No selinux whatsoever

Shabazian, Chip Chip.Shabazian at bankofamerica.com
Fri Jan 18 16:55:29 UTC 2008


You would be amazed at how much stuff you can remove from your system
and still have it work.  Here is what I did some time ago to get a RHEL
3 build to under 200 packages.

First, build a system as minimal as you know you can.

Next, run:
rpm -qa --qf "%{NAME}\n" > rpms
To get a listing of all the rpm's installed on your system.  I suggest
removing things from this list such as kernel, yum, ssh, and rpm itself
if you want a usable system after you run the next step.

Once you have this "sanitized" list of rpm's, simply remove everything
you can:
for i in `cat rpms`; do rpm -e $i; if [ "$?" -eq 0 ] ; then  echo -e "$i has been removed" >> removed_rpms.txt ; fi; done
Keep running the above until nothing more is removed.  Reboot the system
and make sure it still works.  If it does, and at a minimum you can
install new packages, you can take the list of rpm's in the
removed_rpms.txt file and add them to your %packages section with - so
they don't get installed on new builds.

All of the above could be scripted to just keep running, but I only had
to do it the one time so I didn't bother doing anything more with it.


Chip

-----Original Message-----
From: kickstart-list-bounces at redhat.com
[mailto:kickstart-list-bounces at redhat.com] On Behalf Of Gary Thomas
Sent: Friday, January 18, 2008 8:43 AM
To: Discussion list about Kickstart
Subject: Re: No selinux whatsoever

Michael DeHaan wrote:
> Gary Thomas wrote:
>> I'm trying to use anaconda+kickstart to load up a deeply embedded 
>> platform.  This device will never need nor use selinux, so I want to 
>> figure out how to keep it from ever being installed, whatsoever.
>>
>> How do I make this happen in the kickstart file?
>>
>> Note: this is such a resource limited platform that simply installing
>> the "selinux-policy-targeted" RPM takes around
>> 5 hours!  Hence my desire to never even try.
>>
> 
> Just add "selinux disabled" in your kickstart and it will not be 
> enabled and will not be doing anything.
> 
> There isn't a lot of overhead in terms of extra storage to worry about
> AFAIK.
> 
> The policy shouldn't be being applied if you don't turn selinux on (either
> in enforcing mode or permissive). I could be wrong about this however,
> have you tried disabling SELinux in your kickstart for starters?

Yes. I have "selinux --disabled" in my kickstart and I start anaconda
with "selinux=0" (don't believe the documentation on this one - trust
the code).  It still loads the selinux packages and the loader/anaconda
still tries to do stuff with selinux, e.g.
from my install log:
   12:38:33 WARNING : Failed to create /etc/selinux/config: Read-only file system
   12:38:33 WARNING : Failed to create /etc/selinux/targeted/contexts/customizable_types: Read-only file system
etc.

BTW, my embedded kernel also is tuned for no selinux support, so even if
the packages are installed, nothing happens (they just get in the way
IMO)

I have found that I can simply remove "selinux-policy-targeted"
in my kickstart packages and this makes things much better.

%packages
@base
-selinux-policy-targeted
%end

--
------------------------------------------------------------
Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
------------------------------------------------------------
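
The remove-until-nothing-changes procedure from the top of this message, scripted so it "just keeps running" and then prints the matching %packages exclusions. This is an added example, not part of the original post; ERASE_CMD, KEEP and the function names are assumptions of this example, and the KEEP names are the ones the message mentions rather than exact package names.

```shell
#!/bin/sh
# Added example: iterate package removal to a fixed point, then emit
# kickstart exclusions. ERASE_CMD and KEEP are assumptions of this example.
ERASE_CMD=${ERASE_CMD:-"rpm -e"}      # command that removes one package
KEEP=${KEEP:-"kernel yum ssh rpm"}    # never offered for removal; adjust to real names

# is_kept NAME -> status 0 if NAME is on the protected list
is_kept() {
    for k in $KEEP; do [ "$k" = "$1" ] && return 0; done
    return 1
}

# prune CANDIDATES REMOVED: try every candidate, and repeat until a full
# pass removes nothing. Removed names are written to REMOVED, one per line.
prune() {
    candidates=$1 removed=$2
    : > "$removed"
    todo=$(mktemp) next=$(mktemp)
    while read -r p; do is_kept "$p" || echo "$p"; done < "$candidates" > "$todo"
    progress=1
    while [ "$progress" -eq 1 ]; do
        progress=0
        : > "$next"
        while read -r p; do
            if $ERASE_CMD "$p" </dev/null >/dev/null 2>&1; then
                echo "$p" >> "$removed"; progress=1
            else
                echo "$p" >> "$next"  # still required by something; retry next pass
            fi
        done < "$todo"
        cp "$next" "$todo"
    done
    rm -f "$todo" "$next"
}

# ks_packages REMOVED: print a %packages section excluding the removed names
ks_packages() {
    echo "%packages"
    echo "@base"
    sed 's/^/-/' "$1"
    echo "%end"
}
```

Typical use on a scratch build: `prune rpms removed_rpms.txt`, reboot and verify the system, then `ks_packages removed_rpms.txt`.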
