* I did not use the graphical installation; I install a text-based network installation using a kickstart file.
I will attach the kickstart file too.
Created attachment 1129671 [details]
kickstart files used for installation
I removed the crypted password
Thank you for the logs and KS; they helped me a lot. I can now reproduce the issue.
This is not an Anaconda issue. The selinux-policy is not in the core groups in the comps file, so it's downloaded and installed only when something has it as a dependency (selinux-policy-targeted or selinux-policy-mls).
When you remove these two, you are using a kickstart command which can't be used because the configuration file is not present, and we really can't just create it. We only change the configuration files; creating them is the package's responsibility.
I think this ERROR should be there, but the question is whether selinux-policy should be in the core comps group, and whether there is some use case where we do want selinux-policy without the targeted and mls packages.
This is more a question for someone who maintains the selinux-policy package.
lvrabec, could you please give us an answer to this question?
From my POV, the reporter uses "selinux --disabled" and naturally doesn't want selinux-policy packages to be installed. anaconda could correctly handle the error when there's no such file, or just not try to modify a non-existing file.
I don't think Anaconda should do that. When you use the command to disable selinux, you mean to DISABLE selinux, not to not install selinux. These are two different things and different approaches.
To disable selinux you will modify the configuration file to values where installed selinux won't be used but also when you install selinux it will still be disabled by configuration files.
When you don't install selinux but you will install it later in the system it will work as nothing happened which means it will be in enforcing state.
So using the selinux command in the KS file without the configuration files of selinux leads to different behavior than it should have, so it is an error.
So if this is what he wants I should close this bug as NOTABUG.
Can you see the error when you use 'bootloader --append="selinux=0"' instead of 'selinux --disabled'?
I've added the suggested 'bootloader --append="selinux=0"', but the behavior is still the same.
What I want:
- a system where selinux is not enabled with a minimal set of packages.
- no selinux should be installed
I don't know if this is possible at all.
Maybe there is a better way to completely disable selinux and not install selinux packages.
From my point of view, "selinux --disabled" should be enough to completely disable selinux, even when no policy files are installed. Ending up with a system where selinux is in enforced state is not what I expect - feels like a bug.
I must admit that I haven't tried it, but it seems to me that anaconda tries to edit the file even when 'selinux --disabled' is not used and selinux is disabled the other way - 'bootloader --append="selinux=0"'.
Did you use 'bootloader --append="selinux=0"' without the 'selinux --disabled' command? I didn't see that error without the 'selinux --disabled' command in the KS in my testing.
You can still disable selinux with a minimal package set: you can still paste this configuration file in the %post section or, as Petr said, you can use 'bootloader --append="selinux=0"' in the installation and then selinux will be disabled from the bootloader.
About the configuration file in the %post section, I'm not quite sure if that will be the exact behavior that you want. I'm worried that if the configuration file is not installed then it won't be read either. You can try it and you'll see.
Created attachment 1162299 [details]
anaconda.log extracted from anaconda.tar.gz
Created attachment 1162300 [details]
syslog extracted from anaconda.tar.gz
Created attachment 1162301 [details]
program.log extracted from anaconda.tar.gz
Created attachment 1162302 [details]
packaging.log extracted from anaconda.tar.gz
Created attachment 1162303 [details]
storage.log extracted from anaconda.tar.gz
Created attachment 1162304 [details]
ifcfg.log extracted from anaconda.tar.gz
Created attachment 1162305 [details]
journal.log extracted from anaconda.tar.gz
This is operating as expected.
Using selinux --disabled tries to modify the selinux config file and prints the ERR if this fails. It is not fatal and the installation continues.
Installing with no selinux line in the kickstart means that selinux will be set up by the packages you install, and anaconda will not attempt to edit the config file. If you include:
in the %packages the installed system will have selinux disabled.
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
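
A pre-flight check for the conflict discussed in this thread, as an added example that is not part of the original bug report or of anaconda's code: it flags a kickstart that uses the `selinux` command while excluding both policy packages, and one that excludes them without `selinux=0` on the kernel command line. The function names, finding codes and sample kickstart are constructed for illustration; the package names and the dependency behaviour are taken from the comments above.

```python
import shlex

# Per the thread, selinux-policy is only pulled in as a dependency of these two.
POLICY_FLAVOURS = {"selinux-policy-targeted", "selinux-policy-mls"}

def parse_kickstart(text):
    """Return (selinux_mode, excluded_packages, kernel_args)."""
    mode, excluded, kargs, section = None, set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            section = None if line == "%end" else line.split()[0]
        elif section == "%packages":
            if line.startswith("-"):
                excluded.add(line[1:].strip())
        elif section is None:
            words = shlex.split(line)
            if words[0] == "selinux":
                mode = next((w[2:] for w in words[1:] if w.startswith("--")), None)
            elif words[0] == "bootloader":
                for w in words[1:]:
                    if w.startswith("--append="):
                        kargs += w.split("=", 1)[1].split()
    return mode, excluded, kargs

def lint(text):
    mode, excluded, kargs = parse_kickstart(text)
    findings = []
    no_config = POLICY_FLAVOURS <= excluded or "selinux-policy" in excluded
    if mode and no_config:
        # anaconda edits /etc/selinux/config but never creates it
        findings.append("SELINUX_CMD_WITHOUT_CONFIG")
    if no_config and "selinux=0" not in kargs:
        # no config file and no kernel argument: nothing records "disabled"
        findings.append("NO_PERSISTENT_DISABLE")
    return findings

# Constructed sample, not the reporter's attached kickstart file.
SAMPLE = """\
selinux --disabled
bootloader --location=mbr
%packages
-selinux-policy-targeted
-selinux-policy-mls
%end
"""

print(lint(SAMPLE))
```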