Bug 177639 - Disable SELinux in firstboot fails.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Chris Lumens
Blocks: FC5Blocker
Reported: 2006-01-12 11:37 EST by David Woodhouse
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2006-02-08 15:09:53 EST
Attachments: None
Description David Woodhouse 2006-01-12 11:37:31 EST
I asked for no selinux. It seems to have ignored me... I have random failures
which I usually associate with selinux, and this kind of thing in
/var/log/audit/audit.log...


type=AVC msg=audit(1137083751.862:271): avc:  denied  { connectto } for 
pid=2845 comm="cups-config-dae" name="system_bus_socket"
scontext=system_u:system_r:cupsd_config_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=unix_stream_socket

This is still my first boot -- should I have to reboot before SELinux is
disabled? If so, that should be documented (or the SELinux choice should be done in
anaconda instead of firstboot).
Comment 1 Chris Lumens 2006-01-16 14:13:46 EST
Dan - the problem here is that when someone sets SELinux to disabled from the
default of enforcing in firstboot, I'm not running any sort of program to
disable it.  All that happens is that /etc/sysconfig/selinux is modified so that
it will be disabled on the next reboot.  Is there any action I can take to
disable it immediately?
Comment 2 Daniel Walsh 2006-01-16 22:11:36 EST
No the best you can do is disable enforcing mode until the next reboot.

setenforce 0

Unmounting /selinux might also cause is_selinux_enabled to start returning errors
or to report that it is not enabled, but I am not sure this would be stable.

Dan
Comment 3 David Woodhouse 2006-01-17 04:38:51 EST
This worked perfectly when it was done in anaconda before we booted into the
'live' system. Why was it changed?
Comment 4 David Woodhouse 2006-02-07 04:45:17 EST
Still happening in current rawhide. I turn off selinux in firstboot, but still
am not permitted to do things like loading libraries from /lib64...

audit(1139323154.689:89): avc:  denied  { search } for  pid=2652 comm="gpm"
name="lib64" dev=sda5 ino=1729921 scontext=system_u:system_r:gpm_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir

That's a separate selinux bug, of course -- but since I've _never_ had a working
system with selinux, the feature I _really_ want is to be able to just disable it.
Comment 5 Daniel Walsh 2006-02-07 09:46:47 EST
firstboot should force a reboot if you disable selinux, since this is the only
way to disable it once it is running.  It should also run setenforce 0 before it
reboots, since strange things can happen before the reboot.

David,
Please report the bugs that you have had to get your machine running with
SELinux enabled.  If you are hitting these bugs, others are probably as well.
As far as the AVC message you are showing above, this is a serious problem,
since it indicates /lib64 was never labeled.  Looks like an installation problem
if this is a fresh install.
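The behaviour Comments 1, 2 and 5 converge on (record the choice in the sysconfig file, drop to permissive with setenforce 0, and force a reboot because "disabled" cannot take effect on a running kernel), written out as an added shell example. This is not firstboot's or system-config-securitylevel's own code; the config path is passed in, the function names are this example's own, and the selinuxfs paths checked are /sys/fs/selinux (current kernels) and /selinux (as in the thread).

```shell
# Added example, not firstboot's code: apply the user's SELinux choice as the
# thread recommends. Config file path and all function names are assumptions.
set -eu
# Current runtime mode, read from the selinuxfs "enforce" node if mounted.
# Prints enforcing|permissive|disabled, like getenforce(8).
runtime_mode() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then
            case "$(cat "$f")" in 1) echo enforcing ;; *) echo permissive ;; esac
            return 0
        fi
    done
    echo disabled
}
# Rewrite (or append) the SELINUX= line in sysconfig-style file $1 to mode $2,
# leaving comments and SELINUXTYPE= untouched. Rejects unknown modes.
set_config_mode() {
    cfg=$1; mode=$2
    case "$mode" in enforcing|permissive|disabled) ;; *) return 1 ;; esac
    if grep -q '^SELINUX=' "$cfg"; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp"
    else
        { cat "$cfg"; echo "SELINUX=$mode"; } > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}
# Read the SELINUX= value back from config file $1.
config_mode() { sed -n 's/^SELINUX=//p' "$1" | tail -n 1; }
# Returns 0 when a reboot is needed: any change to or from "disabled" (Comment 2).
# enforcing<->permissive can be switched live. $2 (runtime mode) is optional.
reboot_needed() {
    want=$1; have=${2:-$(runtime_mode)}
    [ "$want" = disabled ] && [ "$have" != disabled ] && return 0
    [ "$want" != disabled ] && [ "$have" = disabled ] && return 0
    return 1
}
# Comment 5's behaviour: record the choice, setenforce 0 if currently enforcing,
# and tell the caller whether a reboot is required. Prints "reboot" or "live".
apply_choice() {
    cfg=$1; want=$2; have=$(runtime_mode)
    set_config_mode "$cfg" "$want"
    if reboot_needed "$want" "$have"; then
        [ "$have" = enforcing ] && command -v setenforce >/dev/null && setenforce 0
        echo reboot
    else
        echo live
    fi
}
```

On a real system `apply_choice /etc/sysconfig/selinux disabled` leaves the config set for the next boot and the running kernel in permissive mode, which is the most that can be done without rebooting.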
Comment 6 David Woodhouse 2006-02-07 09:58:43 EST
I think I did report the /lib64 bug already somewhere, or I was told that it had
already been reported. It's a fresh install -- it's easy enough to reproduce.
Comment 7 David Woodhouse 2006-03-03 08:55:38 EST
firstboot now does seem to want to force a reboot when I disable selinux --
that's fine. But it's also telling me that the entire file system will need to
be relabelled. That's strange, since selinux is being disabled.
Comment 8 Chris Lumens 2006-03-03 09:53:16 EST
That's a generic warning message that appears.  I can change this after FC5 when
we're free to mess with strings again.