On Wed, Sep 09, 2020 at 10:24:00AM +0200, Vít Ondruch wrote:
> Generally, I would appreciate if the proposal was more readable to a
> casual Fedora user/developer. I don't think the current state and what
> is going to be changed are clearly described. Also, there is a lot
> of unclear terminology, e.g. I have no idea what "LSM hooks" are.
> "Migrate users to using ''selinux=0''" probably refers to the kernel
> command line, but why is it not mentioned in the summary?
>

I've updated the page to:
- provide links which should describe LSM hooks and
  read-only-after-initialization protection.
- be more descriptive about the current state and the change

https://fedoraproject.org/w/index.php?title=Changes%2FRemove_Support_For_SELinux_Runtime_Disable&type=revision&diff=587708&oldid=587533

Thanks!

Petr

>
>
> On 08. 09. 20 at 17:28, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
> >
> > == Summary ==
> > Remove support for SELinux runtime disable so that the LSM hooks can
> > be hardened via read-only-after-initialization protections.
> >
> > Migrate users to using ''selinux=0'' if they want to disable SELinux.
> >
> > == Owner ==
> > * Name: [[User:plautrba| Petr Lautrbach]]
> > * Email: plautrba@xxxxxxxxxx
> > * Name: [[User:omos| Ondrej Mosnacek]]
> > * Email: omosnace@xxxxxxxxxx
> >
> >
> > == Detailed Description ==
> > Support for SELinux runtime disable via ''/etc/selinux/config'' was
> > originally developed to make it easier for Linux distributions to
> > support architectures where adding parameters to the kernel command
> > line was difficult.
> > Unfortunately, supporting runtime disable meant we had to make some
> > security trade-offs when it comes to the kernel LSM hooks.
> >
> > Marking the kernel LSM hooks as read-only provides some very nice
> > security benefits, but it does mean that we can no longer disable
> > SELinux at runtime.
> > Toggling between enforcing and permissive mode while booted will
> > remain unaffected, and it will still be possible to disable SELinux by
> > adding ''selinux=0'' to the kernel command line via the boot loader
> > (GRUB).
> >
> > Systems with ''SELINUX=disabled'' in ''/etc/selinux/config'' will come
> > up with ''/sys/fs/selinuxfs'' unmounted, and
> > userspace will detect SELinux as disabled. Internally SELinux will be
> > enabled but not initialized, so that no SELinux checks will be
> > applied.
> >
> > NOTE: Runtime disable is considered deprecated by upstream, and using
> > it will become increasingly painful (e.g. sleeping/blocking) through
> > future kernel releases until eventually it is removed completely.
> > The current kernel reports the following message during runtime disable:
> > ''SELinux: Runtime disable is deprecated, use selinux=0 on the kernel
> > cmdline''
> >
> > Additional info:
> >
> > * https://lwn.net/Articles/666550
> > * https://lore.kernel.org/selinux/159110207843.57260.5661475689740939480.stgit@chester/
> > * https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t
> >
> > == Benefit to Fedora ==
> > Marking the LSM hooks as read-only provides extra security hardening
> > against certain attacks, e.g. in case an attacker gains the ability to
> > write to random kernel memory locations: with support for disabling
> > SELinux at runtime (''CONFIG_SECURITY_SELINUX_DISABLE=y'') they have a
> > bigger chance to turn off (parts of) SELinux permission checking.
> >
> > == Scope ==
> > * Proposal owners:
> > ** Make sure the kernel is built with
> > ''CONFIG_SECURITY_SELINUX_DISABLE'' disabled.
> > ** Make sure the relevant documentation is updated in a way that
> > ''selinux=0'' on the kernel command line is the preferred way to disable
> > SELinux.
> > *** https://docs.fedoraproject.org/en-US/quick-docs/changing-selinux-states-and-modes/
> > *** ''selinux(8)'' man page
> > ** Make sure [https://github.com/rhinstaller/anaconda/ the installer]
> > uses the kernel command line instead of ''/etc/selinux/config'' to
> > disable SELinux.
> > ** Optional: [https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/selinux.py
> > ''selinux'' Ansible module] should warn that SELinux needs to be
> > disabled using ''selinux=0''.
> > ** Optional: [https://github.com/linux-system-roles/selinux
> > linux-system-roles.selinux] should disable SELinux using
> > ''selinux=0''.
> >
> > * Other developers: N/A
> > * Release engineering: https://pagure.io/releng/issue/9742
> > * Policies and guidelines: N/A
> > * Trademark approval: N/A (not needed for this Change)
> >
> >
> > == Upgrade/compatibility impact ==
> > Users should not be directly affected by this change.
> >
> > == How To Test ==
> > # Install a kernel built with ''CONFIG_SECURITY_SELINUX_DISABLE''
> > disabled, e.g. from
> > https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/.
> > # Confirm that SELinux is disabled when ''selinux=0'' is used on the
> > kernel command line.
> > # Confirm that userspace considers SELinux disabled when
> > ''SELINUX=disabled'' is used in ''/etc/selinux/config''.
> > # Confirm that userspace considers SELinux disabled when there is no
> > ''/etc/selinux/config''.
> > # Confirm that the system works as expected in all previous cases.
> >
> > == User Experience ==
> > There's no visible change for users with SELinux enabled.
> >
> > Users with ''SELINUX=disabled'' in ''/etc/selinux/config'' and without
> > ''selinux=0'' on the kernel command line might notice that the `ps Z`
> > command shows the ''kernel'' domain for processes, while with
> > ''selinux=0'' `ps Z` prints '-'.
> > These users will also be able to load SELinux policy after boot.
> >
> > == Dependencies ==
> > The upstream kernel SELinux subsystem is waiting for this change in
> > order to remove the CONFIG_SECURITY_SELINUX_DISABLE functionality -
> > https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t
> >
> > == Contingency Plan ==
> > * Contingency mechanism: Revert the kernel build option change and
> > build the kernel with ''CONFIG_SECURITY_SELINUX_DISABLE=y''
> > * Contingency deadline: Beta freeze
> > * Blocks release? No
> >
> >
> > == Documentation ==
> > TBD
> >
> > == Release Notes ==
> > TBD
>
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
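The "How To Test" and "User Experience" sections of the quoted proposal distinguish three ways a system can end up without SELinux checks: ''selinux=0'' on the kernel command line, ''SELINUX=disabled'' in ''/etc/selinux/config'' (the deprecated runtime-disable path, where the kernel keeps SELinux enabled but uninitialized and selinuxfs stays unmounted), and a missing config file. The script below is an added example written for this thread, not code from the proposal, Fedora or libselinux; it classifies a booted system into those cases. The function names, the output labels, the "first uncommented SELINUX= line wins" rule and the treatment of a config file without any SELINUX= line as equivalent to a missing one are this script's own assumptions. Inputs are passed as arguments so the logic can be checked against constructed files; the usage line at the end shows the live-system call.

```shell
#!/bin/sh
# Added example for the Fedora "Remove Support For SELinux Runtime Disable"
# thread; not part of the proposal or of any Fedora tooling. Function names,
# output labels and the config-parsing rule below are this script's assumptions.

# Returns 0 when "selinux=0" appears as a whole word in a kernel command line.
# Whole-word matching avoids false hits on e.g. "selinux=00" or "foo_selinux=0".
selinux_cmdline_disabled() {
    case " $1 " in
        *" selinux=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the SELINUX= value of a config file in lower case (enforcing,
# permissive, disabled), "unset" when no such line exists, or "missing" when
# the file is absent. The first uncommented SELINUX= line wins (assumption of
# this script). "SELINUXTYPE=" lines are not matched because of the "=".
selinux_config_state() {
    cfg=$1
    [ -f "$cfg" ] || { echo missing; return 0; }
    val=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | head -n 1)
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val" | tr 'A-Z' 'a-z'
    fi
}

# Arguments: kernel command line, config path, selinuxfs mount point.
# Prints one of:
#   cmdline-disabled   selinux=0 was booted: SELinux never initializes and
#                      "ps Z" prints '-' (the preferred way per the proposal)
#   enabled:<mode>     selinuxfs is mounted; mode read from its "enforce" node
#   runtime-disabled   no selinux=0, selinuxfs not mounted, config disabled or
#                      missing: the deprecated path, where the kernel has
#                      SELinux enabled but uninitialized ("ps Z" shows the
#                      kernel domain and policy can still be loaded later)
#   inconsistent       selinuxfs not mounted although the config asks for
#                      enforcing/permissive, i.e. policy load failed at boot
selinux_classify() {
    cmdline=$1; cfg=$2; fs=$3
    if selinux_cmdline_disabled "$cmdline"; then
        echo cmdline-disabled
        return 0
    fi
    if [ -r "$fs/enforce" ]; then
        if [ "$(cat "$fs/enforce")" = "1" ]; then
            echo enabled:enforcing
        else
            echo enabled:permissive
        fi
        return 0
    fi
    case "$(selinux_config_state "$cfg")" in
        disabled|missing|unset) echo runtime-disabled ;;
        *) echo inconsistent ;;
    esac
}

# Live-system usage (the real paths the proposal refers to):
#   selinux_classify "$(cat /proc/cmdline)" /etc/selinux/config /sys/fs/selinux
```

Run on a machine booted with ''selinux=0'' this reports cmdline-disabled regardless of what ''/etc/selinux/config'' says, which is exactly the ordering the proposal describes: the kernel parameter wins, and the config file only matters on the deprecated runtime-disable path.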