CentOS - May 2015 - "selinux --disabled" in kickstart file does NOT disable SELINUX

Which manual?

This could actually be the root of the issue.

https://bugs.centos.org/view.php?id=7910



On 26 May 2015 at 07:56, Jeremy Hoel <jthoel at gmail.com> wrote:
> If the decision was made around the 4.8 time period to not fix the problem,
> why in v6 is it still listed in the manual as being a valid option?
>
> On Mon, May 25, 2015 at 11:49 PM, Andrew Holway <andrew.holway at
gmail.com>
> wrote:
>
> > To set selinux to permissive or disabled mode during a kickstart
> > installation, add the sed -i -e
's/\(^SELINUX=\).*$/\1permissive/'
> > /etc/selinux/config command to the %post section of the kickstart
file.
> > Making sure to replace "permissive" with the required
selinux mode.
> >
> >
> > -- https://bugzilla.redhat.com/show_bug.cgi?id=435300
> >
> > On 26 May 2015 at 04:40, Rob Kampen <rkampen at
kampensonline.com> wrote:
> >
> > > On 05/26/2015 08:32 AM, Charlie Brune wrote:
> > >
> > >> Has the "selinux --disabled" line for kickstart
files been
> depreciated?
> > >>
> > >>     My CentOS 6.6 kickstart file contains the line:
> > >>
> > >>
> > >> selinux --disabled
> > >>
> > >> After the install completes, SELinux is enabled instead of
disabled.
> > >>
> > >>  I believe this has been the default since at least 6.1 - the
version
> I
> > > installed on my workstation about three years ago.
> > > It came up at first reboot with selinux enforcing.
> > > Unlike CentOS 5.x where I used selinux in permissive mode only, I
have
> > > found 6.x seems to work just fine with enforcing mode provided
one sets
> > and
> > > uses the appropriate selinux booleans that are in place for the
> packages
> > > and work scenario that one needs. As far as I recall, I have only
had
> one
> > > or two situations where I've had to follow the the
audittoallow
> > > instructions.
> > >
> > >    /etc/selinux/config contains "SELINUX=enforcing"
instead of
> > >> "SELINUX=disabled".
> > >>
> > >>   Thanks,
> > >>
> > >> Charlie
> > >>
> > >> _______________________________________________
> > >> CentOS mailing list
> > >> CentOS at centos.org
> > >> http://lists.centos.org/mailman/listinfo/centos
> > >>
> > >
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> > >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Upstream lists it here -
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html

So based on that, it would be assumed it would also work on CentOS.

On Tue, May 26, 2015 at 12:36 AM, Andrew Holway <andrew.holway at
gmail.com>
wrote:
> Which manual?
>
> This could actually be the root of the issue.
>
> https://bugs.centos.org/view.php?id=7910
>
>
>
> On 26 May 2015 at 07:56, Jeremy Hoel <jthoel at gmail.com> wrote:
>
> > If the decision was made around the 4.8 time period to not fix the
> problem,
> > why in v6 is it still listed in the manual as being a valid option?
> >
> > On Mon, May 25, 2015 at 11:49 PM, Andrew Holway <andrew.holway at
gmail.com
> >
> > wrote:
> >
> > > To set selinux to permissive or disabled mode during a kickstart
> > > installation, add the sed -i -e
's/\(^SELINUX=\).*$/\1permissive/'
> > > /etc/selinux/config command to the %post section of the kickstart
file.
> > > Making sure to replace "permissive" with the required
selinux mode.
> > >
> > >
> > > -- https://bugzilla.redhat.com/show_bug.cgi?id=435300
> > >
> > > On 26 May 2015 at 04:40, Rob Kampen <rkampen at
kampensonline.com> wrote:
> > >
> > > > On 05/26/2015 08:32 AM, Charlie Brune wrote:
> > > >
> > > >> Has the "selinux --disabled" line for
kickstart files been
> > depreciated?
> > > >>
> > > >>     My CentOS 6.6 kickstart file contains the line:
> > > >>
> > > >>
> > > >> selinux --disabled
> > > >>
> > > >> After the install completes, SELinux is enabled instead
of disabled.
> > > >>
> > > >>  I believe this has been the default since at least 6.1
- the
> version
> > I
> > > > installed on my workstation about three years ago.
> > > > It came up at first reboot with selinux enforcing.
> > > > Unlike CentOS 5.x where I used selinux in permissive mode
only, I
> have
> > > > found 6.x seems to work just fine with enforcing mode
provided one
> sets
> > > and
> > > > uses the appropriate selinux booleans that are in place for
the
> > packages
> > > > and work scenario that one needs. As far as I recall, I have
only had
> > one
> > > > or two situations where I've had to follow the the
audittoallow
> > > > instructions.
> > > >
> > > >    /etc/selinux/config contains
"SELINUX=enforcing" instead of
> > > >> "SELINUX=disabled".
> > > >>
> > > >>   Thanks,
> > > >>
> > > >> Charlie
> > > >>
> > > >> _______________________________________________
> > > >> CentOS mailing list
> > > >> CentOS at centos.org
> > > >> http://lists.centos.org/mailman/listinfo/centos
> > > >>
> > > >
> > > > _______________________________________________
> > > > CentOS mailing list
> > > > CentOS at centos.org
> > > > http://lists.centos.org/mailman/listinfo/centos
> > > >
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> > >
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

On 05/26/2015 01:36 AM, Andrew Holway wrote:
> Which manual?
> 
> This could actually be the root of the issue.
> 
> https://bugs.centos.org/view.php?id=7910
> 
> 
>
This is indeed the issue, and it is an upstream (Red Hat) bug .. but I
am not sure they are going to fix it, or when:

https://bugzilla.redhat.com/show_bug.cgi?id=1161682

If you add these packages to your kickstart file, things should work as
planned:

authconfig
system-config-firewall-base

Thanks,
Johnny Hughes

> On 26 May 2015 at 07:56, Jeremy Hoel <jthoel at gmail.com> wrote:
> 
>> If the decision was made around the 4.8 time period to not fix the
problem,
>> why in v6 is it still listed in the manual as being a valid option?
>>
>> On Mon, May 25, 2015 at 11:49 PM, Andrew Holway <andrew.holway at
gmail.com>
>> wrote:
>>
>>> To set selinux to permissive or disabled mode during a kickstart
>>> installation, add the sed -i -e
's/\(^SELINUX=\).*$/\1permissive/'
>>> /etc/selinux/config command to the %post section of the kickstart
file.
>>> Making sure to replace "permissive" with the required
selinux mode.
>>>
>>>
>>> -- https://bugzilla.redhat.com/show_bug.cgi?id=435300
>>>
>>> On 26 May 2015 at 04:40, Rob Kampen <rkampen at
kampensonline.com> wrote:
>>>
>>>> On 05/26/2015 08:32 AM, Charlie Brune wrote:
>>>>
>>>>> Has the "selinux --disabled" line for kickstart
files been
>> depreciated?
>>>>>
>>>>>     My CentOS 6.6 kickstart file contains the line:
>>>>>
>>>>>
>>>>> selinux --disabled
>>>>>
>>>>> After the install completes, SELinux is enabled instead of
disabled.
>>>>>
>>>>>  I believe this has been the default since at least 6.1 -
the version
>> I
>>>> installed on my workstation about three years ago.
>>>> It came up at first reboot with selinux enforcing.
>>>> Unlike CentOS 5.x where I used selinux in permissive mode only,
I have
>>>> found 6.x seems to work just fine with enforcing mode provided
one sets
>>> and
>>>> uses the appropriate selinux booleans that are in place for the
>> packages
>>>> and work scenario that one needs. As far as I recall, I have
only had
>> one
>>>> or two situations where I've had to follow the the
audittoallow
>>>> instructions.
>>>>
>>>>    /etc/selinux/config contains "SELINUX=enforcing"
instead of
>>>>> "SELINUX=disabled".
>>>>>
>>>>>   Thanks,
>>>>>
>>>>> Charlie

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20150526/2e01d8a4/attachment-0001.sig>

On 05/26/2015 04:04 AM, Johnny Hughes wrote:
> On 05/26/2015 01:36 AM, Andrew Holway wrote:
>> Which manual?
>>
>> This could actually be the root of the issue.
>>
>> https://bugs.centos.org/view.php?id=7910
>>
>>
>>
> This is indeed the issue, and it is an upstream (Red Hat) bug .. but I
> am not sure they are going to fix it, or when:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1161682
>
> If you add these packages to your kickstart file, things should work as
> planned:
>
> authconfig
> system-config-firewall-base
>
> Thanks,
> Johnny Hughes

Weird.  Was curious and tried to reproduce, but even with a minimal 6.6 
CD, I have selinux disabled with a kickstart file containing only 
"selinux --disabled".

One other thing I usually do (in cases where I don't want/need selinux) 
is to pass "selinux=0" as a boot argument; that way anaconda won't
run
with selinux either and doesn't set the selinux contexts on files to 
begin with...  Perhaps that would help with the original poster's issue?

-Greg