On Fri, Jun 12, 2020 at 03:28:26PM -0400, Paul Moore wrote:
> On Thu, Jun 11, 2020 at 9:29 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > Good point about the installer. I have already started working on
> > preparing Fedora for the runtime disable removal, but so far I'm only
> > at the beginning. Updating anaconda to add selinux=0 to the kernel
> > params instead of using /etc/selinux/config will be one of the main
> > steps.
>
> ...
>
> > I also prefer to rather go somewhere in this direction rather than
> > introducing the delay. I was kinda OK with the delay at first, but as
> > Stephen points out, it would punish users rather than distros, even
> > though users are (normally) not the ones that make a conscious
> > decision to use the runtime disable.
>
> ...
>
> > Yes, I was under the impression that some changes in libselinux are
> > needed before this works transparently, but apparently it already does
> > the right thing now. In that case I'd say that it may be better to
> > skip adding sleeps etc. and just remove the feature at some point. But
> > please let's wait with that for a while longer so we can prepare
> > Fedora for it first. It's hard to tell at this point how long that
> > will take, but it could be several months.
> >
> > Then again, the sleep might be helpful to wake up potential non-Fedora
> > users (if any) and in Fedora we can always apply a revert as a
> > downstream patch until things are sorted. So if you guys really want
> > it, I think we can deal with it.
>
> I'm glad to hear Fedora is making changes to move away from the
> runtime disable, please keep us updated about once a month so we know
> where things are at with Fedora.
>
> As I mentioned previously, I'm okay with postponing the delay so long
> as Fedora is making progress - and according to Ondrej they are - so
> I'm okay with holding off for now.
>

I've used a kernel built without CONFIG_SECURITY_SELINUX_DISABLE from Ondrej's
COPR https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/ and
tried a few scenarios:

1. selinux=0 on kernel command line

everything works as expected

2. SELINUX=disabled in /etc/selinux/config

system boots, userspace considers SELinux disabled, /sys/fs/selinux is not
mounted. The only noticeable change is in the process list:

    $ ps Z
    LABEL                             PID TTY      STAT   TIME COMMAND
    kernel                            552 pts/0    Ss     0:00 -bash
    kernel                            574 pts/0    R+     0:00 ps Z

If I get it right, SELinux is enabled but it's not initialized and SELinux
checks are not processed - always return 0 as allowed. So there should be no
real externally visible difference between selinux=0 and SELINUX=disabled

3. no /etc/selinux/config

SELinux is disabled in userspace but /sys/fs/selinux is mounted. It's due to a
check in libselinux which doesn't umount /sys/fs/selinux when there's no config
file. Maybe this could be improved.

So if my findings are correct, it should be quite a straightforward and easy
change for the distribution. Even though userspace tools like anaconda and
ansible still use /etc/selinux/config to disable SELinux, it will have a
similar effect as selinux=0. But it doesn't mean we will not try to change them
to set selinux=0.

So I've started to compose a Fedora Change proposal
https://fedoraproject.org/wiki/SELinux/Changes/Disable_CONFIG_SECURITY_SELINUX_DISABLE

It's not complete yet, but I believe it contains basic information. I'd
appreciate it if you can help me with text, phrases and references so that it
would be easy to sell it as a security feature to the Fedora community :)

Petr
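A check for which of the three scenarios in the message above a host falls into, for auditing hosts that still disable SELinux through /etc/selinux/config rather than selinux=0. This is an added example, not part of the original message or of any SELinux project code; the function name, its output strings and the passing of file paths as arguments are assumptions of the example.

```shell
#!/bin/sh
# Classify how SELinux is turned off on a host, following the three
# scenarios in the message. Paths are arguments (an assumption of this
# example) so the check also works on files collected from other hosts.

# usage: selinux_disable_mode CMDLINE_FILE CONFIG_FILE MOUNTS_FILE
selinux_disable_mode() {
    cmdline_file=$1 config_file=$2 mounts_file=$3

    # selinuxfs appears in /proc/mounts with filesystem type "selinuxfs".
    if awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$mounts_file"; then
        fs=mounted
    else
        fs=unmounted
    fi

    # Scenario 1: selinux=0 as a whole token on the kernel command line.
    if tr ' ' '\n' < "$cmdline_file" | grep -qx 'selinux=0'; then
        echo "cmdline-disabled selinuxfs=$fs"; return 0
    fi

    # Scenario 3: no config file at all.
    if [ ! -f "$config_file" ]; then
        echo "no-config selinuxfs=$fs"; return 0
    fi

    # Scenario 2: SELINUX=disabled in the config. Commented lines and
    # SELINUXTYPE= do not match; the last SELINUX= line is used.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$config_file" | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$mode" = disabled ]; then
        echo "config-disabled selinuxfs=$fs"; return 0
    fi
    echo "not-disabled mode=${mode:-unset} selinuxfs=$fs"
}

# Constructed sample input (not from a real host) matching scenario 2.
demo_dir=$(mktemp -d)
printf 'BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro quiet\n' > "$demo_dir/cmdline"
printf '# constructed\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
printf 'proc /proc proc rw,nosuid 0 0\n' > "$demo_dir/mounts"
selinux_disable_mode "$demo_dir/cmdline" "$demo_dir/config" "$demo_dir/mounts"
```

On a live system the three arguments would be /proc/cmdline, /etc/selinux/config and /proc/mounts.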