|Summary:||RFE: Plz add feature to disable selinux *without* dialog box|
|Product:||[Fedora] Fedora||Reporter:||Jeff Moe (jebba) <moe>|
|Component:||anaconda||Assignee:||Anaconda Maintenance Team <anaconda-maint-list>|
|Status:||CLOSED NOTABUG||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-07-07 19:26:23 UTC||Type:||---|
Description Jeff Moe (jebba) 2008-07-07 19:17:41 UTC
Description of problem:
Some users, for whatever reason, do not need or want selinux. The latest anaconda removes the dialog box to disable selinux and this has upset a not insignificant number of users.

* Red Hat wants to have selinux enabled by default
* Red Hat wants as few confusing dialog boxes as possible (especially where the user likely doesn't know what they want)

But:

* Many users do not want selinux and would like to disable it.

So there has been a very long thread on fedora-devel about this and people arguing to have the dialog box back, others saying users that don't want it are confused. I noted (somewhat indirectly) that one Fedora user named Linus happens to disable selinux.... It has resulted in much gnashing of teeth.

Version-Release number of selected component (if applicable):
Latest rawhide, apparently.

How reproducible:
Run anaconda, try to disable selinux.

Steps to Reproduce:
1. Run install CD from the future (which doesn't yet exist AFAIK)
2. In anaconda disable selinux
3. Fail

Actual results:
No way to disable selinux.

Expected results:
SELinux completely disabled.

Additional info:
I propose the *perfect* solution which is easy and satisfies everyone above. Other obscure setups, such as users that want xfs/reiserfs/jfs filesystems can do so by specifying them at the boot: prompt of the CD. This allows these non-typical setups to be used, without bothering users with dialogs such as "which filesystem do you want? reiser/xfs/jfs? etc". Best of both worlds. The same should be done with selinux. All that would need to be done is:

1) Add documentation to the install manual which says, "If you want to disable SELinux, add 'linux selinux=0' to the boot: line of the install CD"
2) Also add this to the CD's syslinux files (e.g. where you hit F3 or whatever on the install CD and it tells you options).
3) Anaconda would need a small unobtrusive patchlet which sees that selinux=0 has been passed to the install (which I think it does already, so it runs anaconda --disable-selinux or somesuch) and then pass this to grub.conf.

The passing to grub would then mean the user wouldn't have to do any post-install configuration either. *WIN* *WIN* *WIN* everyone. :) Thanks.
Comment 1 Jeremy Katz 2008-07-07 19:26:23 UTC
You can already boot with 'selinux=0' and this is even already documented in the command-line.txt document included with the anaconda package (and linked to on the wiki). And this has been the case since the first bits of SELinux support were added about four years ago.
Comment 2 Jeff Moe (jebba) 2008-07-07 21:20:11 UTC
You can boot with selinux=0, but unless I'm mistaken this does not get passed on to the installed system (hence the previous need for a dialog box).
Comment 3 Jeremy Katz 2008-07-07 21:43:38 UTC
If you install with selinux=0, we ensure that disabled gets set in /etc/selinux/config.
Comment 4 Jeff Moe (jebba) 2008-07-07 22:43:21 UTC
Ok, I just tested this with a stock Fedora 9 installation--I believe it's the same for rawhide. If you pass selinux=0 to the CD boot: line it does *not* get passed to grub in the final install. It gets disabled in /etc/selinux/config, which is like passing noselinux to anaconda, but it doesn't get passed to grub.conf. They do have different behavior.

Concisely:
user does: boot: selinux=0
anaconda: anaconda.id.bootloader.args.append("selinux=0")
grub then has: selinux=0

Then if any user ever mentions it on fedora-devel again, just say "install with selinux=0 and it will *completely* disable it". Everybody happy. :)
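
As an added example (not part of this bug thread and not anaconda code), here is a shell check that reports which of the two settings discussed in Comment 4 is in effect on an installed system: SELINUX=disabled in /etc/selinux/config, selinux=0 on the kernel command line, or both. The function names are hypothetical, and it assumes the running kernel's arguments are readable at /proc/cmdline.

```shell
#!/bin/sh
# Added example: tell apart the two ways SELinux can be switched off that
# this thread discusses. File paths are parameters so the check can be run
# against constructed samples as well as the live system.

# Print the value of the first uncommented SELINUX= line, lowercased.
# SELINUXTYPE= lines do not match because '=' must follow SELINUX directly.
selinux_config_mode() {
    # $1: path to an /etc/selinux/config style file
    [ -r "$1" ] || { echo "missing"; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | head -n 1)
    [ -n "$mode" ] || mode="unset"
    echo "$mode" | tr 'A-Z' 'a-z'
}

# Succeed only if the command line holds the exact word selinux=0
# (not a longer word that merely contains it).
cmdline_has_selinux0() {
    # $1: path to a /proc/cmdline style file
    [ -r "$1" ] || return 1
    tr -s ' \t' '\n\n' < "$1" | grep -qxF 'selinux=0'
}

# Classify the combination of both settings.
selinux_disable_state() {
    # $1: config file (default /etc/selinux/config)
    # $2: kernel command line file (default /proc/cmdline)
    cfg=$(selinux_config_mode "${1:-/etc/selinux/config}")
    if cmdline_has_selinux0 "${2:-/proc/cmdline}"; then boot=yes; else boot=no; fi
    case "$cfg:$boot" in
        disabled:yes) echo "disabled-in-config-and-boot-args" ;;
        disabled:no)  echo "disabled-in-config-only" ;;
        *:yes)        echo "disabled-by-boot-arg-only" ;;
        *)            echo "not-disabled (config=$cfg)" ;;
    esac
}

# Constructed sample: the state Comment 4 reports after an install booted
# with selinux=0 (config says disabled, installed kernel line lacks the arg).
tmp=$(mktemp -d)
printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp/config"
printf 'ro root=LABEL=/ rhgb quiet\n' > "$tmp/cmdline"
selinux_disable_state "$tmp/config" "$tmp/cmdline"
rm -rf "$tmp"
```

Calling `selinux_disable_state` with no arguments checks the live system's own files.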