On Thu, Dec 12, 2019 at 12:57 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > On 12/12/19 12:54 PM, Paul Moore wrote: > > On Thu, Dec 12, 2019 at 8:14 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > >> On 12/12/19 6:49 AM, Ondrej Mosnacek wrote: > >>> On Wed, Dec 11, 2019 at 8:12 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > >>>> On 12/11/19 1:35 PM, Casey Schaufler wrote: > >>>>> On 12/11/2019 8:42 AM, Kees Cook wrote: > >>>>>> On Wed, Dec 11, 2019 at 09:29:10AM -0500, Stephen Smalley wrote: > >>>>>>> On 12/11/19 9:08 AM, Ondrej Mosnacek wrote: > > > > ... > > > >>>> selinux_state.initialized reflects whether a policy has > >>>> been loaded. With a few exceptions in certain hook functions, it is > >>>> only checked by the security server service functions > >>>> (security/selinux/ss/services.c) prior to accessing the policydb. So > >>>> there is a lot of SELinux processing that would still occur in that > >>>> situation unless we added if (!selinux_state.initialized) return 0; > >>>> checks to all the hook functions, which would create the same exposure > >>>> and would further break the SELinux-enabled case (we need to perform > >>>> some SELinux processing pre-policy-load to allocate blobs and track what > >>>> tasks and objects require delayed security initialization when policy > >>>> load finally occurs). > >>> > >>> I think what Casey was suggesting is to add another flag that would > >>> switch from "no policy loaded, but we expect it to be loaded > >>> eventually" to "no policy loaded and we don't expect/allow it to be > >>> loaded any more", which is essentially equivalent to checking > >>> selinux_enabled in each hook, which you had already brought up. > >> > >> Yep. if (!selinux_enabled) return 0; or if (selinux_state.disabled) > >> return 0; under #ifdef CONFIG_SECURITY_SELINUX_DISABLE in every hook > >> might be the best option until it can be removed altogether; avoids > >> impacting the LSM framework or any other security module, preserves the > >> existing functionality, fairly low overhead on the SELinux-disabled case. > > > > Just so I'm understanding this thread correctly, the above change > > (adding enabled checks to each SELinux hook implementation) is only > > until Fedora can figure out a way to deprecate and remove the runtime > > disable? > > That's my understanding. In the interim, Android kernels should already > be disabling CONFIG_SECURITY_SELINUX_DISABLE and other distros may > choose to disable it as long as they don't care about supporting SELinux > runtime disable. Okay, I just wanted to make sure I wasn't missing something. Honestly, I'd rather Fedora just go ahead and do whatever it is they need to do to turn off CONFIG_SECURITY_SELINUX_DISABLE (it sounds like they have a plan and are working on it), I'm not overly excited about temporarily cluttering up the code with additional "enabled" checks when the status quo works, even if it is less than ideal. -- paul moore www.paul-moore.com