On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
> I've used a kernel built without CONFIG_SECURITY_SELINUX_DISABLE from Ondrej's COPR
> https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/ and tried a few
> scenarios:
>
> 1. selinux=0 on kernel command line
>
> everything works as expected
>
> 2. SELINUX=disabled in /etc/selinux/config
>
> system boots, userspace considers SELinux disabled, /sys/fs/selinux is not
> mounted. The only noticeable change is in the process list:
>
> $ ps Z
> LABEL   PID TTY   STAT TIME COMMAND
> kernel  552 pts/0 Ss   0:00 -bash
> kernel  574 pts/0 R+   0:00 ps Z

Hmm...is ps checking is_selinux_enabled()? Or just always reading
/proc/pid/attr/current (or calling getpidcon(3))? Under what conditions was it
displaying "-" here before?

> If I get it right, SELinux is enabled but it's not initialized and SELinux
> checks are not processed - always return 0 as allowed. So there should be no
> real externally visible difference between selinux=0 and SELINUX=disabled

There are some corner cases currently, e.g. you can't remove the security.selinux
xattr if SELinux is enabled currently, and there are various hardcoded error
cases in the SELinux hook functions that could potentially occur. Beyond that
there is the memory and runtime overhead. Getting people to start using
selinux=0 if they want to disable SELinux is definitely preferable.

> 3. no /etc/selinux/config
>
> SELinux is disabled in userspace but /sys/fs/selinux is mounted. It's due to a
> check in libselinux which doesn't umount /sys/fs/selinux when there's no config
> file. Maybe this could be improved.

Yes, we should fix that.

> So if my findings are correct, it should be quite a straight and easy change for
> the distribution. Even though userspace tools like anaconda and ansible still
> use /etc/selinux/config to disable SELinux, it will have a similar effect as
> selinux=0. But it doesn't mean we will not try to change them to set selinux=0.
>
> So I've started to compose a Fedora Change proposal
> https://fedoraproject.org/wiki/SELinux/Changes/Disable_CONFIG_SECURITY_SELINUX_DISABLE
>
> It's not complete yet, but I believe it contains basic information. I'd
> appreciate it if you could help me with text, phrases and references so that it
> would be easy to sell it as a security feature to the Fedora community :)

I'd simplify the Summary to be something like "Remove support for SELinux
runtime disable so that the LSM hooks can be hardened via
read-only-after-initialization protections. Migrate users to using selinux=0 if
they want to disable SELinux."
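The three scenarios Petr tested above, as an added shell check that is not part of this thread or of libselinux: it classifies a host by the same signals (selinux=0 on the kernel command line, the SELINUX= line in the config file, and whether selinuxfs is mounted), taking the file paths as parameters so it can run against constructed inputs; the function name and output labels are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify how SELinux is disabled
# on a host using the signals from the three scenarios above. Inputs are file
# paths so the check runs against constructed files as well as the live
# /proc/cmdline, /etc/selinux/config and /proc/mounts.
#
# Prints exactly one of (labels are my own):
#   kernel-disabled     selinux=0 on the kernel command line (scenario 1)
#   userspace-disabled  SELINUX=disabled in the config file (scenario 2):
#                       the LSM is still built in, only userspace treats it
#                       as disabled
#   no-config           config file missing (scenario 3): libselinux leaves
#                       /sys/fs/selinux mounted in this case
#   enabled             none of the above
selinux_disable_mode() {
    cmdline=$1
    config=$2
    mounts=$3

    # Scenario 1: the kernel parameter wins over anything in userspace.
    if grep -Eq '(^| )selinux=0( |$)' "$cmdline" 2>/dev/null; then
        echo kernel-disabled
        return 0
    fi

    # Is selinuxfs mounted at /sys/fs/selinux? (fields 2 and 3 of /proc/mounts)
    fs_mounted=0
    if grep -q ' /sys/fs/selinux selinuxfs ' "$mounts" 2>/dev/null; then
        fs_mounted=1
    fi

    # Scenario 3: no config file; flag the mount libselinux leaves behind.
    if [ ! -f "$config" ]; then
        if [ "$fs_mounted" -eq 1 ]; then
            echo 'note: no config file but /sys/fs/selinux is still mounted' >&2
        fi
        echo no-config
        return 0
    fi

    # Scenario 2: the last SELINUX= line in the config file decides.
    mode=$(sed -n 's/^SELINUX=//p' "$config" | tail -n 1 | tr -d '[:space:]')
    case "$mode" in
        disabled) echo userspace-disabled ;;
        *)        echo enabled ;;
    esac
}

# Stand-alone run against the live system.
selinux_disable_mode /proc/cmdline /etc/selinux/config /proc/mounts
```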