Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 454338 - RFE: Plz add feature to disble selinux *without* dialog box
Summary: RFE: Plz add feature to disble selinux *without* dialog box
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-07 19:17 UTC by Jeff Moe (jebba)
Modified: 2008-07-07 22:43 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-07 19:26:23 UTC


Attachments (Terms of Use)

Description Jeff Moe (jebba) 2008-07-07 19:17:41 UTC
Description of problem:
Some users, for whatever reason, do not need or want selinux. The latest
anaconda removes the dialog box to disble selinux and this has upset a not
insignificant number of users.

* Red Hat wants to have selinux enabled by default
* Red Hat wants as few confusing dialog boxes as possible (especially where the
user likely doesnt know what they want)

But:
* Many users do not want selinux and would like to disable it.

So there has been a very long thread on fedora-devel about this and people
arguing to have the dialog box back, others saying users that don't want it are
confused. I noted (somewhat indirectly) that one Fedora user named Linus happens
to disable selinux.... It has resulted in much gnashing of teeth.


Version-Release number of selected component (if applicable):
Latest rawhide, apparently.


How reproducible:
Run anaconda, try to disable selinux.


Steps to Reproduce:
1. Run install CD from the future (which doesn't yet exist AFIAK)
2. In anaconda disable selinux
3. Fail
  

Actual results:
No way to disable selinux.


Expected results:
SELinux completely disabled.


Additional info:

I propose the *perfect* solution which is easy and satisfies everyone above.

Other obscure setups, such as users that want xfs/reiserfs/jfs filesystems can
do so by specifying them at the boot: prompt of the CD. This allows this
non-typical setups to be used, without bothering users with dialogs such as
"which filesystem do you want? reiser/xfs/jfs? etc". Best of both worlds. The
same should be done with selinux.

All that would need to be done is:

1) Add documentation to the install manual which says, "If you want to disable
SELinux, add 'linux selinux=0' to the boot: line of the install CD"

2) Also add this to the CD's syslinux files (e.g. where you hit F3 or whatever
on the install CD and it tells you options).

3) Anaconda would need a small unobtrusive patchlet which sees that selinux=0
has been passed to the install (which I think it does already, so it runs
anaconda --disable-selinux or somesuch) and then pass this to grub.conf. The
passing to grub would then mean the user wouldn't have to do any post-install
configuration either.

*WIN* *WIN* *WIN* everyone.  :)

Thanks.

Comment 1 Jeremy Katz 2008-07-07 19:26:23 UTC
You can already boot with 'selinux=0' and this is even already documented in the
command-line.txt document included with the anaconda package (And linked to on
the wiki)

And this has been the case since the first bits of SELinux support were added
about four years ago.

Comment 2 Jeff Moe (jebba) 2008-07-07 21:20:11 UTC
You can boot with selinux=0, but unless I'm mistaken this does not get passed on
to the installed system (hence the previous need for a dialog box).

Comment 3 Jeremy Katz 2008-07-07 21:43:38 UTC
If you install with selinux=0, we ensure that disabled gets set in
/etc/selinux/config.

Comment 4 Jeff Moe (jebba) 2008-07-07 22:43:21 UTC
Ok, I just tested this with a stock fedora 9 installation--I believe it's the
same for rawhide. If you pass selinux=0 to the CD boot: line it does *not* get
passed to grub in the final install.


It gets disabled in /etc/selinux/config, which is like passing noselinux to
anaconda, but it doesn't get passed to grub.conf. They do have different behavior.

Concisely:
user does:   boot: selinux=0
anaconda: anaconda.id.bootloader.args.append("selinux=0")
grub then has:  selinux=0


Then if any user ever mentions it on fedora-devel again, just say "install with
selinux=0 and it will *completely* disable it".  Everybody happy. :)


Note You need to log in before you can comment on or make changes to this bug.