I've been fighting with this one for a bit and it seems that there has been a regression in CentOS 6 as far as anaconda ignoring the selinux --disabled
directive. This appears to have first appeared in RHEL 4.8, and then re-appeared in RHEL 5.6.
Now with the previous releases you would just add the sed statement to your %post
directive to disable it.
sed -i -e 's/\(^SELINUX=\).*$/\1permissive/' /etc/selinux/config
The problem I'm running into is that, new in RHEL/CentOS 6, the installer sets SELinux file system attributes by default, so you now have to go and clear those as well.
I tried running the following command to strip those attributes in my %post
section, but it does not have any effect.
find . -exec setfattr -x security.selinux {} \;
My kickstart file is below in case you find it helpful:
#version=RHEL6
install
url --url=http://ny-man01.ds.stackexchange.com/centos/6/os/x86_64
lang en_US.UTF-8
keyboard us
%include /tmp/nic-include
rootpw --iscrypted <mmm no you don't even get the encrypted version>
firewall --service=ssh,ntp,snmp
authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enablekrb5
selinux --disabled
timezone --utc Etc/UTC
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --initlabel --drives=sda
part /boot --fstype=ext4 --size=500
part pv.M3dTcp-jomG-l0xc-Zl3I-wqR1-Gcwz-14jidB --grow --size=1
volgroup vg_test --pesize=4096 pv.M3dTcp-jomG-l0xc-Zl3I-wqR1-Gcwz-14jidB
logvol / --fstype=ext4 --name=lv_root --vgname=vg_test --grow --size=1024 --maxsize=51200
logvol swap --name=lv_swap --vgname=vg_test --grow --size=1024 --maxsize=6016
services --enabled ntpd,snmpd,puppet
reboot
repo --name="CentOS" --baseurl=http://ny-man01.ds.stackexchange.com/centos/6/os/x86_64/ --cost=100
repo --name="EPEL6" --baseurl=http://ny-man01.ds.stackexchange.com/epel/6/x86_64/
repo --name="SEI" --baseurl=http://ny-man01.ds.stackexchange.com/sei/
%packages
@base
@core
@hardware-monitoring
@perl-runtime
@server-policy
@system-admin-tools
pam_krb5
sgpio
perl-DBD-SQLite
epel-release-6-5
net-snmp
ntp
mercurial
puppet
%end
%pre
echo "# auto generated nic setup" > /tmp/nic-include
echo "# `grep eth /proc/net/dev | cut -d: -f1 | cut -d' ' -f3` " >> /tmp/nic-include
for nic in `grep eth /proc/net/dev | cut -d: -f1 | cut -d' ' -f3`
do
    if [ "$nic" = "eth0" ]
    then
        echo "network --device $nic --bootproto dhcp " >> /tmp/nic-include
    else
        echo "network --device $nic --onboot no --bootproto dhcp" >> /tmp/nic-include
    fi
done
%end
%post --log /root/ks-post.log
#sed -i -e 's/\(^SELINUX=\).*$/\1disabled/' /etc/selinux/config
#find / -exec setfattr -x security.selinux {} \;
wget -O- http://10.7.0.50/kickstart/generic-configs/get_files.sh | /bin/bash
cp /tmp/nic-include /root/
%end
The CentOS 6 installer loads the policies in permissive mode by default (which I confirmed by running dmesg during the installation). That meant by the post installation step, SELinux is already active. As long as it is running, it doesn't look like you can remove the attributes.
You will have to pass the following someplace prior to the start of the installation (right at the end of the kernel line in the boot loader):
So something like this:
Here is what happens when you attempt to remove the attributes while in permissive mode (forgive the formatting, SF appears to be unhappy):
With selinux disabled from grub at boot time:
Based on this as well as this bug report, this probably means you won't be able to remove the attributes in the post install. So as I outlined, you'll need to disable selinux prior to booting up the installation.
(or you can just leave it alone and learn to live with it. :) ).
The 'root cause' of the issue is that Anaconda applies the SELinux attributes during the kickstart process (such that any 'post-install' disabling is too late).
I have placed the disabling methods in the host configuration files (actually, they were always there):
BUT, also added the 'selinux=0' string to the PXE boot file:
After rebuilding the system, all of the 'dot' notations were gone!!!
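Both answers rest on the same precedence rule: whatever the kickstart's selinux --disabled line or /etc/selinux/config says, the installer kernel decides the mode at boot, and only selinux=0 on the kernel line leaves the system in a state where security.selinux attributes can be removed in %post. The helper below is an added example, not code from the question or from either answer; the PXE line, the config text and the ks= URL in it are constructed values, and treating an absent SELINUX= line as enforcing is an assumption made for the example.

```sh
#!/bin/sh
# Added example (not the question's kickstart nor either answer's code):
# models the precedence both answers rely on, namely that "selinux=0" on
# the kernel command line wins over whatever /etc/selinux/config says,
# and that the security.selinux xattr can only be stripped when SELinux is
# actually disabled for the running kernel. All inputs are constructed
# strings; nothing on the real system is read.

# effective_selinux_mode CMDLINE CONFIG_TEXT
#   Prints the mode the kernel actually runs in: disabled, permissive
#   or enforcing.
effective_selinux_mode() {
    cmdline=$1
    config=$2

    # selinux=0 turns the LSM off before init; the installed tree cannot
    # re-enable it for this boot, so the config file is irrelevant.
    case " $cmdline " in
        *" selinux=0 "*) echo disabled; return 0 ;;
    esac

    # Otherwise take SELINUX= from the config text. An absent line is
    # treated as enforcing here (assumption made for this example).
    mode=$(printf '%s\n' "$config" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | head -n 1)
    [ -n "$mode" ] || mode=enforcing

    # enforcing=0 on the kernel line only downgrades enforcing to permissive;
    # it does not disable SELinux, so the xattrs still cannot be removed.
    case " $cmdline " in
        *" enforcing=0 "*)
            if [ "$mode" = enforcing ]; then mode=permissive; fi ;;
    esac
    echo "$mode"
}

# can_strip_selinux_xattrs CMDLINE CONFIG_TEXT
#   Succeeds (exit 0) only when "setfattr -x security.selinux" in %post can
#   work, i.e. when the installer kernel booted with SELinux disabled.
can_strip_selinux_xattrs() {
    [ "$(effective_selinux_mode "$1" "$2")" = disabled ]
}

# append_selinux0 LINE
#   Returns a pxelinux "append ..." (or grub "kernel ...") line with
#   selinux=0 added exactly once, which is what the second answer did to
#   its PXE boot file.
append_selinux0() {
    case " $1 " in
        *" selinux=0 "*) printf '%s\n' "$1" ;;
        *) printf '%s selinux=0\n' "$1" ;;
    esac
}

# Stand-alone demonstration with a constructed PXE line and config text.
pxe_line='append initrd=initrd.img ks=http://ks.example/generic.cfg'
anaconda_cfg='SELINUX=permissive
SELINUXTYPE=targeted'
printf 'installer mode without selinux=0: %s\n' \
    "$(effective_selinux_mode "${pxe_line#append }" "$anaconda_cfg")"
fixed_line=$(append_selinux0 "$pxe_line")
printf 'fixed PXE line: %s\n' "$fixed_line"
printf 'installer mode with selinux=0:    %s\n' \
    "$(effective_selinux_mode "${fixed_line#append }" "$anaconda_cfg")"
```

Run it as-is to see the constructed PXE line before and after the fix; in a kickstart %post you would call can_strip_selinux_xattrs with the contents of /proc/cmdline and /etc/selinux/config and skip the find/setfattr loop when it fails, rather than letting it run to no effect as in the question.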