All of lore.kernel.org
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
	Kees Cook <keescook@chromium.org>,
	Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: James Morris <jmorris@namei.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	Paul Moore <paul@paul-moore.com>,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [kernel-hardening] Re: [RFC PATCH 2/4] security: mark nf ops in SELinux and Smack as __ro_after_init
Date: Mon, 13 Feb 2017 13:32:41 -0800	[thread overview]
Message-ID: <aa5204ef-8d02-efda-1edb-167cbf8d2e4a@schaufler-ca.com> (raw)
In-Reply-To: <1487019833.9569.66.camel@tycho.nsa.gov>

On 2/13/2017 1:03 PM, Stephen Smalley wrote:
> On Mon, 2017-02-13 at 09:29 -0800, Kees Cook wrote:
>> On Mon, Feb 13, 2017 at 3:29 AM, Tetsuo Handa
>> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>> James Morris wrote:
>>>> Both SELinux and Smack register Netfilter operations during init,
>>>> which then don't change.  Mark these ops as __ro_after_init.
>>>>
>>>> Signed-off-by: James Morris <james.l.morris@oracle.com>
>>> This patch breaks CONFIG_SECURITY_SELINUX_DISABLE=y +
>>> SELINUX=disabled in /etc/selinux/config case,
>>> doesn't it? Although I heard that SELinux is planning to remove
>>> CONFIG_SECURITY_SELINUX_DISABLE,
>>> CONFIG_SECURITY_SELINUX_DISABLE is valid as of current linux-
>>> security.git#next .
>> We could fold that removal into this series?
> I'm personally in favor of removing it, but that support was originally
> requested by the Fedora distro folks on the grounds that it is too
> painful to manage kernel boot parameters on some platforms, and
> therefore they needed an alternative to booting with selinux=0 on the
> kernel command line.  The documented way to disable SELinux on such
> distros is through the use of /etc/selinux/config SELINUX=disabled,
> which relies on this mechanism.  So you'd have to work through removal
> with the distro folks.
>
> Maybe in the interim we could just wrap the ro-after-init markings
> under a conditional dependent on !CONFIG_SECURITY_SELINUX_DISABLE so
> that systems (e.g. Android) that do not rely on this feature could
> benefit.

If we changed CONFIG_SECURITY_SELINUX_DISABLE to
CONFIG_SECURITY_DYNAMIC_MODULES and put the __ro_after_init
under !CONFIG_SECURITY_DYNAMIC_MODULES we solve both the
current and potential future issues.
 

> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

  reply	other threads:[~2017-02-13 21:32 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-13  5:33 [kernel-hardening] [RFC PATCH 2/4] security: mark nf ops in SELinux and Smack as __ro_after_init James Morris
2017-02-13 11:29 ` [kernel-hardening] " Tetsuo Handa
2017-02-13 17:29   ` Kees Cook
2017-02-13 21:03     ` Stephen Smalley
2017-02-13 21:32       ` Casey Schaufler [this message]
2017-02-13 21:49         ` Kees Cook
2017-02-13 22:01           ` Casey Schaufler
2017-02-13 22:05           ` [kernel-hardening] Re: [RFC PATCH 2/4] security: mark nf ops inSELinux " Tetsuo Handa
2017-02-13 22:09             ` Kees Cook
2017-02-13 22:15               ` [kernel-hardening] Re: [RFC PATCH 2/4] security: mark nf ops in SELinux " Tetsuo Handa
2017-02-13 22:26         ` James Morris
2017-02-14  1:58           ` Casey Schaufler
2017-02-14  2:46             ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aa5204ef-8d02-efda-1edb-167cbf8d2e4a@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=sds@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.