Bug 145881 - ananconda: no selinux=0 when Disable SELinux is selected
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Anaconda Maintenance Team
Mike McLean
Reported: 2005-01-22 19:36 EST by Jeff Moe (jebba)
Modified: 2009-07-21 10:46 EDT (History)

Doc Type: Bug Fix
Last Closed: 2009-07-21 10:42:29 EDT


Attachments: None
Description Jeff Moe (jebba) 2005-01-22 19:36:36 EST
Description of problem:
When an install is performed and SELinux is selected to be disabled in
anaconda it does /not/ set "selinux=0" in grub.conf.

Version-Release number of selected component (if applicable):
anaconda-10.1.0.2-1

Steps to Reproduce:
1. Do a fresh install (I did Custom Minimal, fwiw)
2. Select SELinux: Disable
3. Reboot
4. Check grub.conf or dmesg
  
Actual results:
There is no selinux=0 in /etc/grub.conf. Note that selinux does get
disabled, but only after it initializes and starts in permissive mode.
$ dmesg | grep selinux -i
SELinux:  Initializing
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
SELinux:  Registering netfilter hooks
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks

When selinux=0, boot looks like:
$ dmesg | grep selinux -i
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks

Note that anaconda-ks.cfg shows that it was selected as disabled:
selinux --disabled

Expected results:
SELinux is completely disabled and never starts or does anything that
could potentially wreak selinux havoc.

Or even better, the word "selinux" never appears anywhere on the
system. Even with it disabled, two selinux RPMs are installed. How
about a "selinux --banished" option? ;)

Additional info:
Perhaps the best way to do this is to make:
bootloader --location=mbr --append="rhgb quiet"
into
bootloader --location=mbr --append="rhgb quiet selinux=0"
Comment 1 Jeremy Katz 2005-01-22 19:48:52 EST
selinux disabled turns it off in the SELinux config file which then
disables things very early in init before it ever matters.  Boot
loader entries are extremely problematic in a lot of cases.
Comment 2 Jeff Moe (jebba) 2009-07-21 06:24:29 EDT
Actually NOTABUG, turns out to be a bug that gives local root access (without need of suid pulseaudio). Bummer.

http://lwn.net/Articles/342460/
Posted Jul 20, 2009 22:15 UTC (Mon) by spender (subscriber, #23067)
In reply to: mmap_min_addr and security modules by corbet
Parent article: Fun with NULL pointers, part 1

That's not the right check. security_file_mmap (which is either set by the capabilities module or overridden by the SELinux module) is what implements the final check. The one you pasted doesn't even apply for MAP_FIXED but is just to ensure that the allocator doesn't choose an address below mmap_min_addr when only a hint is specified.

If SELinux is compiled into the kernel, it needs to be disabled at boot via the kernel command-line, otherwise it registers its hooks with LSM and overrides that of the capabilities module for security_file_mmap which performs the mmap_min_addr check.

-Brad
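As an added example, not part of the bug report or of anaconda itself: a small Python check that tells the two dmesg patterns quoted in the description apart (SELinux initialised and registered its hooks before being disabled, versus never initialised because selinux=0 was on the kernel command line) and reports which mechanism asked for the disable. The command lines, /etc/selinux/config contents and dmesg text below are constructed for the example, modelled on the output in the report.

```python
import re

# Constructed sample inputs modelled on the dmesg excerpts in the bug report
# (not taken from a live system).
DMESG_CONFIG_DISABLED = """\
SELinux:  Initializing
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
SELinux:  Registering netfilter hooks
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks
"""
DMESG_BOOT_DISABLED = """\
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks
"""
CMDLINE_BOOT = "ro root=LABEL=/ rhgb quiet selinux=0"
CMDLINE_PLAIN = "ro root=LABEL=/ rhgb quiet"
CONFIG_DISABLED = "# state of SELinux on the system\nSELINUX=disabled\nSELINUXTYPE=targeted\n"
CONFIG_ENFORCING = "SELINUX=enforcing\nSELINUXTYPE=targeted\n"


def cmdline_disables_selinux(cmdline):
    """True if the kernel command line carries the selinux=0 token."""
    return "selinux=0" in cmdline.split()


def config_disables_selinux(config_text):
    """True if /etc/selinux/config sets SELINUX=disabled (comments ignored)."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower() == "disabled"
    return False


def classify_selinux_state(cmdline, config_text, dmesg_text):
    """Return (state, sources): how SELinux ended up, and who asked for it.

    'disabled-at-boot'   : no 'Initializing' line, so SELinux never registered
                           its LSM hooks (second dmesg pattern in the report).
    'disabled-after-init': it initialised in permissive mode and registered
                           hooks first (first pattern; the case Comment 2 raises).
    'enabled'            : no 'Disabled at runtime' message at all.
    """
    initialised = re.search(r"^SELinux:\s+Initializing", dmesg_text, re.M) is not None
    disabled = re.search(r"^SELinux:\s+Disabled at runtime", dmesg_text, re.M) is not None
    sources = []
    if cmdline_disables_selinux(cmdline):
        sources.append("kernel-cmdline")
    if config_disables_selinux(config_text):
        sources.append("config-file")
    if not disabled:
        return "enabled", sources
    return ("disabled-after-init" if initialised else "disabled-at-boot"), sources
```

On a real machine the three inputs come from /proc/cmdline, /etc/selinux/config and `dmesg`; a result of "disabled-after-init" with only "config-file" as the source is exactly the situation the original report describes.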
Comment 3 Chris Lumens 2009-07-21 10:42:29 EDT
In the very long time since this bug was initially filed, a whole lot of things have changed.  For instance, we no longer offer the SELinux screen in anaconda because it's now an integral component of a Fedora system.  If you pass selinux=0 on the kernel command line when you install, it will get passed to the final installed system.

For this particular SELinux issue, you need to take that up with the SELinux guys.
