SELinux Archive on lore.kernel.org
* Changing selinux enforcing mode at runtime
From: Srivatsa Vaddagiri @ 2019-09-09 17:16 UTC (permalink / raw)
  To: selinux

Hello,
    I wanted to know the behavior when selinux enforcing mode is
changed at runtime via security_setenforce() API. Let's say we boot
with selinux in permissive mode and after bootup we change it to
enforcing mode. My question is related to the tasks that were created
before we enabled enforcing mode. Would their subsequent file
operations fail once selinux is set to enforcing mode (even though the
policy may have been set to allow their access to say a file)?

Thanks!
vatsa

* Re: Changing selinux enforcing mode at runtime
From: Stephen Smalley @ 2019-09-09 20:05 UTC (permalink / raw)
  To: Srivatsa Vaddagiri, selinux

On 9/9/19 1:16 PM, Srivatsa Vaddagiri wrote:
> Hello,
>      I wanted to know the behavior when selinux enforcing mode is
> changed at runtime via security_setenforce() API. Let's say we boot
> with selinux in permissive mode and after bootup we change it to
> enforcing mode. My question is related to the tasks that were created
> before we enabled enforcing mode. Would their subsequent file
> operations fail once selinux is set to enforcing mode (even though the
> policy may have been set to allow their access to say a file)?

No, they would not fail if the operation is allowed by the policy.  In 
fact, this scenario is typical; commonly, the init process e.g. systemd 
performs the initial policy load and switches to enforcing mode. 
Further, you can fully boot a Linux distro e.g. Fedora in permissive 
mode and then switch to enforcing mode, and nothing should fail unless 
denied by policy.

The more complicated scenario is tasks created before initial policy 
load, because those may not be assigned the correct security context. To 
avoid this, the init process is typically responsible for loading policy 
initially and then either re-exec'ing itself or dynamically switching 
its own security context to the right value before proceeding.

* Re: Changing selinux enforcing mode at runtime
From: Srivatsa Vaddagiri @ 2019-09-10 11:04 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

> The more complicated scenario is tasks created before initial policy
> load, because those may not be assigned the correct security context.

I think we may be interested in that case (tasks created before
initial policy load). Would those tasks' operations
fail when subsequently selinux policies are loaded and mode set to enforcing?

- vatsa

* Re: Changing selinux enforcing mode at runtime
From: Stephen Smalley @ 2019-09-10 12:37 UTC (permalink / raw)
  To: Srivatsa Vaddagiri; +Cc: selinux

On 9/10/19 7:04 AM, Srivatsa Vaddagiri wrote:
>> The more complicated scenario is tasks created before initial policy
>> load, because those may not be assigned the correct security context.
> 
> I think we may be interested in that case (tasks created before
> initial policy load). Would those tasks' operations
> fail when subsequently selinux policies are loaded and mode set to enforcing?

Tasks created before initial policy load will be running in the kernel 
SID and hence once policy has loaded they will have the kernel context. 
Thus, they can perform whatever actions are allowed to the kernel 
context in the policy.  In the case of the init process, it switches 
from the kernel context into the init context by either re-exec'ing 
itself after policy load or by dynamically setting its context via 
setcon(3) after policy load.

^ permalink raw reply	[flat|nested] 4+ messages in thread
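
An added example, not part of the original thread: a check to run after policy load that lists userspace tasks still carrying the kernel's context, the case described in the last reply. It reads `/proc/<pid>/attr/current` directly instead of calling libselinux; the type name `kernel_t` (reference policy naming) and all function names are assumptions.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy the type (third ':'-separated field) of a context; 0 on success. */
int context_type(const char *ctx, char *out, size_t outlen)
{
    for (int i = 0; i < 2; i++, ctx++)      /* skip "user:" and "role:" */
        if (!(ctx = strchr(ctx, ':'))) return -1;
    size_t n = strcspn(ctx, ":\n");
    if (n == 0 || n >= outlen) return -1;
    snprintf(out, outlen, "%.*s", (int)n, ctx);
    return 0;
}

/* 1 if a userspace task still has the kernel's type (no re-exec or setcon(3)). */
int stuck_in_kernel_context(const char *ctx, int is_userspace, const char *ktype)
{
    char type[128];
    if (!is_userspace || context_type(ctx, type, sizeof type) != 0) return 0;
    return strcmp(type, ktype) == 0;
}

/* Walk /proc (as root) and report such tasks; returns the count, -1 on error. */
int scan_proc(const char *ktype)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int hits = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char path[300], ctx[512], exe[2];
        if (e->d_name[0] < '1' || e->d_name[0] > '9') continue;  /* PIDs only */
        snprintf(path, sizeof path, "/proc/%s/attr/current", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        if (!fgets(ctx, sizeof ctx, f)) ctx[0] = '\0';
        fclose(f);
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        /* Kernel threads have no exe link and legitimately keep ktype. */
        int user = readlink(path, exe, sizeof exe) > 0;
        if (!stuck_in_kernel_context(ctx, user, ktype)) continue;
        printf("pid %s is still in %s\n", e->d_name, ctx);
        hits++;
    }
    closedir(d);
    return hits;
}
int main(void) { return scan_proc("kernel_t") > 0; }
```

A non-zero exit status means at least one userspace task was started before the initial policy load and never transitioned out of the kernel context.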
