Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort

From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Petr Lautrbach <plautrba@redhat.com>
Cc: SElinux list <selinux@vger.kernel.org>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Paul Moore <paul@paul-moore.com>
Subject: Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort
Date: Wed, 19 Aug 2020 15:16:34 -0400	[thread overview]
Message-ID: <CAEjxPJ6Kw8i_z_i2Y0A3HcK23DMoazWUZxMtNa7ErQv_bjm=QQ@mail.gmail.com> (raw)
In-Reply-To: <CAEjxPJ54j6PD6oBMWj7wOVskJuUY=BLpMCkdmmqwrP1DGJ0VqA@mail.gmail.com>

On Wed, Aug 19, 2020 at 3:07 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@redhat.com> wrote:
> > I've used kernel built without CONFIG_SECURITY_SELINUX_DISABLE from Ondrej's COPR
> > https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/ and tried few
> > scenarios:
> >
> > 1. selinux=0 on kernel command line
> >
> > everything works as expected
> >
> > 2. SELINUX=disabled in /etc/selinux/config
> >
> > system boots, userspace considers SELinux disabled, /sys/fs/selinux is not
> > mounted. The only noticeable change
> > is in process list:
> >
> > $ ps Z
> > LABEL                               PID TTY      STAT   TIME COMMAND
> > kernel                              552 pts/0    Ss     0:00 -bash
> > kernel                              574 pts/0    R+     0:00 ps Z
>
> Hmm...is ps checking is_selinux_enabled()?  Or just always reading
> /proc/pid/attr/current (or calling getpidcon(3))?  Under what
> conditions was it displaying "-" here before?
>
> > If I get it right, SELinux is enabled but it's not initialized and SELinux
> > checks are not processed - always return 0 as allowed. So there should be no
> > real externally visible difference between selinux=0 and SELINUX=disabled
>
> There are some corner cases currently, e.g. you can't remove the
> security.selinux xattr if SELinux is enabled currently, and there are
> various hardcoded error cases in the SELinux hook functions that could
> potentially occur.  Beyond that there is the memory and runtime
> overhead.  Getting people to start using selinux=0 if they want to
> disable SELinux is definitely preferable.

We could try to eliminate those error cases by checking early for
selinux_initialized(state) in more of the hooks and bailing
immediately with success in that case, but we'd have to go through and
identify where we need that.

>
> > 3. no /etc/selinux/config
> >
> > SELinux is disabled in userspace but /sys/fs/selinux in mounted. It's due to
> > check in libselinux which doesn't umount /sys/fs/selinux when there's no config
> > file. Maybe this could be improved.
>
> Yes, we should fix that.
>
> > So I my findings are correct, it should be quite straight and easy change for
> > the distribution. Even though userspace tools like anaconda and ansible still
> > uses /etc/selinux/config to disable SELinux, it will have similar effect as
> > selinux=0. But it doesn't mean we will not try to change them to set selinux=0.
> >
> >
> > So I've started to compose Fedora Change proposal
> >
> > https://fedoraproject.org/wiki/SELinux/Changes/Disable_CONFIG_SECURITY_SELINUX_DISABLE
> >
> > It's not complete yet, but I believe it contains basic information. I'd
> > appreciate if you can help me with text, phrases and references so that it would
> > be easy to sell it as security feature to Fedora community :)
>
> I'd simplify the Summary to be something like "Remove support for
> SELinux runtime disable so that the LSM hooks can be hardened via
> read-only-after-initialization protections.  Migrate users to using
> selinux=0 if they want to disable SELinux."