From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort
Date: Wed, 10 Jun 2020 10:11:06 -0400 [thread overview]
Message-ID: <CAEjxPJ6KQAc5YmrZNHU=Wr9xZ5+v6o3BYiV4+1NRzpfMhw7BJA@mail.gmail.com> (raw)
In-Reply-To: <CAEjxPJ47H1_PQ1HnJhqV4yWz_u1vvWR=Q6T999Xm92z04OimqQ@mail.gmail.com>
On Wed, Jun 10, 2020 at 10:03 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Mon, Jun 8, 2020 at 6:13 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Mon, Jun 8, 2020 at 5:35 PM Paul Moore <paul@paul-moore.com> wrote:
> > >
> > > On Thu, Jun 4, 2020 at 10:49 AM Stephen Smalley
> > > <stephen.smalley.work@gmail.com> wrote:
> > > > On Tue, Jun 2, 2020 at 8:52 AM Paul Moore <paul@paul-moore.com> wrote:
> > > > > On Tue, Jun 2, 2020 at 8:47 AM Paul Moore <paul@paul-moore.com> wrote:
> > > > > >
> > > > > > We deprecated the SELinux runtime disable functionality in Linux
> > > > > > v5.6, add a five second sleep to anyone using it to help draw their
> > > > > > attention to the deprecation.
> > > > > >
> > > > > > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > > > > > ---
> > > > > > security/selinux/selinuxfs.c | 2 ++
> > > > > > 1 file changed, 2 insertions(+)
> > > > >
> > > > > Warning: while trivial, I've done no testing beyond a quick compile
> > > > > yet. I'm posting this now to see what everyone thinks about starting
> > > > > to make it a bit more painful to use the runtime disable
> > > > > functionality.
> > > >
> > > > I'm concerned about how users will experience and respond to this
> > > > change (and Linus too). Currently SELinux runtime disable is the
> > > > method used by distro installers (at least Fedora/RHEL and
> > > > derivatives) when SELinux-disabled is selected at install time and it
> > > > is the approach documented in distro documentation for how to disable
> > > > SELinux. Hence, we'd be inflicting pain on the end users for what is
> > > > essentially a distro choice.
> > >
> > > I delayed my response in hopes the Fedora folks would also comment,
> > > but I'm not seeing anything.
> > >
> > > All this patch does is start executing on the deprecation path we laid
> > > out when we marked the functionality as deprecated. When we decided
> > > to do this we had buy-in from the Fedora folks (the only ones who
> > > still use this option); if this is a problem for them then I would
> > > like to understand what changed, and why. If it is a matter of this
> > > coming too quickly, that's okay, we can push this out another release
> > > or two. We can even drop the sleep down to a second or two. Both the
> > > timing of introducing the delay, and the length of the delay itself,
> > > aren't important to me; it's the fact that we are adding a delay and
> > > moving forward on the deprecation (just as we said we would).
> > >
> > > What were you envisioning when we marked this as deprecated Stephen?
> > > If not this, what were you thinking we would do?
> >
> > I feel like we've already communicated the fact that it is being
> > deprecated to those who need to know (Fedora maintainers), and we
> > already have it displaying an error message for those who look at
> > kernel logs. So I was fine with just waiting some number of kernel
> > release cycles (not sure what is typical for these kinds of things)
> > and then just changing selinux_write_disable() to just return 0
> > without doing anything and dropping the selinux_disable() code and the
> > config option. I think we'll want it to return 0 rather than an error
> > so that systemd will still unmount selinuxfs and act as if SELinux has
> > been disabled (which in turn will case everything else to act as if
> > SELinux has been disabled). The kernel will be in permissive mode
> > with no policy loaded in that situation, so except for some corner
> > cases everything should just work. That seems the least disruptive
> > path for end users. Distro maintainers will hopefully get around to
> > using selinux=0 instead but that may lag.
>
> I just tested with building a kernel with
> CONFIG_SECURITY_SELINUX_DISABLE=n and setting SELINUX=disabled in
> /etc/selinux/config, and the system came up with selinuxfs unmounted,
> sestatus and friends think SELinux is disabled, but it is enabled just
> permissive with no policy. I double checked the logic in systemd and
> libselinux (selinux_init_load_policy()) and it does handle an error
> return from writing to /sys/fs/selinux/disable gracefully. So I guess
> we can have it return an error without breaking userspace.
Ondrej might want to check that it doesn't break RHEL either but I
wouldn't really expect this to get back-ported to RHEL anyway unless
they want the additional hardening gain from being able to make the
LSM hooks read-only after initialization.
next prev parent reply other threads:[~2020-06-10 14:11 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-02 12:47 [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort Paul Moore
2020-06-02 12:49 ` Paul Moore
2020-06-04 14:49 ` Stephen Smalley
2020-06-08 21:35 ` Paul Moore
2020-06-08 22:13 ` Stephen Smalley
2020-06-08 22:56 ` William Roberts
2020-06-10 14:03 ` Stephen Smalley
2020-06-10 14:11 ` Stephen Smalley [this message]
2020-06-11 13:29 ` Ondrej Mosnacek
2020-06-12 19:28 ` Paul Moore
2020-08-19 17:14 ` Petr Lautrbach
2020-08-19 19:07 ` Stephen Smalley
2020-08-19 19:16 ` Stephen Smalley
2020-08-20 15:41 ` Casey Schaufler
2020-08-20 16:58 ` Stephen Smalley
2020-08-20 20:31 ` Petr Lautrbach
2020-09-10 11:39 ` Ondrej Mosnacek
2020-09-10 12:33 ` Stephen Smalley
2020-09-23 18:32 ` Paul Moore
2020-09-24 23:42 ` Stephen Smalley
2020-09-10 13:31 ` Stephen Smalley
2020-09-10 14:36 ` Stephen Smalley
2020-09-10 14:54 ` Stephen Smalley
2020-06-12 19:00 ` Paul Moore
2020-06-12 18:56 ` Paul Moore
2022-03-01 22:53 Paul Moore
2022-03-01 22:57 ` Paul Moore
2022-03-01 23:02 ` Casey Schaufler
2022-04-04 20:23 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEjxPJ6KQAc5YmrZNHU=Wr9xZ5+v6o3BYiV4+1NRzpfMhw7BJA@mail.gmail.com' \
--to=stephen.smalley.work@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).