“selinux –disabled” In Kickstart File Does NOT Disable SELINUX

Home » CentOS » “selinux –disabled” In Kickstart File Does NOT Disable SELINUX

May 25, 2015 Charlie Brune CentOS 7 Comments

Has the “selinux –disabled” line for kickstart files been depreciated?

My CentOS 6.6 kickstart file contains the line:

selinux –disabled After the install completes, SELinux is enabled instead of disabled.

/etc/selinux/config contains “SELINUX=enforcing” instead of “SELINUX=disabled”.

Thanks,

Charlie

7 thoughts on - “selinux –disabled” In Kickstart File Does NOT Disable SELINUX

Rob Kampen says:

May 25, 2015 at 9:40 pm

I believe this has been the default since at least 6.1 – the version I
installed on my workstation about three years ago. It came up at first reboot with selinux enforcing. Unlike CentOS 5.x where I used selinux in permissive mode only, I have found 6.x seems to work just fine with enforcing mode provided one sets and uses the appropriate selinux booleans that are in place for the packages and work scenario that one needs. As far as I recall, I have only had one or two situations where I’ve had to follow the the audittoallow instructions.
Andrew Holway says:

May 26, 2015 at 12:49 am

To set selinux to permissive or disabled mode during a kickstart installation, add the sed -i -e ‘s/$^SELINUX=$.*$/\1permissive/’
/etc/selinux/config command to the %post section of the kickstart file. Making sure to replace “permissive” with the required selinux mode.

— https://bugzilla.redhat.com/show_bug.cgi?idC5300
Jeremy Hoel says:

May 26, 2015 at 12:56 am

If the decision was made around the 4.8 time period to not fix the problem, why in v6 is it still listed in the manual as being a valid option?
Andrew Holway says:

May 26, 2015 at 1:36 am

Which manual?

This could actually be the root of the issue.

https://bugs.CentOS.org/view.php?idy10
Jeremy Hoel says:

May 26, 2015 at 2:32 am

Upstream lists it here –
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html

So based on that, it would be assumed it would also work on CentOS.
Johnny Hughes says:

May 26, 2015 at 6:04 am

This is indeed the issue, and it is an upstream (Red Hat) bug .. but I
am not sure they are going to fix it, or when:

https://bugzilla.redhat.com/show_bug.cgi?id=1161682

If you add these packages to your kickstart file, things should work as planned:

authconfig system-config-firewall-base

Thanks, Johnny Hughes
Greg Bailey says:

May 26, 2015 at 8:07 am

Weird. Was curious and tried to reproduce, but even with a minimal 6.6
CD, I have selinux disabled with a kickstart file containing only
“selinux –disabled”.

One other thing I usually do (in cases where I don’t want/need selinux)
is to pass “selinux=0” as a boot argument; that way anaconda won’t run with selinux either and doesn’t set the selinux contexts on files to begin with… Perhaps that would help with the original poster’s issue?

-Greg