Re: [PATCH v2] selinux: deprecate disabling SELinux and runtime

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jan 7, 2020 at 9:34 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 1/6/20 10:30 PM, Paul Moore wrote:
> > Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality.  The
> > code was originally developed to make it easier for Linux
> > distributions to support architectures where adding parameters to the
> > kernel command line was difficult.  Unfortunately, supporting runtime
> > disable meant we had to make some security trade-offs when it came to
> > the LSM hooks, as documented in the Kconfig help text:
> >
> >    NOTE: selecting this option will disable the '__ro_after_init'
> >    kernel hardening feature for security hooks.   Please consider
> >    using the selinux=0 boot parameter instead of enabling this
> >    option.
> >
> > Fortunately it looks as if that the original motivation for the
> > runtime disable functionality is gone, and Fedora/RHEL appears to be
> > the only major distribution enabling this capability at build time
> > so we are now taking steps to remove it entirely from the kernel.
> > The first step is to mark the functionality as deprecated and print
> > an error when it is used (what this patch is doing).  As Fedora/RHEL
> > makes progress in transitioning the distribution away from runtime
> > disable, we will introduce follow-up patches over several kernel
> > releases which will block for increasing periods of time when the
> > runtime disable is used.  Finally we will remove the option entirely
> > once we believe all users have moved to the kernel cmdline approach.
> >
> > Acked-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> > Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> checkpatch.pl has two warnings on this patch, one about the new
> Documentation/ABI/obsolete/sysfs-selinux-disable file not being listed
> in MAINTAINERS (looks like others are) and one about the comment block
> style being wrong.

Fixed.

> Also not entirely sure if the file should be
> sysfs-selinux-disable or selinuxfs-disable; it gets mounted under sysfs
> but isn't part of it per se.  Otherwise, LGTM.

I wondered about that too, but decided the selinuxfs vs sysfs
distinction didn't matter much here as /sys/fs/selinux *looks* like
sysfs to admins/users (outside of the separate mount, but that is
typically handled by the distro's init system).

Anyway, it's merged into selinux/next now.

-- 
paul moore
www.paul-moore.com



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux