Description of problem: I have the line selinux --permissive in my kickstart file. This worked well for long time now. But since some time the resulting system has selinux in enforced mode. How reproducible: · Add the line above to a kickstart file · Install the system · look to /etc/selinux/config Actual results: SELINUX=enforcing Expected results: SELINUX=permissive
Can you please attach the kickstart file you're using, as well as /var/log/anaconda.log?
There are two workarounds for this bug and they are: put "setenforce 1" in the %pre section. or, once the system has finished installation execute the `setenforce 1` command. This will not go int 4.8
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.
I know how to work around the bug but that do not fix the bug at all. The problem is that the _documented_ way how to do it does not work anymore. I do not know why you declined the bug but. So please specify it a bit more.
(In reply to comment #4) > The problem is that the _documented_ way how to do it does not work anymore. I > do not know why you declined the bug but. So please specify it a bit more. It's *very* late in RHEL 4.8 release cycle. We are considering release noting this bug.
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: For rhel4.8 installations there is a known issue where the system installs with selinux in enforcing mode, even though "selinux --permissive" was present in the kickstart file. If the resulting system needs to be in permissive mode,"setenforce 1" must be added to the %pre section of the kickstart file. Or "setenforce 1" must be executed once the system has finished its reboot after installation.
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,2 +1,21 @@ -For rhel4.8 installations there is a known issue where the system installs with selinux in enforcing mode, even though "selinux --permissive" was present in the kickstart file. +Known Issue: In previous versions of Red Hat Enterprise Linux 4, adding the line -If the resulting system needs to be in permissive mode,"setenforce 1" must be added to the %pre section of the kickstart file. Or "setenforce 1" must be executed once the system has finished its reboot after installation.+ + selinux --permissive + +to a kickstart file sets selinux to permissive mode. However, this line is currently ignored by the installer, leaving selinux set to the default mode: enforcing. + +To set selinux to permissive mode during a kickstart installation, add the + + setenforce 1 + +command to the + + %pre + +section of the kickstart file. + +Alternatively, run + + setenforce 1 + +after installation is complete.
I do not see how using "setenforce 1" anywhere will cause the installed system to modify the default behavior of SELinux. setenforce is used to modify SELinux on a running system, while it is running, but does not have any persistence, nor does ti change the content of any configuration files. To make this change across a system reboot you will need to change the SELINUX= line in /etc/selinux/config with a command similar to: sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config
anaconda always runs in permissive mode, so messing with setenforce in the %pre script isn't going to do anything, just like comment #11 says.
Barry: Thx for the correction.
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -6,16 +6,17 @@ To set selinux to permissive mode during a kickstart installation, add the - setenforce 1 + sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config + command to the - %pre + %post section of the kickstart file. -Alternatively, run +Alternatively, make sure that /etc/selinux/config contains - setenforce 1 +SELINUX=enforcing after installation is complete.
For completeness .. I imagine that the selinux directive as a whole is being ignored, regardless of what mode selinux is being set to, although I have not tested this. In which case, the release note should probably state that the selinux parameter is being ignored and as such to set your system to permissive mode to include: sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config or to set SELinux to disabled mode to include: sed -i -e 's/\(^SELINUX=\)enforcing$/\1disabled/' /etc/selinux/config in the %post section of your kickstart file. In a related note, it may be worth checking to see if this issue occurs in an interactive install, or only in a kickstart.
I believe this should read: Alternatively, make sure that /etc/selinux/config contains SELINUX=permissive or SELINUX=disabled based upon your desired (non-enforcing, non-default) SELinux mode .. making sure that /etc/selinux/config contains SELINUX=enforcing is incorrect.
lokkit --selinux=disabled will do this also, although it might muck around with iptables rules. command looks good.
I still think that giving the user the sed line is very usefull. Instead of just telling him to "make sure" with out giving anymore info. Let me do a little modification to the sed statement.
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -4,19 +4,19 @@ to a kickstart file sets selinux to permissive mode. However, this line is currently ignored by the installer, leaving selinux set to the default mode: enforcing. -To set selinux to permissive mode during a kickstart installation, add the +To set selinux to permissive or disabled mode during a kickstart installation, add the - sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config + sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config command to the %post -section of the kickstart file. +section of the kickstart file. Making sure to replace "permissive" with the required selinux mode. Alternatively, make sure that /etc/selinux/config contains -SELINUX=enforcing +SELINUX=permissive -after installation is complete.+after installation is complete. Again, making sure that "permissive" is replaced with the required selinux mode.