Bug 821966 - Anaconda ignores "selinux --disabled" and "firewall --disabled" kickstart options
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 17
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Duplicates: 821962
Blocks: F17Blocker/F17FinalBlocker

Reported: 2012-05-15 18:37 EDT by Andrew McNabb
Modified: 2012-05-16 20:18 EDT
Doc Type: Bug Fix
Last Closed: 2012-05-16 20:18:35 EDT
Type: Bug
Attachments:
anaconda.ifcfg.log (2.21 KB, text/plain), 2012-05-16 14:25 EDT, Andrew McNabb
anaconda.log (25.19 KB, text/plain), 2012-05-16 14:25 EDT, Andrew McNabb
anaconda.program.log (62.10 KB, text/plain), 2012-05-16 14:25 EDT, Andrew McNabb
anaconda.storage.log (91.54 KB, text/plain), 2012-05-16 14:26 EDT, Andrew McNabb
anaconda.syslog (59.92 KB, text/plain), 2012-05-16 14:26 EDT, Andrew McNabb
anaconda.xlog (57.89 KB, text/plain), 2012-05-16 14:26 EDT, Andrew McNabb
anaconda.yum.log (278.77 KB, text/plain), 2012-05-16 14:26 EDT, Andrew McNabb
kickstart script (3.94 KB, text/plain), 2012-05-16 14:47 EDT, Andrew McNabb
package list imported in kickstart script (4.00 KB, text/plain), 2012-05-16 14:47 EDT, Andrew McNabb

Description Andrew McNabb 2012-05-15 18:37:00 EDT
With Fedora 17 TC5, Anaconda ignores the "selinux --disabled" and "firewall --disabled" kickstart options. The options get copied through to /root/anaconda-ks.cfg, but selinux and firewalld are enabled on the installed system. For example:

amcnabb@testvm:~ :) selinuxenabled
amcnabb@testvm:~ :) echo $?
0
amcnabb@testvm:~ :) cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 


amcnabb@testvm:~ :)
Comment 1 Andrew McNabb 2012-05-15 18:43:25 EDT
*** Bug 821962 has been marked as a duplicate of this bug. ***
Comment 2 Stephen Gallagher 2012-05-16 07:44:46 EDT
Proposing for F17 blocker under the following rules:

"In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login"[1]. The reason most people would pass 'selinux --disabled' to anaconda would be to avoid AVCs in software they are installing.

"The installer must be able to successfully complete a scripted installation, using the installer's preferred scripting system, which duplicates the default interactive installation as closely as possible"[2]

[1] http://fedoraproject.org/wiki/Fedora_17_Final_Release_Criteria
[2] http://fedoraproject.org/wiki/Fedora_17_Beta_Release_Criteria
Comment 3 Brian Lane 2012-05-16 13:17:05 EDT
Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log
to this bug as individual plain/text files.
Comment 4 Andrew McNabb 2012-05-16 13:24:46 EDT
(In reply to comment #3)
> Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log
> to this bug as individual plain/text files.

Are you referring to the logs during the install or logs after installation (/root/install.log and /root/install.log.syslog)? If during the install, at what stage in the installation process should I copy them over? Thanks.
Comment 5 Adam Williamson 2012-05-16 13:46:32 EDT
So, bcl reckons this happens only when *both* are specified. lokkit will be called to disable the firewall, but not to disable selinux.

If you install firewalld, then disabling of the firewall won't work, because lokkit doesn't control firewalld. But firewalld is no longer the default, so you have to explicitly install firewalld instead of s-c-f/iptables to get that problem. I guess that's really a separate bug that should be filed for F18; the firewall disablement method will need to be changed (or lokkit will need to grow support for firewalld, perhaps).

bcl further states that the first bug here (selinux not being disabled if you specify to disable both selinux and firewall) has been present for a _long_ time.

Given that, and the fact that neither bug in fact hits the criteria (nice try at criteria gymnastics, though :>), I vote -1 blocker.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 6 Brian Lane 2012-05-16 13:52:32 EDT
(In reply to comment #4)
> (In reply to comment #3)
> > Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log
> > to this bug as individual plain/text files.
> 
> Are you referring to the logs during the install or logs after installation
> (/root/install.log and /root/install.log.syslog). If during the install, at
> what stage in the installation process should I copy them over? Thanks.

The install logs. You can find them in /var/log/anaconda/ on the installed system or in /tmp/ at the end of the install.


Also, I cannot reproduce this using a minimal install from the TC6 dvd. For me selinux and firewall are correctly disabled.
Comment 7 Adam Williamson 2012-05-16 14:07:16 EDT
Andrew, did you tweak your kickstart to install firewalld instead of system-config-firewall / iptables? If so, did your tweak result in lokkit no longer being installed? anaconda uses lokkit to disable selinux and the firewall, so if you use a kickstart which results in lokkit not being enabled, that could explain the failure.



Comment 8 Andrew McNabb 2012-05-16 14:17:23 EDT
(In reply to comment #5)
> If you install firewalld, then disabling of the firewall won't work, because
> lokkit doesn't control firewalld. But firewalld is no longer the default, so
> you have to explicitly install firewalld instead of s-c-f/iptables to get that
> problem. I guess that's really a separate bug that should be filed for F18; the
> firewall disablement method will need to be changed (or lokkit will need to
> grow support for firewalld, perhaps).

Hmm. The kickstart script is definitely not explicitly specifying firewalld, so it must be pulled in as part of a group or as a dependency. That's unfortunate.

> bcl further states that the first bug here (selinux not being disabled if you
> specify to disable both selinux and firewall) has been present for a _long_
> time.

It might be something else, then, because we've used this kickstart script for years without having this problem. We make a few little changes at each release, but it's essentially the same script. I just went through the git logs, and both "firewall --disabled" and "selinux --disabled" have been specified since July 17, 2007. So I'm convinced that this is a new problem.
Comment 9 Andrew McNabb 2012-05-16 14:21:35 EDT
(In reply to comment #7)
> Andrew, did you tweak your kickstart to install firewalld instead of
> system-config-firewall / iptables? If so, did your tweak result in lokkit no
> longer being installed? anaconda uses lokkit to disable selinux and the
> firewall, so if you use a kickstart which results in lokkit not being enabled,
> that could explain the failure.

If I do `rpm -q lokkit`, it reports, "package lokkit is not installed". However, on a Fedora 16 machine with the same kickstart script, the "lokkit" package is also missing, but selinux was correctly disabled.

Perhaps Anaconda in old releases was using a copy of lokkit on the installation media instead of the target filesystem, or there's some other explanation.
Comment 10 Andrew McNabb 2012-05-16 14:24:32 EDT
I'll post the logs momentarily, but it looks like this snippet might be relevant, given Adam's observation in Comment #7.

11:03:04,692 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:04,694 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
11:03:06,657 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:06,659 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
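
An added example, not part of the original bug thread and not anaconda's own code: a post-install audit that compares the kickstart's "selinux --disabled" directive with the SELINUX= value actually written to the installed system, and counts failed lokkit runs in the anaconda log. The function names and the sample files are constructed for illustration; the log lines are the ones quoted in comment 10.

```shell
#!/bin/sh
# Added example: audit an installed system against its kickstart file.

# True if the kickstart has an active "selinux --disabled" directive.
ks_selinux_disabled() {
    grep -Eq '^[[:space:]]*selinux[[:space:]].*--disabled' "$1"
}

# Print the SELINUX= value from an /etc/selinux/config style file.
selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print how many lokkit invocations failed according to an anaconda log.
lokkit_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'lokkit run failed' "$1" || true
}

# audit_install KICKSTART SELINUX_CONFIG ANACONDA_LOG
# Prints findings; returns 1 if the installed state differs from the request.
audit_install() {
    rc=0
    if ks_selinux_disabled "$1" && [ "$(selinux_mode "$2")" != disabled ]; then
        echo "MISMATCH: kickstart asks for selinux --disabled, $2 has SELINUX=$(selinux_mode "$2")"
        rc=1
    fi
    n=$(lokkit_failures "$3")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n failed lokkit run(s) in $3; lokkit-applied directives may not have taken effect"
        rc=1
    fi
    return $rc
}

# Write constructed sample inputs into directory $1 (log lines as in comment 10).
write_samples() {
    printf 'firewall --disabled\nselinux --disabled\n' > "$1/ks.cfg"
    printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/config"
    cat > "$1/anaconda.log" <<'EOF'
11:03:04,692 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:04,694 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
11:03:06,657 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:06,659 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
EOF
}

d=$(mktemp -d)
write_samples "$d"
audit_install "$d/ks.cfg" "$d/config" "$d/anaconda.log" || echo "audit failed"
rm -rf "$d"
```

On a real system the three arguments would be /root/anaconda-ks.cfg, /etc/selinux/config and the anaconda.log under /var/log/anaconda/, the locations named in this thread.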
Comment 11 Andrew McNabb 2012-05-16 14:25:12 EDT
Created attachment 585031 [details]
anaconda.ifcfg.log
Comment 12 Andrew McNabb 2012-05-16 14:25:30 EDT
Created attachment 585032 [details]
anaconda.log
Comment 13 Andrew McNabb 2012-05-16 14:25:51 EDT
Created attachment 585033 [details]
anaconda.program.log
Comment 14 Andrew McNabb 2012-05-16 14:26:08 EDT
Created attachment 585034 [details]
anaconda.storage.log
Comment 15 Andrew McNabb 2012-05-16 14:26:27 EDT
Created attachment 585035 [details]
anaconda.syslog
Comment 16 Andrew McNabb 2012-05-16 14:26:42 EDT
Created attachment 585036 [details]
anaconda.xlog
Comment 17 Andrew McNabb 2012-05-16 14:26:57 EDT
Created attachment 585037 [details]
anaconda.yum.log
Comment 18 Adam Williamson 2012-05-16 14:32:22 EDT
Can you attach the precise kickstart you used? It seems like it might be needed at this point. Thanks!



Comment 19 Andrew McNabb 2012-05-16 14:47:28 EDT
Created attachment 585038 [details]
kickstart script
Comment 20 Andrew McNabb 2012-05-16 14:47:53 EDT
Created attachment 585039 [details]
package list imported in kickstart script
Comment 21 Brian Lane 2012-05-16 15:50:33 EDT
lokkit is part of system-config-firewall-base
Comment 22 Brian Lane 2012-05-16 15:54:04 EDT
Your kickstart is pointing to a Beta repo it looks like. Please retest with the main repo. There was some confusion over whether firewalld would be used or not, maybe this is a result of that (in the end firewalld is not being used).
Comment 23 Andrew McNabb 2012-05-16 16:48:49 EDT
(In reply to comment #21)
> lokkit is part of system-config-firewall-base

In that case, system-config-firewall-base is installed on the Fedora 16 machine but not on the Fedora 17 machine.

(In reply to comment #22)
> Your kickstart is pointing to a Beta repo it looks like. Please retest with the
> main repo. There was some confusion over whether firewalld would be used or
> not, maybe this is a result of that (in the end firewalld is not being used).

Would you mind sharing the URL to a public repo for that? I've been pointed to where the vmlinuz and initrd.img files are available online, but these locations don't include the full list of packages. Thanks.
Comment 24 Andrew McNabb 2012-05-16 16:52:56 EDT
By the way, if Anaconda needs the system-config-firewall-base package to be able to set kickstart options, should the package be mandatory in all kickstart installs? It seems like this might solve the problem, although I'm not sure whether it might add any side effects.
Comment 25 Adam Williamson 2012-05-16 17:07:42 EDT
Try http://dl.fedoraproject.org/pub/fedora/linux/development/17/x86_64/os/ (for x86_64, for i686 make the obvious substitution)



Comment 26 Andrew McNabb 2012-05-16 17:28:03 EDT
(In reply to comment #25)
> Try http://dl.fedoraproject.org/pub/fedora/linux/development/17/x86_64/os/ (for
> x86_64, for i686 make the obvious substitution)

I didn't realize that I should just point at the development repository. Thanks. The installation is running now.
Comment 27 Adam Williamson 2012-05-16 18:06:55 EDT
Given the diagnosis so far and bcl's inability to reproduce, I'm -1 blocker on this at present.



Comment 28 Andrew McNabb 2012-05-16 20:06:39 EDT
With the development repository, the system-config-firewall-base package is installed, and selinux is disabled. So, it looks like this bug will be fixed for Fedora 17 final.

Will Fedora 18 use firewalld instead of system-config-firewall-base? If so, this bug might come back. Would it make sense for Anaconda to force system-config-firewall-base to be installed if "selinux --disabled" is specified?
Comment 29 Adam Williamson 2012-05-16 20:18:35 EDT
yes, the mechanisms will need to be re-evaluated for F18. With 28 comments on this bug, though, it probably makes more sense just to open a new one. I'll close this and open a new one against Rawhide.



