On Wed, Aug 19, 2020 at 3:07 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
> > I've used a kernel built without CONFIG_SECURITY_SELINUX_DISABLE from Ondrej's COPR
> > https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/ and tried a few
> > scenarios:
> >
> > 1. selinux=0 on kernel command line
> >
> > everything works as expected
> >
> > 2. SELINUX=disabled in /etc/selinux/config
> >
> > system boots, userspace considers SELinux disabled, /sys/fs/selinux is not
> > mounted. The only noticeable change is in the process list:
> >
> > $ ps Z
> > LABEL    PID TTY   STAT TIME COMMAND
> > kernel   552 pts/0 Ss   0:00 -bash
> > kernel   574 pts/0 R+   0:00 ps Z
>
> Hmm...is ps checking is_selinux_enabled()? Or just always reading
> /proc/pid/attr/current (or calling getpidcon(3))? Under what
> conditions was it displaying "-" here before?
>
> > If I get it right, SELinux is enabled but it's not initialized and SELinux
> > checks are not processed - always return 0 as allowed. So there should be no
> > real externally visible difference between selinux=0 and SELINUX=disabled
>
> There are some corner cases currently, e.g. you can't remove the
> security.selinux xattr if SELinux is enabled currently, and there are
> various hardcoded error cases in the SELinux hook functions that could
> potentially occur. Beyond that there is the memory and runtime
> overhead. Getting people to start using selinux=0 if they want to
> disable SELinux is definitely preferable.

We could try to eliminate those error cases by checking early for
selinux_initialized(state) in more of the hooks and bailing immediately
with success in that case, but we'd have to go through and identify
where we need that.

> > 3. no /etc/selinux/config
> >
> > SELinux is disabled in userspace but /sys/fs/selinux is mounted. It's due to a
> > check in libselinux which doesn't umount /sys/fs/selinux when there's no config
> > file. Maybe this could be improved.
>
> Yes, we should fix that.
>
> > So if my findings are correct, it should be quite a straightforward and easy change for
> > the distribution. Even though userspace tools like anaconda and ansible still
> > use /etc/selinux/config to disable SELinux, it will have a similar effect as
> > selinux=0. But it doesn't mean we will not try to change them to set selinux=0.
> >
> >
> > So I've started to compose a Fedora Change proposal
> >
> > https://fedoraproject.org/wiki/SELinux/Changes/Disable_CONFIG_SECURITY_SELINUX_DISABLE
> >
> > It's not complete yet, but I believe it contains basic information. I'd
> > appreciate it if you can help me with text, phrases and references so that it would
> > be easy to sell it as a security feature to the Fedora community :)
>
> I'd simplify the Summary to be something like "Remove support for
> SELinux runtime disable so that the LSM hooks can be hardened via
> read-only-after-initialization protections. Migrate users to using
> selinux=0 if they want to disable SELinux."
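As an added example (not part of this thread, and not libselinux or Fedora code), the following POSIX shell script classifies a host into the three scenarios Petr tested: selinux=0 on the kernel command line, SELINUX=disabled in /etc/selinux/config, and no config file with selinuxfs still mounted. The function names and the "enabled-<mode>" / "no-config" output values are this example's own; each function takes the file it inspects as a parameter so the logic can be run on constructed inputs, with the real system paths as defaults.

```shell
#!/bin/sh
# Added example: classify how SELinux is disabled on a host into the scenarios
# from the thread. Function names and output strings are this example's own.

# Print the SELINUX= value from a config file; "missing" if the file is absent,
# "unset" if it exists but has no SELINUX= line. Last uncommented match wins.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -f "$cfg" ] || { echo missing; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unset}"
}

# Succeed if the kernel command line string carries selinux=0 (scenario 1).
cmdline_disables_selinux() {
    case " $1 " in
        *" selinux=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if a selinuxfs is mounted on /sys/fs/selinux according to a mounts file.
selinuxfs_mounted() {
    grep -q '^[^ ]* /sys/fs/selinux selinuxfs ' "${1:-/proc/self/mounts}" 2>/dev/null
}

# Print the current process label, as ps Z does; "-" if the attribute is unreadable.
current_label() {
    cat "${1:-/proc/self/attr/current}" 2>/dev/null || echo "-"
}

# Combine the checks: $1 = kernel command line, $2 = config path, $3 = mounts file.
classify_selinux_state() {
    mode=$(selinux_config_mode "$2")
    if cmdline_disables_selinux "$1"; then
        echo kernel-disabled             # scenario 1: SELinux never enabled by the kernel
    elif [ "$mode" = disabled ]; then
        echo userspace-disabled          # scenario 2: enabled in kernel, never initialized
    elif [ "$mode" = missing ] && selinuxfs_mounted "$3"; then
        echo no-config-selinuxfs-mounted # scenario 3: libselinux left selinuxfs mounted
    elif [ "$mode" = missing ]; then
        echo no-config
    else
        echo "enabled-$mode"
    fi
}

# Report on the live system (harmless on a host without SELinux).
echo "state: $(classify_selinux_state "$(cat /proc/cmdline 2>/dev/null)" /etc/selinux/config /proc/self/mounts)"
echo "label: $(current_label)"
```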