8

I've been fighting with this one for a bit and it seems that there has been a regression in CentOS 6 as far as anaconda ignoring the selinux --disabled directive. This appears to have first appeared in RHEL 4.8, and then re-appeared in RHEL 5.6.

Now with the previous releases you would just add the sed statement to your %post directive to disable it.

sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config

The problem I'm running into is that new in RHEL/CentOS 6 is the fact that they are setting file system attributes by default so you now have to go and clear those.

I tried running the following command to strip those attributes in my %post section, but it does not have any effect.

find . -exec setfattr -x security.selinux {} \;

My kickstart file is below in case you find it helpful:

#version=RHEL6
install
url --url=http://ny-man01.ds.stackexchange.com/centos/6/os/x86_64
lang en_US.UTF-8
keyboard us
%include /tmp/nic-include
rootpw  --iscrypted <mmm no you don't even get the encrypted version>
firewall --service=ssh,ntp,snmp
authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enablekrb5
selinux --disabled
timezone --utc Etc/UTC
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --initlabel --drives=sda

part /boot --fstype=ext4 --size=500
part pv.M3dTcp-jomG-l0xc-Zl3I-wqR1-Gcwz-14jidB --grow --size=1
volgroup vg_test --pesize=4096 pv.M3dTcp-jomG-l0xc-Zl3I-wqR1-Gcwz-14jidB
logvol / --fstype=ext4 --name=lv_root --vgname=vg_test --grow --size=1024 --maxsize=51200
logvol swap --name=lv_swap --vgname=vg_test --grow --size=1024 --maxsize=6016

services --enabled ntpd,snmpd,puppet

reboot

repo --name="CentOS"  --baseurl=http://ny-man01.ds.stackexchange.com/centos/6/os/x86_64/ --                                                                                                                                                                                                                                  cost=100
repo --name="EPEL6" --baseurl=http://ny-man01.ds.stackexchange.com/epel/6/x86_64/
repo --name="SEI" --baseurl=http://ny-man01.ds.stackexchange.com/sei/

%packages
@base
@core
@hardware-monitoring
@perl-runtime
@server-policy
@system-admin-tools
pam_krb5
sgpio
perl-DBD-SQLite
epel-release-6-5
net-snmp
ntp
mercurial
puppet

%pre
echo "# `grep /proc/net/dev eth| cut -d: -f1 | cut -d' ' -f3` " >>/tmp/nic-include
echo "# auto generated nic setup" > /tmp/nic-include
for nic in `grep eth /proc/net/dev| cut -d: -f1 | cut -d' ' -f3`
do
        if [ "$nic" = "eth0" ]
        then
                echo "network --device $nic --bootproto dhcp " >> /tmp/nic-include
        else
                echo "network --device $nic --onboot no --bootproto dhcp" >> /tmp/nic-inclu                                                                                                                                                                                                                                  de
        fi
done


%post --log /root/ks-post.log
#sed -i -e 's/\(^SELINUX=\).*$/\1disabled/' /etc/selinux/config
#find / -exec setfattr -x security.selinux {} \;
wget -O- http://10.7.0.50/kickstart/generic-configs/get_files.sh | /bin/bash
cp /tmp/nic-include /root/
Zypher
  • 36,995
  • 5
  • 52
  • 95
  • I haven't had any problems with disabling selinux from my kickstarts in EL5.x or EL6. Is the issue that you have filesystem problems following new installs? – ewwhite Dec 13 '11 at 23:19
  • Nope, after a kickstart install SELinux is still set to 'enforcing' and the file system attributes are still set. – Zypher Dec 13 '11 at 23:35
  • @Zypher, FYI: In your `%pre` stanza you are appending to `/tmp/nic-include` and then clobbering it on the next line. – Belmin Fernandez Dec 14 '11 at 00:11
  • @BeamingMel-Bin oh yea, just debugging code i forgot to take out. – Zypher Dec 14 '11 at 00:25

2 Answers2

6

The CentOS 6 installer loads the policies in permissive mode by default (which I confirmed by running dmesg during the installation). That meant by the post installation step, SELinux is already active. As long as it is running, it doesn't look like you can remove the attributes.

You will have to pass the following someplace prior to the start of the installation (right at the end of kernel the boot loader line):

selinux=0

So something like this:

kernel /boot/vmlinuz-2.4.20-XXXXXXXXX ro root=/dev/hda1 nousb selinux=0

Here is what happens when you attempt to remove the attributes while in permissive mode (forgive the formatting, SF appears to be unhappy):

[root@centos6dev test]# find . -exec setfattr -x security.selinux {} \;
setfattr: .: Permission denied
setfattr: ./test2: Permission denied
setfattr: ./test3: Permission denied
setfattr: ./test: Permission denied

With selinux disabled from grub at boot time:

[root@centos6dev test]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test2
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test3
[root@centos6dev test]# find . -exec setfattr -x security.selinux {} \;
[root@centos6dev test]# ls -la
total 8
drwxr-xr-x  2 root root 4096 Dec 13 22:27 .
dr-xr-x---. 4 root root 4096 Dec 13 22:27 ..
-rw-r--r--  1 root root    0 Dec 13 22:27 test
-rw-r--r--  1 root root    0 Dec 13 22:27 test2
-rw-r--r--  1 root root    0 Dec 13 22:27 test3
[root@centos6dev test]# ls -Z
-rw-r--r-- root root ?                                test
-rw-r--r-- root root ?                                test2
-rw-r--r-- root root ?                                test3

Based on this as well as this bug report, this probably means you won't be able to remove the attributes in the post install. So as I outlined, you'll need to disable selinux prior to booting up the installation.

(or you can just leave it alone and learn to live with it. :) ).

Rilindo
  • 5,058
  • 5
  • 26
  • 46
  • This combined with the sed line from my post worked like a charm! – Zypher Dec 14 '11 at 17:41
  • Just curious, for my own edification: Why is there a need to remove the extend attributes left by SELinux? – Rilindo Dec 14 '11 at 17:49
  • I've run into issues that for whatever reason when extended attributes + selinux off mean that services can't read files - especially when combining acls and nfs into the mix. Kill the extended attributes and the issue goes away – Zypher Dec 14 '11 at 18:12
2

The 'root cause' of the issue, is that Anaconda implements the selinux attributes during the kickstart process (such that any 'post-install' disabling, is too late).

I have placed the disabling methods in the host configuration files (actually, they were always there):

firewall --disabled
selinux --disabled

BUT, also added the 'selinux=0' string to the PXE boot file:

/tftpboot/pxelinux.cfg>  cat 01-00-24-4f-ab-1e-84

default linux
label linux
  kernel vmlinuz-rhel-6.4-x86_64
  append load_ramdisk=1 initrd=initrd.img-rhel-6.4-x86_64 network selinux=0 ksdevice=eth0 ks=nfs:nolock,rsize=1480,wsize=1480:buildserver:/kickstart/host-configs/myserver-ks.cfg

After rebuilding the system, all of the 'dot' notations were gone !!!