Re: F34 Change proposal: Remove support for SELinux runtime disable (System-Wide Change)

On Thu, Sep 10, 2020 at 11:18 AM Tom Hughes via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 10/09/2020 09:44, Richard Hughes wrote:
> > On Tue, 8 Sep 2020 at 16:29, Ben Cotton <bcotton@xxxxxxxxxx> wrote:
> >> NOTE: Runtime disable is considered deprecated by upstream, and using
> >> it will become increasingly painful (e.g. sleeping/blocking) through
> >> future kernel releases until eventually it is removed completely.
> >
> > Speaking from personal experience, I've wasted days over the last
> > decade trying to debug a locally installed system service that was not
> > working where there were no messages in any of the logs (e.g. no AVCs)
> > -- and turning off selinux at runtime magically fixed the problem.
>
> Some selinux rules are marked to not generate AVCs...

Yes, these are called "dontaudit" rules. They are used for when the
impact of a failed access check doesn't prevent the application from
functioning and we don't want to allow that access vector (e.g. when
the application just checks to see if it can do some privileged
operation and if not, it continues with some fallback). Unfortunately,
it can happen sometimes that such a rule hides some denial that
actually does break something.

They can be temporarily disabled by running `semodule -DB` and then
re-enabled again with `semodule -B`.

>
> > Whilst I'm of course in favour of fixing the lockdown issue, would it
> > also be fair to say that any selinux regression not triggering an AVC
> > (which is fixed using selinux=0) would block this kind of proposal?
>
> Did "setenforce 0" also fix it?

If the issue is in (or rather hidden by) the dontaudit rules, then
"setenforce 0" should indeed make it work as well.

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
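The diagnostic loop described above (rebuild the policy with `semodule -DB`, reproduce the failure, read the AVCs that were previously hidden, restore with `semodule -B`) as an added shell example. This is not code from the list message or from the SELinux project: the wrapper function and the AVC summariser are my own, the `myservice` unit and the sample audit records are constructed, and the live part assumes root plus `semodule` and `ausearch` from policycoreutils/audit. The summariser also reports the `permissive=` flag, which is how you tell a denial that actually blocked an access from one merely logged under `setenforce 0`.

```shell
#!/bin/sh
# Added example, not code from the list thread. Two helpers for the
# workflow described in the message: temporarily disable dontaudit rules
# around a reproduction, then summarise the AVC denials the kernel logged.
# The live part requires root plus policycoreutils/audit.

# Run "$@" with dontaudit rules disabled, then rebuild the policy with
# them enabled again even if the command fails or is interrupted.
run_with_dontaudit_disabled() {
    semodule -DB || return 1                 # rebuild policy without dontaudit rules
    trap 'semodule -B; exit 130' INT TERM    # restore the normal policy on Ctrl-C
    rc=0
    "$@" || rc=$?
    semodule -B                              # restore the normal policy
    trap - INT TERM
    return "$rc"
}

# Read audit records on stdin (e.g. from `ausearch -m AVC -ts recent`) and
# print one line per distinct denial:
#   <count> <source type> <target type> <class> <permissions> <enforced|permissive>
# The last column shows whether the denial actually blocked the access;
# under "setenforce 0" the kernel logs it with permissive=1 and allows it.
summarize_avcs() {
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforced"
        if (match($0, /denied +[{] *[^}]* *[}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] */, "", perm)
            sub(/ *[}]$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)         { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/)    { split(substr($i, 10), a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)      { cls = substr($i, 8) }
            else if ($i == "permissive=1") { mode = "permissive" }
        }
        count[src " " tgt " " cls " " perm " " mode]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Constructed sample records standing in for real ausearch output:
# two enforced file reads plus one capability check logged in permissive mode.
SAMPLE_AVCS='type=AVC msg=audit(1599735600.123:456): avc:  denied  { read } for  pid=1234 comm="myservice" name="app.conf" dev="dm-0" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599735601.456:457): avc:  denied  { read } for  pid=1234 comm="myservice" name="app.conf" dev="dm-0" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599735602.789:458): avc:  denied  { net_admin } for  pid=1234 comm="myservice" capability=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=1'

# Usage on a real box (not run here; "myservice" is a hypothetical unit):
#   run_with_dontaudit_disabled systemctl restart myservice.service
#   ausearch -m AVC -ts recent | summarize_avcs
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

On the constructed input the summariser prints `2 init_t etc_t file read enforced` and `1 init_t init_t capability net_admin permissive`; on a live system you would feed it the `ausearch` output collected while the wrapper had dontaudit rules disabled, and only the `enforced` lines are candidates for the breakage the message describes.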