selinux.vger.kernel.org archive mirror
From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2] selinux: deprecate disabling SELinux and runtime
Date: Tue, 7 Jan 2020 10:28:22 -0500
Message-ID: <CAHC9VhRrCdrb0K-CzxRehDw85cMHM7SJWeWZQJtr64U8Y1THrQ@mail.gmail.com>
In-Reply-To: <43f27f76-f3ca-7ea2-7820-da56bb53fd0e@tycho.nsa.gov>

On Tue, Jan 7, 2020 at 9:34 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 1/6/20 10:30 PM, Paul Moore wrote:
> > Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality.  The
> > code was originally developed to make it easier for Linux
> > distributions to support architectures where adding parameters to the
> > kernel command line was difficult.  Unfortunately, supporting runtime
> > disable meant we had to make some security trade-offs when it came to
> > the LSM hooks, as documented in the Kconfig help text:
> >
> >    NOTE: selecting this option will disable the '__ro_after_init'
> >    kernel hardening feature for security hooks.   Please consider
> >    using the selinux=0 boot parameter instead of enabling this
> >    option.
> >
> > Fortunately it looks as if the original motivation for the
> > runtime disable functionality is gone, and Fedora/RHEL appears to be
> > the only major distribution enabling this capability at build time
> > so we are now taking steps to remove it entirely from the kernel.
> > The first step is to mark the functionality as deprecated and print
> > an error when it is used (what this patch is doing).  As Fedora/RHEL
> > makes progress in transitioning the distribution away from runtime
> > disable, we will introduce follow-up patches over several kernel
> > releases which will block for increasing periods of time when the
> > runtime disable is used.  Finally we will remove the option entirely
> > once we believe all users have moved to the kernel cmdline approach.
> >
> > Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> > Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> checkpatch.pl has two warnings on this patch, one about the new
> Documentation/ABI/obsolete/sysfs-selinux-disable file not being listed
> in MAINTAINERS (looks like others are) and one about the comment block
> style being wrong.

Fixed.

> Also not entirely sure if the file should be
> sysfs-selinux-disable or selinuxfs-disable; it gets mounted under sysfs
> but isn't part of it per se.  Otherwise, LGTM.

I wondered about that too, but decided the selinuxfs vs sysfs
distinction didn't matter much here as /sys/fs/selinux *looks* like
sysfs to admins/users (outside of the separate mount, but that is
typically handled by the distro's init system).

Anyway, it's merged into selinux/next now.

-- 
paul moore
www.paul-moore.com
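The trade-off described in the commit message is fixed at build time: once CONFIG_SECURITY_SELINUX_DISABLE is compiled in, the LSM hook table is no longer __ro_after_init whether or not anyone ever writes to /sys/fs/selinux/disable. The following audit script is an added example, not code from the patch, the kernel tree or Fedora/RHEL; it classifies a host by reading three files in the formats of the kernel .config, /proc/cmdline and /etc/selinux/config. The assumption that SELINUX=disabled in /etc/selinux/config is what makes the distro's init write to /sys/fs/selinux/disable is mine, not something the message states, and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the patch or the kernel tree: audit whether a
# host still relies on SELinux runtime disable (the deprecated
# /sys/fs/selinux/disable path) or has moved to the selinux=0 boot parameter.
# It reads three files in the formats of the kernel .config, /proc/cmdline and
# /etc/selinux/config, so it runs offline on constructed samples; on a live
# host pass /boot/config-$(uname -r), /proc/cmdline and /etc/selinux/config.

# 0 if the kernel was built with CONFIG_SECURITY_SELINUX_DISABLE, which means
# the LSM hook table lost __ro_after_init and /sys/fs/selinux/disable exists.
runtime_disable_built_in() {
    grep -q '^CONFIG_SECURITY_SELINUX_DISABLE=y$' "$1"
}

# 0 if the boot command line carries exactly the selinux=0 parameter.
cmdline_disables_selinux() {
    for tok in $(cat "$1"); do
        [ "$tok" = "selinux=0" ] && return 0
    done
    return 1
}

# 0 if the userspace config asks init to disable SELinux.  Assumption (not
# stated in the message): with SELINUX=disabled, the distro's init writes to
# /sys/fs/selinux/disable during early boot, i.e. uses the deprecated path.
userspace_config_disables_selinux() {
    grep -q '^SELINUX=disabled$' "$1"
}

# Print one verdict:
#   hardened         option not built in; hooks stay read-only after init
#   cmdline-disable  built in, but selinux=0 is already used; no selinuxfs write
#   runtime-disable  built in and userspace disables SELinux via selinuxfs
#   exposed          built in, SELinux still running, but hooks are writable
selinux_disable_audit() {
    kconfig="$1"; cmdline="$2"; selcfg="$3"
    if ! runtime_disable_built_in "$kconfig"; then
        echo hardened
    elif cmdline_disables_selinux "$cmdline"; then
        echo cmdline-disable
    elif userspace_config_disables_selinux "$selcfg"; then
        echo runtime-disable
    else
        echo exposed
    fi
}

# Constructed samples (not taken from any real host).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'CONFIG_SECURITY_SELINUX=y\nCONFIG_SECURITY_SELINUX_DISABLE=y\n' > "$SAMPLES/config-disable"
printf 'CONFIG_SECURITY_SELINUX=y\n# CONFIG_SECURITY_SELINUX_DISABLE is not set\n' > "$SAMPLES/config-hardened"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$SAMPLES/cmdline-plain"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro selinux=0\n' > "$SAMPLES/cmdline-off"
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$SAMPLES/selinux-disabled"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$SAMPLES/selinux-enforcing"

# A Fedora/RHEL-style host that still disables SELinux through selinuxfs.
selinux_disable_audit "$SAMPLES/config-disable" "$SAMPLES/cmdline-plain" "$SAMPLES/selinux-disabled"
```

The verdict to act on is runtime-disable: that host will hit the deprecation error this patch adds and, in later releases, the boot-time delays, so move it to selinux=0 on the kernel command line. A cmdline-disable or exposed host has already avoided the selinuxfs write, but only a kernel built without the option (hardened) gets the __ro_after_init protection for the hook table back.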

Thread overview:
2020-01-07  3:30 [PATCH v2] selinux: deprecate disabling SELinux and runtime Paul Moore
2020-01-07 14:35 ` Stephen Smalley
2020-01-07 15:28   ` Paul Moore [this message]