From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Petr Lautrbach <plautrba@redhat.com>
Cc: SElinux list <selinux@vger.kernel.org>,
Ondrej Mosnacek <omosnace@redhat.com>,
Paul Moore <paul@paul-moore.com>
Subject: Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort
Date: Wed, 19 Aug 2020 15:16:34 -0400 [thread overview]
Message-ID: <CAEjxPJ6Kw8i_z_i2Y0A3HcK23DMoazWUZxMtNa7ErQv_bjm=QQ@mail.gmail.com> (raw)
In-Reply-To: <CAEjxPJ54j6PD6oBMWj7wOVskJuUY=BLpMCkdmmqwrP1DGJ0VqA@mail.gmail.com>
On Wed, Aug 19, 2020 at 3:07 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@redhat.com> wrote:
> > I've used kernel built without CONFIG_SECURITY_SELINUX_DISABLE from Ondrej's COPR
> > https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/ and tried few
> > scenarios:
> >
> > 1. selinux=0 on kernel command line
> >
> > everything works as expected
> >
> > 2. SELINUX=disabled in /etc/selinux/config
> >
> > system boots, userspace considers SELinux disabled, /sys/fs/selinux is not
> > mounted. The only noticeable change
> > is in process list:
> >
> > $ ps Z
> > LABEL PID TTY STAT TIME COMMAND
> > kernel 552 pts/0 Ss 0:00 -bash
> > kernel 574 pts/0 R+ 0:00 ps Z
>
> Hmm...is ps checking is_selinux_enabled()? Or just always reading
> /proc/pid/attr/current (or calling getpidcon(3))? Under what
> conditions was it displaying "-" here before?
>
> > If I get it right, SELinux is enabled but it's not initialized and SELinux
> > checks are not processed - always return 0 as allowed. So there should be no
> > real externally visible difference between selinux=0 and SELINUX=disabled
>
> There are some corner cases currently, e.g. you can't remove the
> security.selinux xattr if SELinux is enabled currently, and there are
> various hardcoded error cases in the SELinux hook functions that could
> potentially occur. Beyond that there is the memory and runtime
> overhead. Getting people to start using selinux=0 if they want to
> disable SELinux is definitely preferable.
We could try to eliminate those error cases by checking early for
selinux_initialized(state) in more of the hooks and bailing
immediately with success in that case, but we'd have to go through and
identify where we need that.
>
> > 3. no /etc/selinux/config
> >
> > SELinux is disabled in userspace but /sys/fs/selinux in mounted. It's due to
> > check in libselinux which doesn't umount /sys/fs/selinux when there's no config
> > file. Maybe this could be improved.
>
> Yes, we should fix that.
>
> > So I my findings are correct, it should be quite straight and easy change for
> > the distribution. Even though userspace tools like anaconda and ansible still
> > uses /etc/selinux/config to disable SELinux, it will have similar effect as
> > selinux=0. But it doesn't mean we will not try to change them to set selinux=0.
> >
> >
> > So I've started to compose Fedora Change proposal
> >
> > https://fedoraproject.org/wiki/SELinux/Changes/Disable_CONFIG_SECURITY_SELINUX_DISABLE
> >
> > It's not complete yet, but I believe it contains basic information. I'd
> > appreciate if you can help me with text, phrases and references so that it would
> > be easy to sell it as security feature to Fedora community :)
>
> I'd simplify the Summary to be something like "Remove support for
> SELinux runtime disable so that the LSM hooks can be hardened via
> read-only-after-initialization protections. Migrate users to using
> selinux=0 if they want to disable SELinux."
next prev parent reply other threads:[~2020-08-19 19:16 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-02 12:47 [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort Paul Moore
2020-06-02 12:49 ` Paul Moore
2020-06-04 14:49 ` Stephen Smalley
2020-06-08 21:35 ` Paul Moore
2020-06-08 22:13 ` Stephen Smalley
2020-06-08 22:56 ` William Roberts
2020-06-10 14:03 ` Stephen Smalley
2020-06-10 14:11 ` Stephen Smalley
2020-06-11 13:29 ` Ondrej Mosnacek
2020-06-12 19:28 ` Paul Moore
2020-08-19 17:14 ` Petr Lautrbach
2020-08-19 19:07 ` Stephen Smalley
2020-08-19 19:16 ` Stephen Smalley [this message]
2020-08-20 15:41 ` Casey Schaufler
2020-08-20 16:58 ` Stephen Smalley
2020-08-20 20:31 ` Petr Lautrbach
2020-09-10 11:39 ` Ondrej Mosnacek
2020-09-10 12:33 ` Stephen Smalley
2020-09-23 18:32 ` Paul Moore
2020-09-24 23:42 ` Stephen Smalley
2020-09-10 13:31 ` Stephen Smalley
2020-09-10 14:36 ` Stephen Smalley
2020-09-10 14:54 ` Stephen Smalley
2020-06-12 19:00 ` Paul Moore
2020-06-12 18:56 ` Paul Moore
2022-03-01 22:53 Paul Moore
2022-03-01 22:57 ` Paul Moore
2022-03-01 23:02 ` Casey Schaufler
2022-04-04 20:23 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEjxPJ6Kw8i_z_i2Y0A3HcK23DMoazWUZxMtNa7ErQv_bjm=QQ@mail.gmail.com' \
--to=stephen.smalley.work@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=plautrba@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).