Bug 145881 - ananconda: no selinux=0 when Disable SELinux is selected
Summary: ananconda: no selinux=0 when Disable SELinux is selected
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda   
(Show other bugs)
Version: 3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Mike McLean
Keywords: Reopened
Depends On:
TreeView+ depends on / blocked
Reported: 2005-01-23 00:36 UTC by Jeff Moe (jebba)
Modified: 2009-07-21 14:46 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-07-21 14:42:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jeff Moe (jebba) 2005-01-23 00:36:36 UTC
Description of problem:
When an install is performed and SELinux is selected to be disabled in
anaconda it does /not/ set "selinux=0" in grub.conf.

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Do a fresh install (i did Custom Minimal, fwiw)
2. Select SELinux: Disable
3. Reboot
4. Check grub.conf or dmesg
Actual results:
There is no selinux=0 in /etc/grub.conf. Note, that selinux does get
disabled, but after it initializes and starts in permissive mode.
$ dmesg | grep selinux -i
SELinux:  Initializing
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
SELinux:  Registering netfilter hooks
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks

When selinux=0, boot looks like:
$ dmesg | grep selinux -i
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks

Note, anaconda-ks.cfg shows that it was selected as disabled:
selinux --disabled

Expected results:
SELinux is completely disabled and never starts or does anything that
could potentially wreak selinux havok.

Or even better, the word "selinux" never appears anywhere on the
system. Even with it disabled, two selinux RPMs are installed. How
about an "selinux --banished" option? ;)

Additional info:
Perhaps the best way to do this is to make:
bootloader --location=mbr --append="rhgb quiet"
bootloader --location=mbr --append="rhgb quiet selinux=0"

Comment 1 Jeremy Katz 2005-01-23 00:48:52 UTC
selinux disabled turns it off in the SELinux config file which then
disables things very early in init before it ever matters.  Boot
loader entries are extremely problematic in a lot of cases.

Comment 2 Jeff Moe (jebba) 2009-07-21 10:24:29 UTC
Actually NOTABUG, turns out to be a bug that gives local root access (without need of suid pulseaudio). Bummer.

Posted Jul 20, 2009 22:15 UTC (Mon) by spender (subscriber, #23067)
In reply to: mmap_min_addr and security modules by corbet
Parent article: Fun with NULL pointers, part 1

That's not the right check. security_file_mmap (which is either set by the capabilities module or overriden by the SELinux module) is what implements the final check. The one you pasted doesn't even apply for MAP_FIXED but is just to ensure that the allocator doesn't choose an address below mmap_min_addr when only a hint is specified.

If SELinux is compiled into the kernel, it needs to be disabled at boot via the kernel command-line, otherwise it registers its hooks with LSM and overrides that of the capabilities module for security_file_mmap which performs the mmap_min_addr check.


Comment 3 Chris Lumens 2009-07-21 14:42:29 UTC
In the very long time since this bug was initially filed, a whole lot of things have changed.  For instance, we no longer offer the SELinux screen in anaconda because it's now an integral component of a Fedora system.  If you pass selinux=0 on the kernel command line when you install, it will get passed to the final installed system.

For this particular SELinux issue, you need to take that up with the SELinux guys.

Note You need to log in before you can comment on or make changes to this bug.