Re: F34 Change proposal: Remove support for SELinux runtime disable (System-Wide Change)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Sep 09, 2020 at 10:24:00AM +0200, Vít Ondruch wrote:
> Generally, I would appreciate if the proposal was more readable to
> casual Fedora user/developer. I don't think there is clearly described
> the current state and what is going to be changed. Also, there is a lot
> of unclear terminology, e.g. I don't have idea what are "LSM hooks".
> "Migrate users to using ''selinux=0''" probably refers to kernel command
> line, but why it is not mentioned in the summary.
> 

I've updated the page to:

- provide links which should descride LSM hooks and read-only-after-initialization protection.
- be more decriptive about the cuurent state and the change


https://fedoraproject.org/w/index.php?title=Changes%2FRemove_Support_For_SELinux_Runtime_Disable&type=revision&diff=587708&oldid=587533

Thanks!

Petr

>
> 
> Dne 08. 09. 20 v 17:28 Ben Cotton napsal(a):
> > https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
> >
> > == Summary ==
> > Remove support for SELinux runtime disable so that the LSM hooks can
> > be hardened via read-only-after-initialization protections.
> >
> > Migrate users to using ''selinux=0'' if they want to disable SELinux.
> >
> > == Owner ==
> > * Name: [[User:plautrba| Petr Lautrbach]]
> > * Email: plautrba@xxxxxxxxxx
> > * Name: [[User:omos| Ondrej Mosnacek]]
> > * Email: omosnace@xxxxxxxxxx
> >
> >
> > == Detailed Description ==
> > Support for SELinux runtime disable via ''/etc/selinux/config'' was
> > originally developed to make it easier for Linux distributions to
> > support architectures where adding parameters to the kernel command
> > line was difficult.
> > Unfortunately, supporting runtime disable meant we had to make some
> > security trade-offs when it comes to the kernel LSM hooks.
> >
> > Marking the kernel LSM hooks as read only provides some very nice
> > security benefits, but it does mean that we can no longer disable
> > SELinux at runtime.
> > Toggling between enforcing and permissive mode while booted will
> > remain unaffected and it will still be possible to disable SELinux by
> > adding ''selinux=0'' to the kernel command line via the boot loader
> > (GRUB).
> >
> > System with ''SELINUX=disabled'' in ''/etc/selinux/config'' will come
> > up with ''/sys/fs/selinuxfs'' unmounted,
> > userspace will detect SELinux as disabled. Internally SELinux will be
> > enabled but not initialized so that there will be no SELinux checks
> > applied.
> >
> > NOTE: Runtime disable is considered deprecated by upstream, and using
> > it will become increasingly painful (e.g. sleeping/blocking) through
> > future kernel releases until eventually it is removed completely.
> > Current kernel reports the following message during runtime disable:
> > ''SELinux:  Runtime disable is deprecated, use selinux=0 on the kernel
> > cmdline''
> >
> > Additional info:
> >
> > * https://lwn.net/Articles/666550
> > * https://lore.kernel.org/selinux/159110207843.57260.5661475689740939480.stgit@chester/
> > * https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t
> >
> > == Benefit to Fedora ==
> > Marking the LSM hooks as read-only provides extra security hardening
> > against certain attacks, e.g. in case an attacker gains ability to
> > write to random kernel memory locations, with support for disable
> > SELinux runtime (''CONFIG_SECURITY_SELINUX_DISABLE=y'') they have a
> > bigger chance to turn off (parts of) SELinux permission checking.
> >
> > == Scope ==
> > * Proposal owners:
> > ** Make sure the kernel is built with
> > ''CONFIG_SECURITY_SELINUX_DISABLE'' disabled.
> > ** Make sure the relevant documentation is updated in a way that
> > ''selinux=0'' on kernel command line is the preferred way to disable
> > SELinux.
> > *** https://docs.fedoraproject.org/en-US/quick-docs/changing-selinux-states-and-modes/
> > *** ''selinux(8)'' man page
> > ** Make sure [https://github.com/rhinstaller/anaconda/ the installer]
> > uses the kernel command line instead of ''/etc/selinux/config'' to
> > disable SELinux.
> > ** Optional: [https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/selinux.py
> > ''selinux'' Ansible module] should warn that SELinux needs to be
> > disabled using ''selinux=0''.
> > ** Optional: [https://github.com/linux-system-roles/selinux
> > linux-system-roles.selinux] should disable SELinux using
> > ''selinux=0''.
> >
> > * Other developers: N/A
> > * Release engineering: https://pagure.io/releng/issue/9742
> > * Policies and guidelines: N/A
> > * Trademark approval: N/A (not needed for this Change)
> >
> >
> > == Upgrade/compatibility impact ==
> > Users should not be directly affected by this change.
> >
> > == How To Test ==
> > # Install a kernel built with ''CONFIG_SECURITY_SELINUX_DISABLE''
> > disabled, e.g. from
> > https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/.
> > # Confirm that SELinux is disabled when ''selinux=0'' is used on
> > kernel command line.
> > # Confirm that userspace considers SELinux disabled when
> > ''SELINUX=disabled'' is used in ''/etc/selinux/config''.
> > # Confirm that userspace considers SELinux disabled when there is no
> > ''/etc/selinux/config''.
> > # Confirm that the system works as expected in all previous cases.
> >
> > == User Experience ==
> > There's no visible change for users with SELinux enabled.
> >
> > Users with ''SELINUX=disabled'' in ''/etc/selinux/config'' and without
> > ''selinux=0'' on kernel command line might notice that `ps Z` command
> > uses ''kernel'' domain for processes, while with ''selinux=0'' `ps Z`
> > prints '-'.
> > These users will also be able to load SELinux policy after boot.
> >
> > == Dependencies ==
> > Upstream kernel SELinux subsystem waits for this change in order to
> > remove CONFIG_SECURITY_SELINUX_DISABLE functionality -
> > https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t
> >
> > == Contingency Plan ==
> > * Contingency mechanism:  Revert the kernel build option change and
> > build kernel with ''CONFIG_SECURITY_SELINUX_DISABLE=y''
> > * Contingency deadline: Beta freeze
> > * Blocks release? No
> >
> >
> > == Documentation ==
> > TBD
> >
> > == Release Notes ==
> > TBD
> >
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux