F34 Change proposal: Remove support for SELinux runtime disable (System-Wide Change)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

== Summary ==
Remove support for SELinux runtime disable so that the LSM hooks can
be hardened via read-only-after-initialization protections.

Migrate users to using ''selinux=0'' if they want to disable SELinux.

== Owner ==
* Name: [[User:plautrba| Petr Lautrbach]]
* Email: plautrba@xxxxxxxxxx
* Name: [[User:omos| Ondrej Mosnacek]]
* Email: omosnace@xxxxxxxxxx


== Detailed Description ==
Support for SELinux runtime disable via ''/etc/selinux/config'' was
originally developed to make it easier for Linux distributions to
support architectures where adding parameters to the kernel command
line was difficult.
Unfortunately, supporting runtime disable meant we had to make some
security trade-offs when it comes to the kernel LSM hooks.

Marking the kernel LSM hooks as read only provides some very nice
security benefits, but it does mean that we can no longer disable
SELinux at runtime.
Toggling between enforcing and permissive mode while booted will
remain unaffected and it will still be possible to disable SELinux by
adding ''selinux=0'' to the kernel command line via the boot loader
(GRUB).

System with ''SELINUX=disabled'' in ''/etc/selinux/config'' will come
up with ''/sys/fs/selinuxfs'' unmounted,
userspace will detect SELinux as disabled. Internally SELinux will be
enabled but not initialized so that there will be no SELinux checks
applied.

NOTE: Runtime disable is considered deprecated by upstream, and using
it will become increasingly painful (e.g. sleeping/blocking) through
future kernel releases until eventually it is removed completely.
Current kernel reports the following message during runtime disable:
''SELinux:  Runtime disable is deprecated, use selinux=0 on the kernel
cmdline''

Additional info:

* https://lwn.net/Articles/666550
* https://lore.kernel.org/selinux/159110207843.57260.5661475689740939480.stgit@chester/
* https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t

== Benefit to Fedora ==
Marking the LSM hooks as read-only provides extra security hardening
against certain attacks, e.g. in case an attacker gains ability to
write to random kernel memory locations, with support for disable
SELinux runtime (''CONFIG_SECURITY_SELINUX_DISABLE=y'') they have a
bigger chance to turn off (parts of) SELinux permission checking.

== Scope ==
* Proposal owners:
** Make sure the kernel is built with
''CONFIG_SECURITY_SELINUX_DISABLE'' disabled.
** Make sure the relevant documentation is updated in a way that
''selinux=0'' on kernel command line is the preferred way to disable
SELinux.
*** https://docs.fedoraproject.org/en-US/quick-docs/changing-selinux-states-and-modes/
*** ''selinux(8)'' man page
** Make sure [https://github.com/rhinstaller/anaconda/ the installer]
uses the kernel command line instead of ''/etc/selinux/config'' to
disable SELinux.
** Optional: [https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/selinux.py
''selinux'' Ansible module] should warn that SELinux needs to be
disabled using ''selinux=0''.
** Optional: [https://github.com/linux-system-roles/selinux
linux-system-roles.selinux] should disable SELinux using
''selinux=0''.

* Other developers: N/A
* Release engineering: https://pagure.io/releng/issue/9742
* Policies and guidelines: N/A
* Trademark approval: N/A (not needed for this Change)


== Upgrade/compatibility impact ==
Users should not be directly affected by this change.

== How To Test ==
# Install a kernel built with ''CONFIG_SECURITY_SELINUX_DISABLE''
disabled, e.g. from
https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/.
# Confirm that SELinux is disabled when ''selinux=0'' is used on
kernel command line.
# Confirm that userspace considers SELinux disabled when
''SELINUX=disabled'' is used in ''/etc/selinux/config''.
# Confirm that userspace considers SELinux disabled when there is no
''/etc/selinux/config''.
# Confirm that the system works as expected in all previous cases.

== User Experience ==
There's no visible change for users with SELinux enabled.

Users with ''SELINUX=disabled'' in ''/etc/selinux/config'' and without
''selinux=0'' on kernel command line might notice that `ps Z` command
uses ''kernel'' domain for processes, while with ''selinux=0'' `ps Z`
prints '-'.
These users will also be able to load SELinux policy after boot.

== Dependencies ==
Upstream kernel SELinux subsystem waits for this change in order to
remove CONFIG_SECURITY_SELINUX_DISABLE functionality -
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t

== Contingency Plan ==
* Contingency mechanism:  Revert the kernel build option change and
build kernel with ''CONFIG_SECURITY_SELINUX_DISABLE=y''
* Contingency deadline: Beta freeze
* Blocks release? No


== Documentation ==
TBD

== Release Notes ==
TBD

-- 
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux