No edit summary |
(redirect to the change page that is actually linked to the fesco ticket) Tag: New redirect |
||
(5 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
#REDIRECT [[Changes/Remove_Support_For_SELinux_Runtime_Disable]] | |||
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | <!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | ||
Line 7: | Line 9: | ||
Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". --> | Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". --> | ||
Remove support for SELinux runtime disable so that the LSM hooks can be hardened via read-only-after-initialization protections. | Remove support for SELinux runtime disable so that [https://www.kernel.org/doc/html/latest/security/lsm.html the LSM hooks] can be hardened via [https://lore.kernel.org/kernel-hardening/1448494286-16029-1-git-send-email-keescook@chromium.org/ read-only-after-initialization] protections. | ||
Migrate users to using ''selinux=0'' on the kernel command line if they want to disable SELinux. | |||
NOTE: By "disabling SELinux" here we mean that the kernel doesn't call into the SELinux subsystem at all. Switching SELinux between "permissive" and "enforcing" mode using ''setenforce(8)'' (which is often incorrectly called "disabling/enabling SELinux") is not affected and will remain fully functional. There is a nice [https://wiki.gentoo.org/wiki/SELinux/Tutorials/Permissive_versus_enforcing article] on Gentoo wiki explaining the SELinux modes in more detail. | |||
<!-- | <!-- | ||
Line 36: | Line 40: | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/34 | Fedora 34 ]] | * Targeted release: [[Releases/34 | Fedora 34 ]] | ||
Line 56: | Line 58: | ||
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | <!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | ||
Currently, SELinux can be disabled | Currently, SELinux can be disabled using ''selinux=0'' on the kernel command line, or in userspace via ''/etc/selinux/config''. | ||
In the latter case, ''/etc/selinux/config'' is read by libselinux userspace library and if it contains ''SELINUX=disabled'', it | In the latter case, ''/etc/selinux/config'' is read by libselinux userspace library during boot and if it contains ''SELINUX=disabled'', it writes ''1'' into ''/sys/fs/selinux/disable'' and unmounts ''/sys/fs/selinux''. | ||
Support for SELinux runtime disable via ''/etc/selinux/config'' was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. | Support for SELinux runtime disable via ''/etc/selinux/config'' was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. | ||
Line 65: | Line 67: | ||
Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding ''selinux=0'' to the kernel command line via the boot loader (GRUB). | Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding ''selinux=0'' to the kernel command line via the boot loader (GRUB). | ||
System with ''SELINUX=disabled'' in ''/etc/selinux/config'' will come up with ''/sys/fs/ | System with ''SELINUX=disabled'' in ''/etc/selinux/config'' will come up with ''/sys/fs/selinux'' unmounted, | ||
userspace will detect SELinux as disabled. Internally SELinux will be enabled but not initialized so that there will be no SELinux checks applied. | userspace will detect SELinux as disabled. Internally SELinux will be enabled but not initialized so that there will be no SELinux checks applied. This state is very similar to SELinux disabled - the hooks are active, but they mostly do almost nothing so there should be very little effect on the time spent in syscalls compared to SELinux fully disabled. | ||
Runtime disable is considered deprecated by upstream, and using it will become increasingly painful (e.g. sleeping/blocking) through future kernel releases until eventually it is removed completely. | |||
Current kernel reports the following message during runtime disable: ''SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline'' | Current kernel reports the following message during runtime disable: ''SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline'' | ||
Latest revision as of 12:47, 25 July 2023
Remove support for SELinux runtime disable
Summary
Remove support for SELinux runtime disable so that the LSM hooks can be hardened via read-only-after-initialization protections.
Migrate users to using selinux=0 on the kernel command line if they want to disable SELinux.
NOTE: By "disabling SELinux" here we mean that the kernel doesn't call into the SELinux subsystem at all. Switching SELinux between "permissive" and "enforcing" mode using setenforce(8) (which is often incorrectly called "disabling/enabling SELinux") is not affected and will remain fully functional. There is a nice article on Gentoo wiki explaining the SELinux modes in more detail.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
- Name: Ondrej Mosnacek
- Email: omosnace@redhat.com
Current status
- Targeted release: Fedora 34
- Last updated: 2023-07-25
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Currently, SELinux can be disabled using selinux=0 on the kernel command line, or in userspace via /etc/selinux/config. In the latter case, /etc/selinux/config is read by libselinux userspace library during boot and if it contains SELINUX=disabled, it writes 1 into /sys/fs/selinux/disable and unmounts /sys/fs/selinux.
Support for SELinux runtime disable via /etc/selinux/config was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it comes to the kernel LSM hooks.
Marking the kernel LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime. Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding selinux=0 to the kernel command line via the boot loader (GRUB).
System with SELINUX=disabled in /etc/selinux/config will come up with /sys/fs/selinux unmounted, userspace will detect SELinux as disabled. Internally SELinux will be enabled but not initialized so that there will be no SELinux checks applied. This state is very similar to SELinux disabled - the hooks are active, but they mostly do almost nothing so there should be very little effect on the time spent in syscalls compared to SELinux fully disabled.
Runtime disable is considered deprecated by upstream, and using it will become increasingly painful (e.g. sleeping/blocking) through future kernel releases until eventually it is removed completely. Current kernel reports the following message during runtime disable: SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline
Additional info:
- https://lwn.net/Articles/666550
- https://lore.kernel.org/selinux/159110207843.57260.5661475689740939480.stgit@chester/
- https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t
Feedback
Benefit to Fedora
Marking the LSM hooks as read-only provides extra security hardening against certain attacks, e.g. in case an attacker gains ability to write to random kernel memory locations, with support for disable SELinux runtime (CONFIG_SECURITY_SELINUX_DISABLE=y) they have a bigger chance to turn off (parts of) SELinux permission checking.
Scope
- Proposal owners:
- Make sure the kernel is built with CONFIG_SECURITY_SELINUX_DISABLE disabled.
- Make sure the relevant documentation is updated in a way that selinux=0 on kernel command line is the preferred way to disable SELinux.
- Make sure the installer uses the kernel command line instead of /etc/selinux/config to disable SELinux.
- Optional: selinux Ansible module should warn that SELinux needs to be disabled using selinux=0.
- Optional: linux-system-roles.selinux should disable SELinux using selinux=0.
- Other developers: N/A
- Release engineering: #9742 (a check of an impact with Release Engineering is needed)
- Policies and guidelines: N/A
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
Users should not be directly affected by this change.
How To Test
- Install a kernel built with CONFIG_SECURITY_SELINUX_DISABLE disabled, e.g. from https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/.
- Confirm that SELinux is disabled when selinux=0 is used on kernel command line.
- Confirm that userspace considers SELinux disabled when SELINUX=disabled is used in /etc/selinux/config.
- Confirm that userspace considers SELinux disabled when there is no /etc/selinux/config.
- Confirm that the system works as expected in all previous cases.
User Experience
There's no visible change for users with SELinux enabled.
Users with SELINUX=disabled in /etc/selinux/config and without selinux=0 on kernel command line might notice that ps Z
command uses kernel domain for processes, while with selinux=0 ps Z
prints '-'.
These users will also be able to load SELinux policy after boot.
Dependencies
Upstream kernel SELinux subsystem waits for this change in order to remove CONFIG_SECURITY_SELINUX_DISABLE functionality - https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t
Contingency Plan
- Contingency mechanism: Revert the kernel build option change and build kernel with CONFIG_SECURITY_SELINUX_DISABLE=y
- Contingency deadline: Beta freeze
- Blocks release? No
Documentation
TBD
Release Notes
TBD