Bug 477059 - ipa-server-install generates /etc/selinux/config, kernel panics on reboot when no selinux was previously installed
ipa-server-install generates /etc/selinux/config, kernel panics on reboot whe...
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Anaconda Maintenance Team
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-18 16:21 EST by Seva
Modified: 2010-01-20 13:36 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-20 13:36:57 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Seva 2008-12-18 16:21:38 EST
Description of problem:

On Fedora 10, ipa-server-install generates /etc/selinux/config on a system that previously did noth ave /etc/selinux/config at all and has selinux disabled and no policies installed.

on reboot kernel panics as it tries to load selinux

Version-Release number of selected component (if applicable):

ipa-server-1.2.0-3.fc10.x86_64

How reproducible:

Install Fedora 10 w/out selinux or uninstall it.

Steps to Reproduce:
1. ipa-server-install
2. shutdown -r now
  
Actual results:

kernel panic

Expected results:

no kernel panic

Additional info:
Comment 1 Rob Crittenden 2009-01-12 14:31:51 EST
What kernel are you running?
Comment 2 Rob Crittenden 2009-01-12 15:27:49 EST
User reports its 2.6.27.7-134.fc10.x86_64.

Additionally, this host is running as Xen DomU.
Comment 3 Eric Paris 2009-01-12 16:14:42 EST
The real questions are

a) why did you delete /etc/selinux/config?   you're supposed to set SELINUX=disabled if you want to disable selinux, not delete the config file

b) what is actually creating the new config file.  I've no problem with it being created, but if it didn't already exist it certainly shouldn't be creating the new file with SELINUX=enforcing, which is what must have happened to get a panic...
Comment 4 Eric Paris 2009-01-12 16:25:59 EST
Can you help explain how you went about "removing" selinux so I can try to figure out how it got out of whack?  In any case your best fix it to put the config file back with the info telling the system to disable selinux.
Comment 5 Eric Paris 2009-01-12 16:45:29 EST
(The reporter is apparently unable to comment in BZ)

a. I didn't delete it, it was never created, the kickstart contains:

selinux --disabled

And under %packages I have

-selinux-policy
-selinux-policy-targeted

b. ipa-server-install script.

c.

Actually the problem might be that selinux stuff was pulled in by yum
as a dependency of ipa-server and /etc/selinux/config was created at
that point, I also have "selinux=0" in grub.conf

*************

So I guess we really want to stop pulling selinux-policy in on people?  Maybe?  Dan?
Comment 6 Daniel Walsh 2009-01-13 09:59:16 EST
I guess this is really an anaconda problem.

selinux-policy package sets up the /etc/selinux/config file when it gets installed, it is pulled in by the ipa packages, in order for them to install their policy.

anaconda should really execute a 

# lokkit --selinux=disabled

When the user specifies that selinux is disabled, this would create the /etc/selinux/config file with the appropriate flags, and selinux-policy would not override.

Surprised this has never happened before.
Comment 7 Chris Lumens 2009-08-27 16:50:27 EDT
Please retest this with F12 Alpha and if you're still seeing the problem, attach /tmp/program.log to this bug report so we can see how lokkit was run.  anaconda certainly does know how to run lokkit to disable selinux.
Comment 8 Bug Zapper 2009-11-16 04:44:01 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.