Description of problem:
A default install of rawhide for Fedora 8 (Oct.19, 2007) has Disabled as the selinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-24.fc8

How reproducible:
always

Steps to Reproduce:
1. create install DVD via Example from "man pungi":
   pungi -c /usr/share/pungi/f8-fedora.ks --destdir=/data/Fedora8 --name Fedora --ver 8
2. burn DVD and install default Internet and Office Productivity
3. boot installed system

Actual results:
The firstboot screen for choosing SELinux policy has Disabled as the default, and suggests that most people should use the default. After taking the default, then logging in:
-----
$ /usr/sbin/selinuxenabled
$ echo $?
1    ### disabled
$
-----

Expected results:
Enabled should be the default policy.

Additional info:
anaconda-11.3.0.42-1
anaconda-runtime-11.3.0.42-1
pungi-1.1.6-1.fc8
Why is pungi doing this?
pungi isn't. Pungi can't adjust what the package defaults are, or anaconda's defaults. I've done multiple rawhide installs and multiple installs from pungi created trees (which pungi is used to create rawhide) and none of them exhibit this behavior. John, did you use any special boot flags or anything?
Often I append " vga=791" to the boot command line, so that I get 128x48 text console (for longer history on text screen). Otherwise, no other flags. This might be related to Bug # 343861, where anaconda "Can't load policy: no such file or directory" because policycoreutils is not where it needs to be on the DVD. So SELinux would be disabled during the initial install; perhaps this setting carries over into firstboot?
Hrm, did you modify the kickstart file used to create the spin? If there is no policycoreutils then SElinux can't be enabled.
I made two modifications to /usr/share/pungi/f8-fedora.ks of pungi-1.1.6-1.fc8:
1. "part iso --size=677" in order to create CDs <= 709,885,952 bytes. (I also add "--discs=3" to the command line arguments for pungi on x86, and "--discs=4" for x86_64.)
2. comment-out all the lines "@ <language>-support".
"policycoreutils" does not appear in /usr/share/pungi/f8-fedora.ks . I'll add it (after "kernel*") and re-spin.
Running 'top' on vtty2 during "Starting install process. This make take several minutes...", then I see this command line:
-----
/usr/bin/python /usr/bin/anaconda -m cdrom:://scd0:/mnt/source \
    --graphical --noselinux
-----
What is the "--noselinux" doing there?
that's got to be something generated at compose time. My recent pungi spins show that --selinux is being passed, using the .ks that comes in the current pungi package in rawhide. The machine you're composing on, does it have selinux enabled? It needs to at least be in permissive mode.
I just did a compose for i386 from today's rawhide. pungi-1.1.6-1.fc8, composing with SELinux enabled (/usr/sbin/selinuxenabled gives shell return code of 0, which is *true* in shell). Booting the DVD and installing still shows "--noselinux" as the last parameter on the command line to anaconda. What other inputs determine that last parameter "--noselinux"?
I'm not actually sure. That all falls out of anaconda-runtime. Jeremy, any thoughts here?
I really can't duplicate this issue. My only suggestion is to start with a fresh install or fresh chroot to do the compose.
Please re-open; I can reproduce this every time. I re-ran pungi under a fresh install of released Fedora 8 with default configuration (base Internet plus Office and Productivity; plus "yum install pungi"), and the pungi-generated DVD still installs SELinux disabled as default. The .ks kickstart file for pungi was modified with "part_size=666" to force generation of CDs (although the install was done using the generated DVD), the repos were specified as the Fedora 8 release mirrorlist, and all the "@ <language>-support" lines were commented out with '## ' at the beginning, and "--discs=5" was appended to the Example command line from "man pungi".
Here is the output from "ps ax" run as soon as vty2 gives a shell prompt during install from pungi-DVD. Captured by plugging in a USB flash storage device before boot, then mounting the device explicitly on a new directory /mnt/key, changing directory to /mnt/key, and using the command "ps ax > ps_ax-anaconda.out":
-----
  PID TTY      STAT   TIME COMMAND
    1 tty1     Ss+    0:00 /init
    2 ?        S<     0:00 [kthreadd]
    3 ?        S<     0:00 [migration/0]
    4 ?        S<     0:00 [ksoftirqd/0]
    5 ?        S<     0:00 [watchdog/0]
    6 ?        S<     0:00 [events/0]
    7 ?        S<     0:00 [khelper]
   58 ?        S<     0:00 [kblockd/0]
   61 ?        S<     0:00 [kacpid]
   62 ?        S<     0:00 [kacpi_notify]
  204 ?        S<     0:00 [cqueue/0]
  206 ?        S<     0:00 [ksuspend_usbd]
  211 ?        S<     0:00 [khubd]
  214 ?        S<     0:00 [kseriod]
  249 ?        S      0:00 [pdflush]
  250 ?        S      0:00 [pdflush]
  251 ?        S<     0:00 [kswapd0]
  303 ?        S<     0:00 [aio/0]
  397 ?        S<     0:00 [khvcd]
  462 ?        S<     0:00 [kpsmoused]
  474 tty1     S+     0:00 /init
  475 tty1     S+     0:02 /sbin/loader
  519 ?        S<     0:00 [rpciod/0]
  624 ?        S<     0:00 [ata/0]
  625 ?        S<     0:00 [ata_aux]
  629 ?        S<     0:00 [scsi_eh_1]
  630 ?        S<     0:00 [scsi_eh_2]
  634 ?        S<     0:00 [scsi_eh_3]
  635 ?        S<     0:00 [scsi_eh_4]
  639 ?        S<     0:00 [scsi_eh_5]
  640 ?        S<     0:00 [usb-storage]
  647 ?        S<     0:00 [loop0]
  649 tty2     Ss     0:00 -/bin/sh
  689 ?        S<     0:00 [jfsIO]
  690 ?        S<     0:00 [jfsCommit]
  691 ?        S<     0:00 [jfsSync]
  695 ?        S<     0:00 [xfslogd/0]
  696 ?        S<     0:00 [xfsdatad/0]
  697 ?        S<     0:00 [xfs_mru_cache]
  710 ?        S<     0:00 [ksnapd]
  714 ?        S<     0:00 [kmpathd/0]
  724 ?        Ss     0:00 /sbin/loader
  725 tty1     S+     0:03 /usr/bin/python /usr/bin/anaconda -m cdrom://scd1:/mnt/source --graphical --noselinux
  726 tty1     S+     0:00 /usr/bin/python /usr/bin/anaconda -m cdrom://scd1:/mnt/source --graphical --noselinux
  727 ?        S<     0:00 [kauditd]
  729 tty6     Ss+    0:00 /usr/bin/Xorg -logfile /tmp/ramfs/X.log :1 vt6 -config /tmp/XConfig.test -extension Composite -s 1440 -dpms -v -ac -nolisten tcp -screen Anaconda -dpi 96 -br
  731 tty1     S+     0:00 //usr/bin/mini-wm --display :1
  739 tty2     R+     0:00 ps ax
-----
Note the "--noselinux" command line parameter passed to anaconda. I did not specify this. I can reproduce this every time; 4 pungi-created DVD so far, each of which installs SELinux disabled as default. If you want, I'll send one of the pungi-generated physical DVDs by USPS. My cached copy of firstboot-1.4.39-1.fc8.noarch.rpm compares equal to the one on mirrors.cat.pdx.edu.
I have a set of CD .isos for Fedora 8 made by pungi, and a set made by jigdo (fedoraunity.org.) The jigdo set installs SELinux enabled, the pungi set installs SELinux *dis*abled. Doing md5sum of all files on all CDs, and then a logical 'diff' of the two sets, shows that boot.cat, boot.iso, diskboot.img, and isolinux.bin are different. [Also: repoview/*, *sqlite*, initrd.img, .discinfo, initrd.img. Remember that I excluded all @<language>-support from my pungi set, while the jigdo set is 100% released Fedora 8.] Why would boot.cat, boot.iso, diskboot.img, isolinux.bin be different? [Also note that only the pungi set gets a message "Can't load policy: no such file or directory" very early after loading drivers. Bug 343861.]
Doing the install in text mode (instead of graphical) makes no difference: the pungi-generated DVD still installs SELinux disabled by default. Appending " vga=791" to the boot command line also makes no difference. I like the larger text console [128x43 ?] in contrast to the default [80x25], but I had to verify that it did not contribute to the problem of installing SELinux disabled by default.
(In reply to comment #11)
> 725 tty1 S+ 0:03 /usr/bin/python /usr/bin/anaconda -m
> cdrom://scd1:/mnt/source --graphical --noselinux

The "--noselinux" parameter is passed from /sbin/loader when /usr/sbin/load_policy exits with return code non-zero. Bug 343861 does apply. Re-running "strace /usr/sbin/load_policy" on vty2 shows that load_policy cannot find /etc/selinux/targeted/policy/policy.21 or any version down to .15. /etc is in /tmp/loop0 which is mounted on /mnt/runtime, a 95680-block squashfs filesystem. So that is stage2.img. Looking at stage2.img, the files in etc/selinux do not have directory targeted/policy. Why? The full file list is:
-----
.
./config
./targeted
./targeted/contexts
./targeted/contexts/customizable_types
./targeted/contexts/dbus_contexts
./targeted/contexts/default_contexts
./targeted/contexts/default_type
./targeted/contexts/failsafe_context
./targeted/contexts/files
./targeted/contexts/files/media
./targeted/contexts/initrc_context
./targeted/contexts/removable_context
./targeted/contexts/securetty_types
./targeted/contexts/userhelper_context
./targeted/contexts/users
./targeted/contexts/users/guest_u
./targeted/contexts/users/root
./targeted/contexts/users/staff_u
./targeted/contexts/users/user_u
./targeted/contexts/users/xguest_u
./targeted/modules
./targeted/modules/semanage.read.LOCK
./targeted/modules/semanage.trans.LOCK
./targeted/setrans.conf
-----
Notice those .LOCK files, which are strange. So either mksquashfs failed, or the tree did not contain any SELinux policy files. Why?
Are you by chance composing /to/ an NFS or otherwise network share?
No, the destination directory is ext3 filesystem on a local mounted harddrive (sata_nv). Composing is done on Fedora 8 final release (with updates) in SELinux targeted enforcing mode. There were several SELinux alerts; I will attach the log.
Created attachment 263591: saved log of selinux_alert.txt from pungi compose. Here is the complete log of selinux_alert.txt from the time that pungi compose was running. System was "otherwise idle" but is a default Fedora 8 (plus updates) install, so cron jobs could account for something.
Just to be sure, you've tried it with permissive or disabled mode? Enforcing may very well get in the way of the compose happening cleanly.
Looks like you have a labeling problem /etc/passwd, /dev/null and files in /var/log are mislabeled. restorecon -R -v /dev/null /etc/passwd /var/log Should fix those. Looks like unconfined_t process (pungi?) is leaking a open file descriptor to the network which can probably be ignored, although the process should not leak, Also unconfined_t is creating a file in /tmp and then redirecting output from the install to that file, and this is generating the AVC messages for unconfined_tmp_t. These can probably be ignored. I think the mislabeled files above are the problem.
Before the last pungi compose, I did "touch /.autorelabel" and rebooted, and a relabeling pass was done by the boot. The SELinux contexts are:
-----
# ls -ldZ /dev/null /etc/passwd /var/log
crw-rw-rw-  root root system_u:object_r:null_device_t:s0 /dev/null
-rw-r--r--  root root system_u:object_r:etc_t:s0         /etc/passwd
drwxr-xr-x  root root system_u:object_r:var_log_t:s0     /var/log
-----
Running the suggested command from Comment #19:
-----
# /sbin/restorecon -R -v /dev/null /etc/passwd /var/log
/sbin/restorecon reset /var/log/rpmpkgs context system_u:object_r:cron_log_t:s0->system_u:object_r:rpm_log_t:s0
# ls -ldZ /dev/null /etc/passwd /var/log
crw-rw-rw-  root root system_u:object_r:null_device_t:s0 /dev/null
-rw-r--r--  root root system_u:object_r:etc_t:s0         /etc/passwd
drwxr-xr-x  root root system_u:object_r:var_log_t:s0     /var/log
#
-----
so it looks to me like the only change was to /var/log/rpmpkgs. I will now try another pungi compose.
Created attachment 263761: selinux_alert.txt for pungi when enforcing=0. Here is the selinux_alert.txt when running pungi on the system booted with " enforcing=0" appended to the kernel command line. (Still 'targeted' mode.) The generated stage2.img does contain /etc/selinux/targeted/policy/policy.21 , so using it should install SELinux enabled as default.
Arrggghhhh! The SELinux alert browser saved only one alert, even though I checked the boxes for all today's alerts.
So is pungi creating its own /dev/null? It seems to be labeled device_t?
Pungi isn't, but anaconda's buildinstall may be. The entire pile isn't selinux "enabled" really. A lot of time needs to be put into that, and at the same time, that pile of stuff isn't worth a lot of time, as it really needs some present day rewrite love.
Created attachment 263841: selinux_alert.txt for pungi when enforcing=0. Here are all the SELinux alerts for pungi running on a system with enforcing=0, after the relabel of a few Comments ago. The generated stage2.img squashfs has /etc/selinux/targeted/policy/policy.21, and using the DVD to install gives SELinux enabled by default.
Created attachment 263851: selinux_alert.txt for pungi when enforcing=1. These are the SELinux alerts for pungi when SELinux is enforcing (and targeted). The generated stage2.img has no /etc/selinux/targeted/policy/*, and using the DVD to install gives SELinux disabled by default. So, as a workaround, please add a check in pungi for selinux non-enforcing, just like the existing check for "must be root to run pungi."
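The two checks the thread converges on (refuse to compose while SELinux is enforcing, and verify that the produced stage2.img actually carries a targeted policy file that load_policy can find, policy.21 down to policy.15 as traced in comment 16) can be scripted as a pre-/post-compose sanity check. This is an added example, not pungi's own code or the reporter's; the function names, the use of `getenforce` for the mode and of `unsquashfs -d` to unpack stage2.img are assumptions about how the operator would wire it in.

```shell
#!/bin/sh
# Added example: sanity checks around a pungi compose for the failure
# discussed in this bug (stage2.img built without SELinux policy files
# when the compose host is enforcing, so /sbin/loader passes --noselinux).

# selinux_mode_ok MODE
#   MODE is the string `getenforce` prints on the compose host.
#   Returns 0 when a compose is expected to succeed (Permissive/Disabled),
#   1 for Enforcing, 2 for an unrecognised string.
selinux_mode_ok() {
    case "$1" in
        Permissive|Disabled) return 0 ;;
        Enforcing)           return 1 ;;
        *) echo "selinux_mode_ok: unknown mode '$1'" >&2; return 2 ;;
    esac
}

# stage2_has_policy DIR
#   DIR is the root of an unpacked stage2.img
#   (e.g. obtained with: unsquashfs -d DIR images/stage2.img).
#   Returns 0 if etc/selinux/targeted/policy/policy.NN exists for some
#   NN from 21 down to 15, the versions load_policy looked for in the
#   strace in comment 16; otherwise returns 1.
stage2_has_policy() {
    dir="$1/etc/selinux/targeted/policy"
    v=21
    while [ "$v" -ge 15 ]; do
        if [ -f "$dir/policy.$v" ]; then
            return 0
        fi
        v=$((v - 1))
    done
    return 1
}

# compose_precheck MODE DIR
#   Combines both checks and prints a human-readable verdict.
#   Returns 0 only if both pass.
compose_precheck() {
    if ! selinux_mode_ok "$1"; then
        echo "refusing to trust compose: SELinux mode is '$1' (set enforcing=0 first)" >&2
        return 1
    fi
    if ! stage2_has_policy "$2"; then
        echo "stage2 tree '$2' has no targeted policy; installs from it will run anaconda --noselinux" >&2
        return 1
    fi
    echo "ok: SELinux mode '$1', policy present under $2/etc/selinux/targeted/policy"
    return 0
}
```

In practice the first check runs before pungi with `selinux_mode_ok "$(getenforce)"`, and the second after the compose on an `unsquashfs`'d copy of images/stage2.img.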
An alternative workaround might be to generate /.autorelabel on the installed system, for the case where load_policy fails during install itself, but SELinux Enabled is still selected (by default or otherwise.) As long as the correct SELinux .rpms are installed, then the installed system could have SELinux Enabled by default even though anaconda ran with --noselinux.
I created https://hosted.fedoraproject.org/projects/pungi/ticket/63 to add an selinux check to pungi. I'm going to reassign this bug to anaconda-runtime to work out something there.
Based on the date this bug was created, it appears to have been reported during the development of Fedora 8. In order to refocus our efforts as a project we are changing the version of this bug to '8'. If this bug still exists in rawhide, please change the version back to rawhide. (If you're unable to change the bug's version, add a comment to the bug and someone will change it for you.) Thanks for your help and we apologize for the interruption. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.
This message is a reminder that Fedora 8 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 8. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '8'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 8's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 8 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Dcantrell: Chris said you were looking to rewrite this stuff, so assigning to you.
Today it works for me. Running under targeted enforcing policy on Fedora 10, I used pungi to compose an install DVD for Fedora 10 i386, without turning off selinux before(+during) the compose. The resulting DVD installed a Fedora 10 that had selinux enabled by default. It would be nice to confirm that something intentional made the process work, and then to remove the warning that pungi gives near the beginning about the need to disable selinux.
pungi-2.0.8-1.fc10.noarch
anaconda-11.4.1.62-1.i386
anaconda-yum-plugins-1.0-3.fc10.noarch
busybox-anaconda-1.10.3-3.fc10.i386
libselinux-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-utils-2.0.73-1.fc10.i386
selinux-policy-3.5.13-18.fc10.noarch
selinux-policy-targeted-3.5.13-18.fc10.noarch
You should be able to do livecd creation in F10 without disabling selinux.
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.