On Tue, Sep 8, 2020, at 11:28 AM, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable > > == Summary == > Remove support for SELinux runtime disable so that the LSM hooks can > be hardened via read-only-after-initialization protections. > > Migrate users to using ''selinux=0'' if they want to disable SELinux. >
I like the proposal. A few thoughts and questions, though: 1. I think systems with SELINUX=disabled without selinux=0 should hard fail very loudly. I've found certain real-time use cases require SELinux to be disabled to meet the real time guarantees. (Permissive doesn't help because it's a timing issue, not permission issue.) 2. Does this affect resetting the root password with init=/bin/bash and using `/sbin/load_policy -i` to avoid a relabel? 3. Generally, forcing things to be cmdline options would benefit from a generic way to configure and manage them, such as using drop-in snippets. Ideally this would work the same way across BIOS and UEFI systems. It's difficult to programmatically manipulate GRUB_CMDLINE_LINUX, which is the current standard configuration method. Thanks for putting the security-enhancing proposal forward! V/r, James Cassell > == Owner == > * Name: [[User:plautrba| Petr Lautrbach]] > * Email: plaut...@redhat.com > * Name: [[User:omos| Ondrej Mosnacek]] > * Email: omosn...@redhat.com > > > == Detailed Description == > Support for SELinux runtime disable via ''/etc/selinux/config'' was > originally developed to make it easier for Linux distributions to > support architectures where adding parameters to the kernel command > line was difficult. > Unfortunately, supporting runtime disable meant we had to make some > security trade-offs when it comes to the kernel LSM hooks. > > Marking the kernel LSM hooks as read only provides some very nice > security benefits, but it does mean that we can no longer disable > SELinux at runtime. > Toggling between enforcing and permissive mode while booted will > remain unaffected and it will still be possible to disable SELinux by > adding ''selinux=0'' to the kernel command line via the boot loader > (GRUB). > > System with ''SELINUX=disabled'' in ''/etc/selinux/config'' will come > up with ''/sys/fs/selinuxfs'' unmounted, > userspace will detect SELinux as disabled. Internally SELinux will be > enabled but not initialized so that there will be no SELinux checks > applied. > > NOTE: Runtime disable is considered deprecated by upstream, and using > it will become increasingly painful (e.g. sleeping/blocking) through > future kernel releases until eventually it is removed completely. > Current kernel reports the following message during runtime disable: > ''SELinux: Runtime disable is deprecated, use selinux=0 on the kernel > cmdline'' > > Additional info: > > * https://lwn.net/Articles/666550 > * > https://lore.kernel.org/selinux/159110207843.57260.5661475689740939480.stgit@chester/ > * > https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t > > == Benefit to Fedora == > Marking the LSM hooks as read-only provides extra security hardening > against certain attacks, e.g. in case an attacker gains ability to > write to random kernel memory locations, with support for disable > SELinux runtime (''CONFIG_SECURITY_SELINUX_DISABLE=y'') they have a > bigger chance to turn off (parts of) SELinux permission checking. > > == Scope == > * Proposal owners: > ** Make sure the kernel is built with > ''CONFIG_SECURITY_SELINUX_DISABLE'' disabled. > ** Make sure the relevant documentation is updated in a way that > ''selinux=0'' on kernel command line is the preferred way to disable > SELinux. > *** > https://docs.fedoraproject.org/en-US/quick-docs/changing-selinux-states-and-modes/ > *** ''selinux(8)'' man page > ** Make sure [https://github.com/rhinstaller/anaconda/ the installer] > uses the kernel command line instead of ''/etc/selinux/config'' to > disable SELinux. > ** Optional: > [https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/selinux.py > ''selinux'' Ansible module] should warn that SELinux needs to be > disabled using ''selinux=0''. > ** Optional: [https://github.com/linux-system-roles/selinux > linux-system-roles.selinux] should disable SELinux using > ''selinux=0''. > > * Other developers: N/A > * Release engineering: https://pagure.io/releng/issue/9742 > * Policies and guidelines: N/A > * Trademark approval: N/A (not needed for this Change) > > > == Upgrade/compatibility impact == > Users should not be directly affected by this change. > > == How To Test == > # Install a kernel built with ''CONFIG_SECURITY_SELINUX_DISABLE'' > disabled, e.g. from > https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/. > # Confirm that SELinux is disabled when ''selinux=0'' is used on > kernel command line. > # Confirm that userspace considers SELinux disabled when > ''SELINUX=disabled'' is used in ''/etc/selinux/config''. > # Confirm that userspace considers SELinux disabled when there is no > ''/etc/selinux/config''. > # Confirm that the system works as expected in all previous cases. > > == User Experience == > There's no visible change for users with SELinux enabled. > > Users with ''SELINUX=disabled'' in ''/etc/selinux/config'' and without > ''selinux=0'' on kernel command line might notice that `ps Z` command > uses ''kernel'' domain for processes, while with ''selinux=0'' `ps Z` > prints '-'. > These users will also be able to load SELinux policy after boot. > > == Dependencies == > Upstream kernel SELinux subsystem waits for this change in order to > remove CONFIG_SECURITY_SELINUX_DISABLE functionality - > https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t > > == Contingency Plan == > * Contingency mechanism: Revert the kernel build option change and > build kernel with ''CONFIG_SECURITY_SELINUX_DISABLE=y'' > * Contingency deadline: Beta freeze > * Blocks release? No > > > == Documentation == > TBD > > == Release Notes == > TBD > > -- > Ben Cotton > He / Him / His > Senior Program Manager, Fedora & CentOS Stream > Red Hat > TZ=America/Indiana/Indianapolis > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
