Generally, I would appreciate if the proposal was more readable to casual Fedora user/developer. I don't think there is clearly described the current state and what is going to be changed. Also, there is a lot of unclear terminology, e.g. I don't have idea what are "LSM hooks". "Migrate users to using ''selinux=0''" probably refers to kernel command line, but why it is not mentioned in the summary. Thanks Vít Dne 08. 09. 20 v 17:28 Ben Cotton napsal(a): > https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable > > == Summary == > Remove support for SELinux runtime disable so that the LSM hooks can > be hardened via read-only-after-initialization protections. > > Migrate users to using ''selinux=0'' if they want to disable SELinux. > > == Owner == > * Name: [[User:plautrba| Petr Lautrbach]] > * Email: plautrba@xxxxxxxxxx > * Name: [[User:omos| Ondrej Mosnacek]] > * Email: omosnace@xxxxxxxxxx > > > == Detailed Description == > Support for SELinux runtime disable via ''/etc/selinux/config'' was > originally developed to make it easier for Linux distributions to > support architectures where adding parameters to the kernel command > line was difficult. > Unfortunately, supporting runtime disable meant we had to make some > security trade-offs when it comes to the kernel LSM hooks. > > Marking the kernel LSM hooks as read only provides some very nice > security benefits, but it does mean that we can no longer disable > SELinux at runtime. > Toggling between enforcing and permissive mode while booted will > remain unaffected and it will still be possible to disable SELinux by > adding ''selinux=0'' to the kernel command line via the boot loader > (GRUB). > > System with ''SELINUX=disabled'' in ''/etc/selinux/config'' will come > up with ''/sys/fs/selinuxfs'' unmounted, > userspace will detect SELinux as disabled. Internally SELinux will be > enabled but not initialized so that there will be no SELinux checks > applied. > > NOTE: Runtime disable is considered deprecated by upstream, and using > it will become increasingly painful (e.g. sleeping/blocking) through > future kernel releases until eventually it is removed completely. > Current kernel reports the following message during runtime disable: > ''SELinux: Runtime disable is deprecated, use selinux=0 on the kernel > cmdline'' > > Additional info: > > * https://lwn.net/Articles/666550 > * https://lore.kernel.org/selinux/159110207843.57260.5661475689740939480.stgit@chester/ > * https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t > > == Benefit to Fedora == > Marking the LSM hooks as read-only provides extra security hardening > against certain attacks, e.g. in case an attacker gains ability to > write to random kernel memory locations, with support for disable > SELinux runtime (''CONFIG_SECURITY_SELINUX_DISABLE=y'') they have a > bigger chance to turn off (parts of) SELinux permission checking. > > == Scope == > * Proposal owners: > ** Make sure the kernel is built with > ''CONFIG_SECURITY_SELINUX_DISABLE'' disabled. > ** Make sure the relevant documentation is updated in a way that > ''selinux=0'' on kernel command line is the preferred way to disable > SELinux. > *** https://docs.fedoraproject.org/en-US/quick-docs/changing-selinux-states-and-modes/ > *** ''selinux(8)'' man page > ** Make sure [https://github.com/rhinstaller/anaconda/ the installer] > uses the kernel command line instead of ''/etc/selinux/config'' to > disable SELinux. > ** Optional: [https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/selinux.py > ''selinux'' Ansible module] should warn that SELinux needs to be > disabled using ''selinux=0''. > ** Optional: [https://github.com/linux-system-roles/selinux > linux-system-roles.selinux] should disable SELinux using > ''selinux=0''. > > * Other developers: N/A > * Release engineering: https://pagure.io/releng/issue/9742 > * Policies and guidelines: N/A > * Trademark approval: N/A (not needed for this Change) > > > == Upgrade/compatibility impact == > Users should not be directly affected by this change. > > == How To Test == > # Install a kernel built with ''CONFIG_SECURITY_SELINUX_DISABLE'' > disabled, e.g. from > https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/. > # Confirm that SELinux is disabled when ''selinux=0'' is used on > kernel command line. > # Confirm that userspace considers SELinux disabled when > ''SELINUX=disabled'' is used in ''/etc/selinux/config''. > # Confirm that userspace considers SELinux disabled when there is no > ''/etc/selinux/config''. > # Confirm that the system works as expected in all previous cases. > > == User Experience == > There's no visible change for users with SELinux enabled. > > Users with ''SELINUX=disabled'' in ''/etc/selinux/config'' and without > ''selinux=0'' on kernel command line might notice that `ps Z` command > uses ''kernel'' domain for processes, while with ''selinux=0'' `ps Z` > prints '-'. > These users will also be able to load SELinux policy after boot. > > == Dependencies == > Upstream kernel SELinux subsystem waits for this change in order to > remove CONFIG_SECURITY_SELINUX_DISABLE functionality - > https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t > > == Contingency Plan == > * Contingency mechanism: Revert the kernel build option change and > build kernel with ''CONFIG_SECURITY_SELINUX_DISABLE=y'' > * Contingency deadline: Beta freeze > * Blocks release? No > > > == Documentation == > TBD > > == Release Notes == > TBD > _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
