Re: [RFC PATCH] selinux: runtime disable is deprecated, add some ssleep() discomfort

On 8/19/2020 12:16 PM, Stephen Smalley wrote:
> On Wed, Aug 19, 2020 at 3:07 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
>> On Wed, Aug 19, 2020 at 1:15 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>>> I've used a kernel built without CONFIG_SECURITY_SELINUX_DISABLE from Ondrej's COPR
>>> https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/ and tried a few
>>> scenarios:
>>>
>>> 1. selinux=0 on kernel command line
>>>
>>> everything works as expected
>>>
>>> 2. SELINUX=disabled in /etc/selinux/config
>>>
>>> system boots, userspace considers SELinux disabled, /sys/fs/selinux is not
>>> mounted. The only noticeable change is in the process list:
>>>
>>> $ ps Z
>>> LABEL                               PID TTY      STAT   TIME COMMAND
>>> kernel                              552 pts/0    Ss     0:00 -bash
>>> kernel                              574 pts/0    R+     0:00 ps Z
>> Hmm...is ps checking is_selinux_enabled()?  Or just always reading
>> /proc/pid/attr/current (or calling getpidcon(3))?  Under what
>> conditions was it displaying "-" here before?

The ps utility reads /proc/pid/attr/current directly. As a result,
it works for Smack as well as SELinux. Adding an SELinux state check
would have to be done carefully so as not to break the Smack functionality.
The id utility does an SELinux check that unnecessarily prevents the -Z
option from working with Smack.

>>
>>> If I get it right, SELinux is enabled but it's not initialized and SELinux
>>> checks are not processed, i.e. they always return 0 (allowed). So there should be no
>>> real externally visible difference between selinux=0 and SELINUX=disabled.
>> There are some corner cases currently, e.g. you can't remove the
>> security.selinux xattr if SELinux is enabled currently, and there are
>> various hardcoded error cases in the SELinux hook functions that could
>> potentially occur.  Beyond that there is the memory and runtime
>> overhead.  Getting people to start using selinux=0 if they want to
>> disable SELinux is definitely preferable.
> We could try to eliminate those error cases by checking early for
> selinux_initialized(state) in more of the hooks and bailing
> immediately with success in that case, but we'd have to go through and
> identify where we need that.
>
>>> 3. no /etc/selinux/config
>>>
>>> SELinux is disabled in userspace but /sys/fs/selinux is mounted. It's due to a
>>> check in libselinux which doesn't umount /sys/fs/selinux when there's no config
>>> file. Maybe this could be improved.
>> Yes, we should fix that.
>>
>>> So if my findings are correct, it should be quite a straightforward and easy change for
>>> the distribution. Even though userspace tools like anaconda and ansible still
>>> use /etc/selinux/config to disable SELinux, it will have a similar effect to
>>> selinux=0. But it doesn't mean we will not try to change them to set selinux=0.
>>>
>>>
>>> So I've started to compose Fedora Change proposal
>>>
>>> https://fedoraproject.org/wiki/SELinux/Changes/Disable_CONFIG_SECURITY_SELINUX_DISABLE
>>>
>>> It's not complete yet, but I believe it contains basic information. I'd
>>> appreciate it if you could help me with text, phrases and references so that it would
>>> be easy to sell it as a security feature to the Fedora community :)
>> I'd simplify the Summary to be something like "Remove support for
>> SELinux runtime disable so that the LSM hooks can be hardened via
>> read-only-after-initialization protections.  Migrate users to using
>> selinux=0 if they want to disable SELinux."
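A host-side check for the scenarios Petr tested above (an added example, not code from the thread, the kernel or libselinux): it reads /proc/cmdline, /etc/selinux/config and /proc/self/mountinfo and reports whether SELinux is disabled via selinux=0, via the deprecated SELINUX=disabled runtime path, or left in the "no config file but selinuxfs still mounted" state. The file paths are the standard ones; the sample inputs used to check it are constructed.

```python
import re

CONFIG_PATH = "/etc/selinux/config"  # standard libselinux config location

def cmdline_selinux(cmdline):
    """Value of the last selinux= boot parameter (0 or 1), or None if absent."""
    value = None
    for tok in cmdline.split():
        m = re.fullmatch(r"selinux=([01])", tok)
        if m:
            value = int(m.group(1))  # a later occurrence overrides an earlier one
    return value

def config_selinux(config_text):
    """SELINUX= setting from /etc/selinux/config (lower-cased), or None.
    Pass None for config_text when the file does not exist (scenario 3)."""
    if config_text is None:
        return None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("SELINUX="):
            return line[len("SELINUX="):].strip().strip('"').lower()
    return None

def selinuxfs_mounted(mountinfo):
    """True if any /proc/self/mountinfo line has filesystem type selinuxfs."""
    for line in mountinfo.splitlines():
        if " - " in line and line.split(" - ", 1)[1].split()[0] == "selinuxfs":
            return True
    return False

def classify(cmdline, config_text, mountinfo):
    """Map the host's state onto the scenarios discussed in the thread."""
    if cmdline_selinux(cmdline) == 0:
        return "cmdline_disabled"  # selinux=0: the preferred way to disable
    if config_text is None:
        # libselinux leaves /sys/fs/selinux mounted when no config file exists
        return "no_config_fs_mounted" if selinuxfs_mounted(mountinfo) else "no_config"
    if config_selinux(config_text) == "disabled":
        return "runtime_disabled"  # deprecated runtime disable path
    return "enabled"

def read_or_none(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None

if __name__ == "__main__":
    print("SELinux state:", classify(read_or_none("/proc/cmdline") or "",
                                     read_or_none(CONFIG_PATH),
                                     read_or_none("/proc/self/mountinfo") or ""))
```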
