Bug 821966 - Anaconda ignores "selinux --disabled" and "firewall --disabled" kickstart options
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 17
Hardware: x86_64 Linux
unspecified
high
Assignee: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Duplicates: 821962
Blocks: F17Blocker, F17FinalBlocker
Reported: 2012-05-15 22:37 UTC by Andrew McNabb
Modified: 2012-05-17 00:18 UTC

Doc Type: Bug Fix
Last Closed: 2012-05-17 00:18:35 UTC
Type: Bug


Attachments
anaconda.ifcfg.log (2.21 KB, text/plain), 2012-05-16 18:25 UTC, Andrew McNabb
anaconda.log (25.19 KB, text/plain), 2012-05-16 18:25 UTC, Andrew McNabb
anaconda.program.log (62.10 KB, text/plain), 2012-05-16 18:25 UTC, Andrew McNabb
anaconda.storage.log (91.54 KB, text/plain), 2012-05-16 18:26 UTC, Andrew McNabb
anaconda.syslog (59.92 KB, text/plain), 2012-05-16 18:26 UTC, Andrew McNabb
anaconda.xlog (57.89 KB, text/plain), 2012-05-16 18:26 UTC, Andrew McNabb
anaconda.yum.log (278.77 KB, text/plain), 2012-05-16 18:26 UTC, Andrew McNabb
kickstart script (3.94 KB, text/plain), 2012-05-16 18:47 UTC, Andrew McNabb
package list imported in kickstart script (4.00 KB, text/plain), 2012-05-16 18:47 UTC, Andrew McNabb

Description Andrew McNabb 2012-05-15 22:37:00 UTC
With Fedora 17 TC5, Anaconda ignores the "selinux --disabled" and "firewall --disabled" kickstart options. The options get copied through to /root/anaconda-ks.cfg, but selinux and firewalld are enabled on the installed system. For example:

amcnabb@testvm:~ :) selinuxenabled
amcnabb@testvm:~ :) echo $?
0
amcnabb@testvm:~ :) cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 


amcnabb@testvm:~ :)

Comment 1 Andrew McNabb 2012-05-15 22:43:25 UTC
*** Bug 821962 has been marked as a duplicate of this bug. ***

Comment 2 Stephen Gallagher 2012-05-16 11:44:46 UTC
Proposing for F17 blocker under the following rules:

"In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login"[1]. The reason most people would pass 'selinux --disabled' to anaconda would be to avoid AVCs in software they are installing.

"The installer must be able to successfully complete a scripted installation, using the installer's preferred scripting system, which duplicates the default interactive installation as closely as possible"[2]

[1] http://fedoraproject.org/wiki/Fedora_17_Final_Release_Criteria
[2] http://fedoraproject.org/wiki/Fedora_17_Beta_Release_Criteria

Comment 3 Brian Lane 2012-05-16 17:17:05 UTC
Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log
to this bug as individual plain/text files.

Comment 4 Andrew McNabb 2012-05-16 17:24:46 UTC
(In reply to comment #3)
> Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log
> to this bug as individual plain/text files.

Are you referring to the logs during the install or logs after installation (/root/install.log and /root/install.log.syslog)? If during the install, at what stage in the installation process should I copy them over? Thanks.

Comment 5 Adam Williamson 2012-05-16 17:46:32 UTC
So, bcl reckons this happens only when *both* are specified. lokkit will be called to disable the firewall, but not to disable selinux.

If you install firewalld, then disabling of the firewall won't work, because lokkit doesn't control firewalld. But firewalld is no longer the default, so you have to explicitly install firewalld instead of s-c-f/iptables to get that problem. I guess that's really a separate bug that should be filed for F18; the firewall disablement method will need to be changed (or lokkit will need to grow support for firewalld, perhaps).

bcl further states that the first bug here (selinux not being disabled if you specify to disable both selinux and firewall) has been present for a _long_ time.

Given that, and the fact that neither bug in fact hits the criteria (nice try at criteria gymnastics, though :>), I vote -1 blocker.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 6 Brian Lane 2012-05-16 17:52:32 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Please switch to tty2 (ctrl-alt-f2) and attach the logs from /tmp/*log
> > to this bug as individual plain/text files.
> 
> Are you referring to the logs during the install or logs after installation
> (/root/install.log and /root/install.log.syslog)? If during the install, at
> what stage in the installation process should I copy them over? Thanks.

The install logs. You can find them in /var/log/anaconda/ on the installed system or in /tmp/ at the end of the install.


Also, I cannot reproduce this using a minimal install from the TC6 dvd. For me selinux and firewall are correctly disabled.

Comment 7 Adam Williamson 2012-05-16 18:07:16 UTC
Andrew, did you tweak your kickstart to install firewalld instead of system-config-firewall / iptables? If so, did your tweak result in lokkit no longer being installed? anaconda uses lokkit to disable selinux and the firewall, so if you use a kickstart which results in lokkit not being enabled, that could explain the failure.




Comment 8 Andrew McNabb 2012-05-16 18:17:23 UTC
(In reply to comment #5)
> If you install firewalld, then disabling of the firewall won't work, because
> lokkit doesn't control firewalld. But firewalld is no longer the default, so
> you have to explicitly install firewalld instead of s-c-f/iptables to get that
> problem. I guess that's really a separate bug that should be filed for F18; the
> firewall disablement method will need to be changed (or lokkit will need to
> grow support for firewalld, perhaps).

Hmm. The kickstart script is definitely not explicitly specifying firewalld, so it must be pulled in as part of a group or as a dependency. That's unfortunate.

> bcl further states that the first bug here (selinux not being disabled if you
> specify to disable both selinux and firewall) has been present for a _long_
> time.

It might be something else, then, because we've used this kickstart script for years without having this problem. We make a few little changes at each release, but it's essentially the same script. I just went through the git logs, and both "firewall --disabled" and "selinux --disabled" have been specified since July 17, 2007. So I'm convinced that this is a new problem.

Comment 9 Andrew McNabb 2012-05-16 18:21:35 UTC
(In reply to comment #7)
> Andrew, did you tweak your kickstart to install firewalld instead of
> system-config-firewall / iptables? If so, did your tweak result in lokkit no
> longer being installed? anaconda uses lokkit to disable selinux and the
> firewall, so if you use a kickstart which results in lokkit not being enabled,
> that could explain the failure.

If I do `rpm -q lokkit`, it reports, "package lokkit is not installed". However, on a Fedora 16 machine with the same kickstart script, the "lokkit" package is also missing, but selinux was correctly disabled.

Perhaps Anaconda in old releases was using a copy of lokkit on the installation media instead of the target filesystem, or there's some other explanation.

Comment 10 Andrew McNabb 2012-05-16 18:24:32 UTC
I'll post the logs momentarily, but it looks like this snippet might be relevant, given Adam's observation in Comment #7.

11:03:04,692 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:04,694 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
11:03:06,657 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory
11:03:06,659 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory
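
A post-install check for the failure mode in this report, where the installer logs a lokkit error and the kickstart's `selinux` setting is silently not applied. This is an added example, not part of the bug thread or of anaconda; the function names and the temporary sample files are assumptions constructed here.

```shell
#!/bin/bash
# Added example (not from the bug report): compare kickstart intent with installed state.

# Print the SELinux mode a kickstart requests (last "selinux" command wins).
ks_selinux_mode() {
    awk '$1 == "selinux" {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^--(disabled|permissive|enforcing)$/) mode = substr($i, 3)
         }
         END { if (mode != "") print mode }' "$1"
}

# Print the SELINUX= value from an /etc/selinux/config style file.
cfg_selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Count "lokkit run failed" errors in an anaconda log (prints 0 if none).
lokkit_failures() {
    grep -c 'ERR anaconda: lokkit run failed' "$1" || true
}

# Args: kickstart, selinux config, anaconda log. Returns 1 on any mismatch.
check_install() {
    ci_rc=0
    ci_want=$(ks_selinux_mode "$1"); ci_got=$(cfg_selinux_mode "$2"); ci_fails=$(lokkit_failures "$3")
    if [ -n "$ci_want" ] && [ "$ci_want" != "$ci_got" ]; then
        echo "MISMATCH: kickstart asked for selinux=$ci_want, installed config says $ci_got"; ci_rc=1
    fi
    if [ "${ci_fails:-0}" -gt 0 ]; then
        echo "WARNING: installer logged $ci_fails lokkit failure(s)"; ci_rc=1
    fi
    return $ci_rc
}

# Constructed sample files, modelled on the values quoted in this report.
make_samples() {
    printf 'firewall --disabled\nselinux --disabled\n' > "$1/ks.cfg"
    printf '# comment\nSELINUX=enforcing\nSELINUXTYPE=targeted \n' > "$1/config"
    printf '%s\n' \
        '11:03:04,692 ERR anaconda: Error running /usr/sbin/lokkit: No such file or directory' \
        '11:03:04,694 ERR anaconda: lokkit run failed: Error running /usr/sbin/lokkit: No such file or directory' \
        > "$1/anaconda.log"
}

d=$(mktemp -d)
make_samples "$d"
check_install "$d/ks.cfg" "$d/config" "$d/anaconda.log" || echo "check failed (status $?)"
```

On an installed system the three arguments would be /root/anaconda-ks.cfg, /etc/selinux/config and the anaconda.log under /var/log/anaconda/, the paths named in this report. The same comparison also catches the opposite drift, where a kickstart asks for enforcing mode and the installed config ends up weaker.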

Comment 11 Andrew McNabb 2012-05-16 18:25:12 UTC
Created attachment 585031
anaconda.ifcfg.log

Comment 12 Andrew McNabb 2012-05-16 18:25:30 UTC
Created attachment 585032
anaconda.log

Comment 13 Andrew McNabb 2012-05-16 18:25:51 UTC
Created attachment 585033
anaconda.program.log

Comment 14 Andrew McNabb 2012-05-16 18:26:08 UTC
Created attachment 585034
anaconda.storage.log

Comment 15 Andrew McNabb 2012-05-16 18:26:27 UTC
Created attachment 585035
anaconda.syslog

Comment 16 Andrew McNabb 2012-05-16 18:26:42 UTC
Created attachment 585036
anaconda.xlog

Comment 17 Andrew McNabb 2012-05-16 18:26:57 UTC
Created attachment 585037
anaconda.yum.log

Comment 18 Adam Williamson 2012-05-16 18:32:22 UTC
Can you attach the precise kickstart you used? It seems like it might be needed at this point. Thanks!




Comment 19 Andrew McNabb 2012-05-16 18:47:28 UTC
Created attachment 585038
kickstart script

Comment 20 Andrew McNabb 2012-05-16 18:47:53 UTC
Created attachment 585039
package list imported in kickstart script

Comment 21 Brian Lane 2012-05-16 19:50:33 UTC
lokkit is part of system-config-firewall-base

Comment 22 Brian Lane 2012-05-16 19:54:04 UTC
Your kickstart is pointing to a Beta repo it looks like. Please retest with the main repo. There was some confusion over whether firewalld would be used or not, maybe this is a result of that (in the end firewalld is not being used).

Comment 23 Andrew McNabb 2012-05-16 20:48:49 UTC
(In reply to comment #21)
> lokkit is part of system-config-firewall-base

In that case, system-config-firewall-base is installed on the Fedora 16 machine but not on the Fedora 17 machine.

(In reply to comment #22)
> Your kickstart is pointing to a Beta repo it looks like. Please retest with the
> main repo. There was some confusion over whether firewalld would be used or
> not, maybe this is a result of that (in the end firewalld is not being used).

Would you mind sharing the URL to a public repo for that? I've been pointed to where the vmlinuz and initrd.img files are available online, but these locations don't include the full list of packages. Thanks.

Comment 24 Andrew McNabb 2012-05-16 20:52:56 UTC
By the way, if Anaconda needs the system-config-firewall-base package to be able to set kickstart options, should the package be mandatory in all kickstart installs? It seems like this might solve the problem, although I'm not sure whether it might add any side effects.

Comment 25 Adam Williamson 2012-05-16 21:07:42 UTC
Try http://dl.fedoraproject.org/pub/fedora/linux/development/17/x86_64/os/ (for x86_64, for i686 make the obvious substitution)




Comment 26 Andrew McNabb 2012-05-16 21:28:03 UTC
(In reply to comment #25)
> Try http://dl.fedoraproject.org/pub/fedora/linux/development/17/x86_64/os/ (for
> x86_64, for i686 make the obvious substitution)

I didn't realize that I should just point at the development repository. Thanks. The installation is running now.

Comment 27 Adam Williamson 2012-05-16 22:06:55 UTC
Given the diagnosis so far and bcl's inability to reproduce, I'm -1 blocker on this at present.




Comment 28 Andrew McNabb 2012-05-17 00:06:39 UTC
With the development repository, the system-config-firewall-base package is installed, and selinux is disabled. So, it looks like this bug will be fixed for Fedora 17 final.

Will Fedora 18 use firewalld instead of system-config-firewall-base? If so, this bug might come back. Would it make sense for Anaconda to force system-config-firewall-base to be installed if "selinux --disabled" is specified?

Comment 29 Adam Williamson 2012-05-17 00:18:35 UTC
Yes, the mechanisms will need to be re-evaluated for F18. With 28 comments on this bug, though, it probably makes more sense just to open a new one. I'll close this and open a new one against Rawhide.


