Bug 435300 - anaconda ignores selinux kickstart option
Summary: anaconda ignores selinux kickstart option
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: anaconda
Version: 4.8
Hardware: All
OS: Linux
low
low
Target Milestone: rc
Assignee: Anaconda Maintenance Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: RHEL4u8_relnotes
Reported: 2008-02-28 15:45 UTC by Klaus Ethgen
Modified: 2018-10-27 15:32 UTC (History)

Known Issue: In previous versions of Red Hat Enterprise Linux 4, adding the line

    selinux --permissive

to a kickstart file sets selinux to permissive mode. However, this line is currently ignored by the installer, leaving selinux set to the default mode: enforcing.

To set selinux to permissive or disabled mode during a kickstart installation, add the


    sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config

command to the

    %post

section of the kickstart file, making sure to replace "permissive" with the required selinux mode.

Alternatively, make sure that /etc/selinux/config contains

SELINUX=permissive

after installation is complete, again making sure that "permissive" is replaced with the required selinux mode.
Clone Of:
Last Closed: 2010-03-25 14:21:14 UTC



Description Klaus Ethgen 2008-02-28 15:45:08 UTC
Description of problem:
I have the line
   selinux --permissive
in my kickstart file. This worked well for a long time now. But since some time
the resulting system has selinux in enforced mode.

How reproducible:
· Add the line above to a kickstart file
· Install the system
· look to /etc/selinux/config

Actual results:
SELINUX=enforcing

Expected results:
SELINUX=permissive

Comment 1 Andy Lindeberg 2008-07-24 21:57:56 UTC
Can you please attach the kickstart file you're using, as well as
/var/log/anaconda.log?

Comment 2 Joel Andres Granados 2008-09-24 12:17:26 UTC
There are two workarounds for this bug and they are:

put "setenforce 1" in the %pre section.

or, once the system has finished installation execute the `setenforce 1` command.

This will not go into 4.8

Comment 3 RHEL Product and Program Management 2008-09-24 12:38:45 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.

Comment 4 Klaus Ethgen 2009-05-13 09:23:12 UTC
I know how to work around the bug but that does not fix the bug at all.

The problem is that the _documented_ way how to do it does not work anymore. I do not know why you declined the bug but. So please specify it a bit more.

Comment 6 Ludek Smid 2009-05-13 14:51:02 UTC
(In reply to comment #4)
> The problem is that the _documented_ way how to do it does not work anymore. I
> do not know why you declined the bug but. So please specify it a bit more.  
It's *very* late in RHEL 4.8 release cycle. We are considering release noting this bug.

Comment 8 Joel Andres Granados 2009-05-13 15:12:56 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
For rhel4.8 installations there is a known issue where the system installs with selinux in enforcing mode, even though "selinux --permissive" was present in the kickstart file.
If the resulting system needs to be in permissive mode,"setenforce 1" must be added to the %pre section of the kickstart file. Or "setenforce 1" must be executed once the system has finished its reboot after installation.

Comment 10 Ryan Lerch 2009-05-14 01:25:00 UTC
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,2 +1,21 @@
-For rhel4.8 installations there is a known issue where the system installs with selinux in enforcing mode, even though "selinux --permissive" was present in the kickstart file.
+Known Issue: In previous versions of Red Hat Enterprise Linux 4, adding the line
-If the resulting system needs to be in permissive mode,"setenforce 1" must be added to the %pre section of the kickstart file. Or "setenforce 1" must be executed once the system has finished its reboot after installation.+
+    selinux --permissive
+
+to a kickstart file sets selinux to permissive mode. However, this line is currently ignored by the installer, leaving selinux set to the default mode: enforcing.
+
+To set selinux to permissive mode during a kickstart installation, add the
+
+    setenforce 1
+
+command to the
+
+    %pre
+
+section of the kickstart file.
+
+Alternatively, run
+
+    setenforce 1
+
+after installation is complete.
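
Review bot: The added instruction "To set selinux to permissive mode during a kickstart installation, add the setenforce 1 command" uses the wrong argument for its stated goal: setenforce 1 selects enforcing, and setenforce 0 selects permissive. Either value only changes the mode of the running system and is not written to any configuration file, so neither the %pre variant nor the "Alternatively, run setenforce 1" variant yields a setting that survives a reboot. The note should direct the reader to set the SELINUX= line in /etc/selinux/config instead.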

Comment 11 Barry Brimer 2009-05-18 18:49:01 UTC
I do not see how using "setenforce 1" anywhere will cause the installed system to modify the default behavior of SELinux.  setenforce is used to modify SELinux on a running system, while it is running, but does not have any persistence, nor does it change the content of any configuration files.  To make this change across a system reboot you will need to change the SELINUX= line in /etc/selinux/config with a command similar to:

sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config

Comment 12 Chris Lumens 2009-05-19 15:12:45 UTC
anaconda always runs in permissive mode, so messing with setenforce in the %pre script isn't going to do anything, just like comment #11 says.

Comment 13 Joel Andres Granados 2009-05-19 15:47:37 UTC
Barry:

Thx for the correction.

Comment 14 Joel Andres Granados 2009-05-19 15:47:37 UTC
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -6,16 +6,17 @@
 
 To set selinux to permissive mode during a kickstart installation, add the
 
-    setenforce 1
 
+    sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config
+
 command to the
 
-    %pre
+    %post
 
 section of the kickstart file.
 
-Alternatively, run
+Alternatively, make sure that /etc/selinux/config contains
 
-    setenforce 1
+SELINUX=enforcing
 
 after installation is complete.
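
Review bot: The replacement line "SELINUX=enforcing" under "Alternatively, make sure that /etc/selinux/config contains" contradicts the purpose of the paragraph, which is to end up in permissive mode; it should read SELINUX=permissive. The new sed expression also matches only when the existing value is exactly "enforcing" with nothing after it, so on a file holding any other value it changes nothing and still exits successfully. Matching ".*$" after "SELINUX=" would cover every starting value.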

Comment 15 Barry Brimer 2009-05-19 16:36:50 UTC
For completeness .. I imagine that the selinux directive as a whole is being ignored, regardless of what mode selinux is being set to, although I have not tested this.  In which case, the release note should probably state that the selinux parameter is being ignored and as such to set your system to permissive mode to include:

sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config

or to set SELinux to disabled mode to include:

sed -i -e 's/\(^SELINUX=\)enforcing$/\1disabled/' /etc/selinux/config

in the %post section of your kickstart file.

In a related note, it may be worth checking to see if this issue occurs in an interactive install, or only in a kickstart.
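
The persistent change that comments 11 and 15 describe, as an added example that is not part of the original bug report: a %post helper that rewrites the `SELINUX=` line whatever its current value, appends the line if it is missing, and verifies the result. The function names, the `demo` sample and the optional config-path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: persist an SELinux mode from kickstart %post and verify it.
# The optional CONFIG argument is an assumption of this example, so the
# functions can be exercised on a scratch file; it defaults to the real path.

# Print the mode recorded in CONFIG (empty output if there is no SELINUX= line).
selinux_configured_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*$/\1/p' "${1:-/etc/selinux/config}" | head -n 1
}

# set_selinux_mode MODE [CONFIG]: returns 0 only if CONFIG now records MODE.
set_selinux_mode() {
    mode=$1
    conf=${2:-/etc/selinux/config}
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 3; }

    tmp=$(mktemp) || return 4
    if grep -q '^SELINUX=' "$conf"; then
        # Replace whatever value is present, not only "enforcing".
        # '^SELINUX=' cannot match the SELINUXTYPE= line.
        sed -e "s/^\(SELINUX=\).*\$/\1$mode/" "$conf" > "$tmp"
    else
        # No SELINUX= line: sed alone would change nothing and still exit 0.
        # 'awk 1' also terminates a last line that lacks a newline.
        { awk 1 "$conf"; printf 'SELINUX=%s\n' "$mode"; } > "$tmp"
    fi
    cat "$tmp" > "$conf"    # overwrite in place rather than replacing the file
    rm -f "$tmp"

    [ "$(selinux_configured_mode "$conf")" = "$mode" ]
}

# Constructed sample: a config already set to "disabled", which the
# 'enforcing$'-anchored sed quoted in the thread leaves untouched.
demo() {
    f=$(mktemp)
    printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$f"
    sed -e 's/\(^SELINUX=\)enforcing$/\1permissive/' "$f" | grep '^SELINUX='
    set_selinux_mode permissive "$f" && selinux_configured_mode "$f"
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

In a kickstart file the two functions would sit at the top of the %post section, followed by a call such as `set_selinux_mode permissive`, with a non-zero return logged as a failed configuration step.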

Comment 16 Barry Brimer 2009-05-19 17:47:05 UTC
I believe this should read:

Alternatively, make sure that /etc/selinux/config contains

SELINUX=permissive

or

SELINUX=disabled


based upon your desired (non-enforcing, non-default) SELinux mode

.. making sure that /etc/selinux/config contains

SELINUX=enforcing

is incorrect.

Comment 17 Daniel Walsh 2009-05-19 17:52:08 UTC
lokkit --selinux=disabled

will do this also, although it might muck around with iptables rules.


command looks good.

Comment 18 Joel Andres Granados 2009-05-19 17:53:28 UTC
I still think that giving the user the sed line is very useful.   Instead of
just telling him to "make sure" without giving any more info.  Let me do a
little modification to the sed statement.

Comment 19 Joel Andres Granados 2009-05-19 17:58:59 UTC
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -4,19 +4,19 @@
 
 to a kickstart file sets selinux to permissive mode. However, this line is currently ignored by the installer, leaving selinux set to the default mode: enforcing.
 
-To set selinux to permissive mode during a kickstart installation, add the
+To set selinux to permissive or disabled mode during a kickstart installation, add the
 
 
-    sed -i -e 's/\(^SELINUX=\)enforcing$/\1permissive/' /etc/selinux/config
+    sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config
 
 command to the
 
     %post
 
-section of the kickstart file.
+section of the kickstart file.  Making sure to replace "permissive" with the required selinux mode.
 
 Alternatively, make sure that /etc/selinux/config contains
 
-SELINUX=enforcing
+SELINUX=permissive
 
-after installation is complete.+after installation is complete.  Again, making sure that "permissive" is replaced with the required selinux mode.
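
Review bot: The two added sentences starting "Making sure to replace" and "Again, making sure that" are fragments and leave the reader to guess what "the required selinux mode" may be; fold each into the sentence before it and name the accepted values (enforcing, permissive, disabled). The indented sed line still hard-codes permissive while the lead sentence now says "permissive or disabled", so a reader who copies it verbatim always gets permissive. Since sed exits successfully even when no line matched, the note would also benefit from a step that checks the SELINUX= line in /etc/selinux/config after %post has run.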

Comment 20 RHEL Product and Program Management 2010-03-25 14:21:14 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.

