Red Hat Bugzilla – Bug 477059
ipa-server-install generates /etc/selinux/config, kernel panics on reboot when no selinux was previously installed
Last modified: 2010-01-20 13:36:57 EST
Description of problem:
On Fedora 10, ipa-server-install generates /etc/selinux/config on a system that previously did not have /etc/selinux/config at all and has selinux disabled and no policies installed.
On reboot, the kernel panics as it tries to load selinux.
Version-Release number of selected component (if applicable):
Install Fedora 10 w/out selinux or uninstall it.
Steps to Reproduce:
2. shutdown -r now
no kernel panic
What kernel are you running?
User reports it's 126.96.36.199-134.fc10.x86_64.
Additionally, this host is running as Xen DomU.
The real questions are
a) why did you delete /etc/selinux/config? you're supposed to set SELINUX=disabled if you want to disable selinux, not delete the config file
b) what is actually creating the new config file. I've no problem with it being created, but if it didn't already exist it certainly shouldn't be creating the new file with SELINUX=enforcing, which is what must have happened to get a panic...
Can you help explain how you went about "removing" selinux so I can try to figure out how it got out of whack? In any case your best fix is to put the config file back with the info telling the system to disable selinux.
(The reporter is apparently unable to comment in BZ)
a. I didn't delete it, it was never created, the kickstart contains:
And under %packages I have
b. ipa-server-install script.
Actually the problem might be that selinux stuff was pulled in by yum
as a dependency of ipa-server and /etc/selinux/config was created at
that point, I also have "selinux=0" in grub.conf
So I guess we really want to stop pulling selinux-policy in on people? Maybe? Dan?
I guess this is really an anaconda problem.
selinux-policy package sets up the /etc/selinux/config file when it gets installed, it is pulled in by the ipa packages, in order for them to install their policy.
anaconda should really execute a
# lokkit --selinux=disabled
When the user specifies that selinux is disabled, this would create the /etc/selinux/config file with the appropriate flags, and selinux-policy would not override.
Surprised this has never happened before.
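A pre-reboot check for the state discussed in this bug (a config file that requests enforcing mode while no policy is installed), as an added example that is not part of the original report or of the ipa, selinux-policy or anaconda code. The function names and verdict strings are hypothetical; it assumes the policy binary lives at /etc/selinux/<SELINUXTYPE>/policy/policy.<N> and that SELINUXTYPE is treated as targeted when unset.

```shell
#!/bin/sh
# Added example: detect "SELINUX=enforcing but no policy on disk" before rebooting.

# cfg_value FILE KEY: print the last uncommented KEY=value in FILE (empty if none).
cfg_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# selinux_reboot_check [ROOT]: print a verdict for the tree under ROOT.
# Exit status: 0 = consistent, 1 = enforcing requested without a policy,
# 2 = cannot decide (no config file, or unrecognised SELINUX= value).
selinux_reboot_check() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"
    if [ ! -f "$cfg" ]; then echo "no-config"; return 2; fi
    mode=$(cfg_value "$cfg" SELINUX | tr '[:upper:]' '[:lower:]')
    ptype=$(cfg_value "$cfg" SELINUXTYPE)
    case "$mode" in
        disabled|permissive) echo "$mode"; return 0 ;;
        enforcing) ;;
        *) echo "unknown-mode"; return 2 ;;
    esac
    # Assumption: policy binaries are /etc/selinux/<SELINUXTYPE>/policy/policy.<N>
    for p in "$root/etc/selinux/${ptype:-targeted}/policy/policy."*; do
        if [ -f "$p" ]; then echo "enforcing-ok"; return 0; fi
    done
    echo "enforcing-no-policy"; return 1
}

# Constructed demo tree reproducing the reported state: config present, no policy.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo/etc/selinux/config"
echo "demo verdict: $(selinux_reboot_check "$demo")"
rm -rf "$demo"
```

Run `selinux_reboot_check` with no argument to inspect the live system; a verdict of `enforcing-no-policy` is the state to correct (for example by setting SELINUX=disabled in the config file, as suggested above) before rebooting.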
Please retest this with F12 Alpha and if you're still seeing the problem, attach /tmp/program.log to this bug report so we can see how lokkit was run. anaconda certainly does know how to run lokkit to disable selinux.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.
More information and reason for this action is here: