Andrew Holway
2015-May-26 06:36 UTC
[CentOS] "selinux --disabled" in kickstart file does NOT disable SELINUX
Which manual? This could actually be the root of the issue. https://bugs.centos.org/view.php?id=7910 On 26 May 2015 at 07:56, Jeremy Hoel <jthoel at gmail.com> wrote:> If the decision was made around the 4.8 time period to not fix the problem, > why in v6 is it still listed in the manual as being a valid option? > > On Mon, May 25, 2015 at 11:49 PM, Andrew Holway <andrew.holway at gmail.com> > wrote: > > > To set selinux to permissive or disabled mode during a kickstart > > installation, add the sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' > > /etc/selinux/config command to the %post section of the kickstart file. > > Making sure to replace "permissive" with the required selinux mode. > > > > > > -- https://bugzilla.redhat.com/show_bug.cgi?id=435300 > > > > On 26 May 2015 at 04:40, Rob Kampen <rkampen at kampensonline.com> wrote: > > > > > On 05/26/2015 08:32 AM, Charlie Brune wrote: > > > > > >> Has the "selinux --disabled" line for kickstart files been > depreciated? > > >> > > >> My CentOS 6.6 kickstart file contains the line: > > >> > > >> > > >> selinux --disabled > > >> > > >> After the install completes, SELinux is enabled instead of disabled. > > >> > > >> I believe this has been the default since at least 6.1 - the version > I > > > installed on my workstation about three years ago. > > > It came up at first reboot with selinux enforcing. > > > Unlike CentOS 5.x where I used selinux in permissive mode only, I have > > > found 6.x seems to work just fine with enforcing mode provided one sets > > and > > > uses the appropriate selinux booleans that are in place for the > packages > > > and work scenario that one needs. As far as I recall, I have only had > one > > > or two situations where I've had to follow the the audittoallow > > > instructions. > > > > > > /etc/selinux/config contains "SELINUX=enforcing" instead of > > >> "SELINUX=disabled". > > >> > > >> Thanks, > > >> > > >> Charlie > > >> > > >> _______________________________________________ > > >> CentOS mailing list > > >> CentOS at centos.org > > >> http://lists.centos.org/mailman/listinfo/centos > > >> > > > > > > _______________________________________________ > > > CentOS mailing list > > > CentOS at centos.org > > > http://lists.centos.org/mailman/listinfo/centos > > > > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > http://lists.centos.org/mailman/listinfo/centos > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >
Jeremy Hoel
2015-May-26 07:31 UTC
[CentOS] "selinux --disabled" in kickstart file does NOT disable SELINUX
Upstream lists it here - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html So based on that, it would be assumed it would also work on CentOS. On Tue, May 26, 2015 at 12:36 AM, Andrew Holway <andrew.holway at gmail.com> wrote:> Which manual? > > This could actually be the root of the issue. > > https://bugs.centos.org/view.php?id=7910 > > > > On 26 May 2015 at 07:56, Jeremy Hoel <jthoel at gmail.com> wrote: > > > If the decision was made around the 4.8 time period to not fix the > problem, > > why in v6 is it still listed in the manual as being a valid option? > > > > On Mon, May 25, 2015 at 11:49 PM, Andrew Holway <andrew.holway at gmail.com > > > > wrote: > > > > > To set selinux to permissive or disabled mode during a kickstart > > > installation, add the sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' > > > /etc/selinux/config command to the %post section of the kickstart file. > > > Making sure to replace "permissive" with the required selinux mode. > > > > > > > > > -- https://bugzilla.redhat.com/show_bug.cgi?id=435300 > > > > > > On 26 May 2015 at 04:40, Rob Kampen <rkampen at kampensonline.com> wrote: > > > > > > > On 05/26/2015 08:32 AM, Charlie Brune wrote: > > > > > > > >> Has the "selinux --disabled" line for kickstart files been > > depreciated? > > > >> > > > >> My CentOS 6.6 kickstart file contains the line: > > > >> > > > >> > > > >> selinux --disabled > > > >> > > > >> After the install completes, SELinux is enabled instead of disabled. > > > >> > > > >> I believe this has been the default since at least 6.1 - the > version > > I > > > > installed on my workstation about three years ago. > > > > It came up at first reboot with selinux enforcing. > > > > Unlike CentOS 5.x where I used selinux in permissive mode only, I > have > > > > found 6.x seems to work just fine with enforcing mode provided one > sets > > > and > > > > uses the appropriate selinux booleans that are in place for the > > packages > > > > and work scenario that one needs. As far as I recall, I have only had > > one > > > > or two situations where I've had to follow the the audittoallow > > > > instructions. > > > > > > > > /etc/selinux/config contains "SELINUX=enforcing" instead of > > > >> "SELINUX=disabled". > > > >> > > > >> Thanks, > > > >> > > > >> Charlie > > > >> > > > >> _______________________________________________ > > > >> CentOS mailing list > > > >> CentOS at centos.org > > > >> http://lists.centos.org/mailman/listinfo/centos > > > >> > > > > > > > > _______________________________________________ > > > > CentOS mailing list > > > > CentOS at centos.org > > > > http://lists.centos.org/mailman/listinfo/centos > > > > > > > _______________________________________________ > > > CentOS mailing list > > > CentOS at centos.org > > > http://lists.centos.org/mailman/listinfo/centos > > > > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > http://lists.centos.org/mailman/listinfo/centos > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >
Johnny Hughes
2015-May-26 11:04 UTC
[CentOS] "selinux --disabled" in kickstart file does NOT disable SELINUX
On 05/26/2015 01:36 AM, Andrew Holway wrote:> Which manual? > > This could actually be the root of the issue. > > https://bugs.centos.org/view.php?id=7910 > > >This is indeed the issue, and it is an upstream (Red Hat) bug .. but I am not sure they are going to fix it, or when: https://bugzilla.redhat.com/show_bug.cgi?id=1161682 If you add these packages to your kickstart file, things should work as planned: authconfig system-config-firewall-base Thanks, Johnny Hughes> On 26 May 2015 at 07:56, Jeremy Hoel <jthoel at gmail.com> wrote: > >> If the decision was made around the 4.8 time period to not fix the problem, >> why in v6 is it still listed in the manual as being a valid option? >> >> On Mon, May 25, 2015 at 11:49 PM, Andrew Holway <andrew.holway at gmail.com> >> wrote: >> >>> To set selinux to permissive or disabled mode during a kickstart >>> installation, add the sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' >>> /etc/selinux/config command to the %post section of the kickstart file. >>> Making sure to replace "permissive" with the required selinux mode. >>> >>> >>> -- https://bugzilla.redhat.com/show_bug.cgi?id=435300 >>> >>> On 26 May 2015 at 04:40, Rob Kampen <rkampen at kampensonline.com> wrote: >>> >>>> On 05/26/2015 08:32 AM, Charlie Brune wrote: >>>> >>>>> Has the "selinux --disabled" line for kickstart files been >> depreciated? >>>>> >>>>> My CentOS 6.6 kickstart file contains the line: >>>>> >>>>> >>>>> selinux --disabled >>>>> >>>>> After the install completes, SELinux is enabled instead of disabled. >>>>> >>>>> I believe this has been the default since at least 6.1 - the version >> I >>>> installed on my workstation about three years ago. >>>> It came up at first reboot with selinux enforcing. >>>> Unlike CentOS 5.x where I used selinux in permissive mode only, I have >>>> found 6.x seems to work just fine with enforcing mode provided one sets >>> and >>>> uses the appropriate selinux booleans that are in place for the >> packages >>>> and work scenario that one needs. As far as I recall, I have only had >> one >>>> or two situations where I've had to follow the the audittoallow >>>> instructions. >>>> >>>> /etc/selinux/config contains "SELINUX=enforcing" instead of >>>>> "SELINUX=disabled". >>>>> >>>>> Thanks, >>>>> >>>>> Charlie-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20150526/2e01d8a4/attachment-0001.sig>
Greg Bailey
2015-May-26 13:07 UTC
[CentOS] "selinux --disabled" in kickstart file does NOT disable SELINUX
On 05/26/2015 04:04 AM, Johnny Hughes wrote:> On 05/26/2015 01:36 AM, Andrew Holway wrote: >> Which manual? >> >> This could actually be the root of the issue. >> >> https://bugs.centos.org/view.php?id=7910 >> >> >> > This is indeed the issue, and it is an upstream (Red Hat) bug .. but I > am not sure they are going to fix it, or when: > > https://bugzilla.redhat.com/show_bug.cgi?id=1161682 > > If you add these packages to your kickstart file, things should work as > planned: > > authconfig > system-config-firewall-base > > Thanks, > Johnny HughesWeird. Was curious and tried to reproduce, but even with a minimal 6.6 CD, I have selinux disabled with a kickstart file containing only "selinux --disabled". One other thing I usually do (in cases where I don't want/need selinux) is to pass "selinux=0" as a boot argument; that way anaconda won't run with selinux either and doesn't set the selinux contexts on files to begin with... Perhaps that would help with the original poster's issue? -Greg
Possibly Parallel Threads
- "selinux --disabled" in kickstart file does NOT disable SELINUX
- "selinux --disabled" in kickstart file does NOT disable SELINUX
- "selinux --disabled" in kickstart file does NOT disable SELINUX
- "selinux --disabled" in kickstart file does NOT disable SELINUX
- "selinux --disabled" in kickstart file does NOT disable SELINUX