Bug 1300000 - disabling selinux in kickstartfile did not work correctly when policy packages are not installed
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: anaconda
Version: 7.2
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Anaconda Maintenance Team
QA Contact: Release Test Team
Reported: 2016-01-19 12:30 EST by Daniel Zabel
Modified: 2016-05-26 20:25 EDT
Doc Type: Bug Fix
Last Closed: 2016-05-26 20:25:33 EDT
Type: Bug


Attachments
* content of /var/log/anaconda dir as tar gz (84.33 KB, application/x-gzip), 2016-02-23 03:23 EST, Daniel Zabel
* kickstart files used for installation (2.27 KB, text/plain), 2016-02-23 03:34 EST, Daniel Zabel
* anaconda.log extracted from anaconda.tar.gz (6.52 KB, text/plain), 2016-05-26 19:31 EDT, Brian Lane
* syslog extracted from anaconda.tar.gz (140.03 KB, text/plain), 2016-05-26 19:31 EDT, Brian Lane
* program.log extracted from anaconda.tar.gz (21.94 KB, text/plain), 2016-05-26 19:31 EDT, Brian Lane
* packaging.log extracted from anaconda.tar.gz (59.20 KB, text/plain), 2016-05-26 19:32 EDT, Brian Lane
* storage.log extracted from anaconda.tar.gz (52.23 KB, text/plain), 2016-05-26 19:32 EDT, Brian Lane
* ifcfg.log extracted from anaconda.tar.gz (2.94 KB, text/plain), 2016-05-26 19:32 EDT, Brian Lane
* journal.log extracted from anaconda.tar.gz (384.98 KB, text/plain), 2016-05-26 19:32 EDT, Brian Lane

Description Daniel Zabel 2016-01-19 12:30:38 EST
Description of problem:
Installing a minimal system with defined "selinux --disabled" in kickstart file and in the %packages section:

-selinux-policy-targeted
-selinux-policy-mls

leads to "ERR anaconda: Error setting selinux mode: [Errno 2] No such file or directory: '/mnt/sysimage/etc/selinux/config'" during anaconda configuration.

selinux does not get disabled.


Version-Release number of selected component (if applicable):
RHEL 7.2 installed from CentOS-7-x86_64-Minimal-1511.iso

How reproducible:

see above
Comment 1 Petr Lautrbach 2016-01-19 12:37:32 EST
It seems to be an anaconda bug which tries to read/write to a file which doesn't exist, since selinux-policy is probably not installed as a requirement for selinux-policy-targeted.
Comment 3 Jiri Konecny 2016-02-08 10:22:15 EST
Hello Daniel,

Could you please attach the logs from anaconda? They are in /tmp/*.log.

Also, please provide me with this information:
* Did you use graphical installation?
* Was it automatic kickstart installation?

Ideally attach your kickstart file too.

I can't reproduce it in RHEL yet, so it could be some CentOS-specific problem.

Thank you for reporting the bug.
Comment 4 Daniel Zabel 2016-02-23 03:23 EST
Created attachment 1129665
content of /var/log/anaconda dir as tar gz
Comment 5 Daniel Zabel 2016-02-23 03:26:07 EST
Hi Jiri,

Sorry for the delay.

To answer your questions:

* I did not use the graphical installation; I installed with a text-based network installation using a kickstart file.

I will attach the kickstart file too.
Comment 6 Daniel Zabel 2016-02-23 03:34 EST
Created attachment 1129671
kickstart files used for installation

I removed the crypted password.
Comment 7 Jiri Konecny 2016-02-24 05:51:56 EST
Hello,
thank you for the logs and KS, they helped me a lot. I can now reproduce the issue.

This is not an Anaconda issue. The selinux-policy is not in the core groups in the comps file, so it's downloaded and installed only when something has it as a dependency (selinux-policy-targeted or selinux-policy-mls).
When you remove these two, you are using a kickstart command which can't be used because the configuration file is not present, and we really can't just create it. We only change the configuration files; creating them is the package's responsibility.

I think this ERROR should be there, but the question is whether selinux-policy should be in the core comps group. If there is some use case where we do want selinux-policy without the targeted and mls packages.

This is more a question for someone who maintains the selinux-policy package.

lvrabec, could you please give us an answer to this question?
Comment 8 Petr Lautrbach 2016-02-24 05:59:17 EST
From my POV, the reporter uses "selinux --disabled" and naturally doesn't want selinux-policy packages to be installed. Anaconda could correctly handle the error when there's no such file, or just not try to modify a non-existent file.
Comment 9 Jiri Konecny 2016-02-24 06:58:47 EST
Hi Petr,

I don't think Anaconda should do that. When you use the command to disable selinux, you mean to DISABLE selinux, not to not install selinux. These are two different things and different approaches.

To disable selinux, you modify the configuration file to values where an installed selinux won't be used, but also when you install selinux it will still be disabled by the configuration files.

When you don't install selinux but install it later in the system, it will work as if nothing happened, which means it will be in the enforcing state.

So using the selinux command in the KS file without the selinux configuration files leads to different behavior than it should have, so it is an error.

So if this is what he wants I should close this bug as NOTABUG.
Comment 10 Petr Lautrbach 2016-02-24 07:08:33 EST
Daniel,

Can you see the error when you use 'bootloader --append="selinux=0"' instead of 'selinux --disabled'?
Comment 12 Daniel Zabel 2016-03-30 11:45:13 EDT
Hi Petr,

I've added the suggested 'bootloader --append="selinux=0"', but the behavior is still the same.

What I want:
- a system where selinux is not enabled with a minimal set of packages.
- no selinux should be installed

I don't know if this is possible at all.
Maybe there is a better way to completely disable selinux and not install selinux packages.

From my point of view, "selinux --disabled" should be enough to completely disable selinux, even when no policy files are installed. Ending up with a system where selinux is in enforced state is not what I expect - feels like a bug.

Cheers,

Daniel
Comment 13 Petr Lautrbach 2016-03-30 11:55:00 EDT
Jiri,

I must admit that I haven't tried it, but it seems to me that anaconda tries to edit the file even when 'selinux --disabled' is not used and selinux is disabled the other way - 'bootloader --append="selinux=0"'.
Comment 14 Jiri Konecny 2016-04-11 08:18:16 EDT
Hi Daniel,

Did you use 'bootloader --append="selinux=0"' without the 'selinux --disabled' command? I didn't see that error without the 'selinux --disabled' command in the KS in my testing.

You can still disable selinux with a minimal package set: you can still paste this configuration file in the %post section or, as Petr said, you can use 'bootloader --append="selinux=0"' in the installation, and then selinux will be disabled from the bootloader.

About the configuration file in the post section, I'm not quite sure if that will be the exact behavior that you want. I'm worried that if the configuration file is not installed then it won't be read either. You can try it and you'll see.
Comment 15 Brian Lane 2016-05-26 19:31:46 EDT
Created attachment 1162299
anaconda.log extracted from anaconda.tar.gz
Comment 16 Brian Lane 2016-05-26 19:31:52 EDT
Created attachment 1162300
syslog extracted from anaconda.tar.gz
Comment 17 Brian Lane 2016-05-26 19:31:57 EDT
Created attachment 1162301
program.log extracted from anaconda.tar.gz
Comment 18 Brian Lane 2016-05-26 19:32:03 EDT
Created attachment 1162302
packaging.log extracted from anaconda.tar.gz
Comment 19 Brian Lane 2016-05-26 19:32:08 EDT
Created attachment 1162303
storage.log extracted from anaconda.tar.gz
Comment 20 Brian Lane 2016-05-26 19:32:13 EDT
Created attachment 1162304
ifcfg.log extracted from anaconda.tar.gz
Comment 21 Brian Lane 2016-05-26 19:32:19 EDT
Created attachment 1162305
journal.log extracted from anaconda.tar.gz
Comment 22 Brian Lane 2016-05-26 20:17:07 EDT
This is operating as expected.

Using selinux --disabled tries to modify the selinux config file and prints the ERR if this fails. It is not fatal and the installation continues.

Installing with no selinux line in the kickstart means that selinux will be set up by the packages you install, and anaconda will not attempt to edit the config file. If you include:

-selinux-policy-targeted
-selinux-policy-mls

in the %packages the installed system will have selinux disabled.
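
Added example (not anaconda's code and not posted by anyone in this bug): a POSIX shell check, usable from a kickstart %post script or on a booted host, that tells apart the outcomes discussed in comments 9 and 22: a config file with a mode, no config file at all, and selinux=0 on the kernel command line. The function names and the ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not anaconda code. ROOT (first argument) is an assumption:
# /mnt/sysimage from %post --nochroot, or / on a booted system.

# Print the SELINUX= mode in ROOT/etc/selinux/config, or "missing" when
# no installed package has shipped the file.
selinux_config_mode() {
    cfg="$1/etc/selinux/config"
    [ -f "$cfg" ] || { echo missing; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unset}"
}

# Edit the mode only when the file already exists; never create it.
# Returns 2 when the file is absent so the caller can fail loudly
# instead of assuming the host was configured.
set_selinux_mode() {
    cfg="$1/etc/selinux/config"
    case "$2" in enforcing|permissive|disabled) ;; *) return 1 ;; esac
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*SELINUX=' "$cfg"; then
        sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; echo "SELINUX=$2"; } > "$tmp"
    fi
    # Write back through cat so the inode, mode and label are kept.
    cat "$tmp" > "$cfg"; st=$?
    rm -f "$tmp"
    return "$st"
}

# True when the kernel command line passed as $1 carries selinux=0.
cmdline_disables_selinux() {
    case " $1 " in *" selinux=0 "*) return 0 ;; *) return 1 ;; esac
}

# One-line verdict for ROOT ($1) and a kernel command line ($2).
selinux_audit() {
    mode=$(selinux_config_mode "$1")
    if cmdline_disables_selinux "$2"; then echo "off-by-cmdline config=$mode"
    elif [ "$mode" = missing ]; then echo "no-config"
    else echo "config=$mode"
    fi
}
```

On a booted host the audit can be run as selinux_audit / "$(cat /proc/cmdline)"; a "no-config" verdict is the case comment 9 describes, where nothing records the intended mode if a policy package is installed later.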
Comment 23 RHEL Product and Program Management 2016-05-26 20:25:33 EDT
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.