(Reduce the amount of rules that prevent reporting of SELinux denials pertaining to unlabeled_t. This could influence the amount of SELinux-related logs on some systems, but will not cause any new permission denials.)
(retargeting change to F42)
Latest revision as of 15:42, 9 September 2024
Reduce the amount of "dontaudit" rules pertaining to unlabeled_t
Summary
Reduce the amount of rules that prevent reporting of SELinux denials pertaining to unlabeled_t. This could influence the amount of SELinux-related logs on some systems, but will not cause any new permission denials.
Owner
- Name: Vít Mojžíš
- Email: <vmojzis@redhat.com>
- Name: Miloš Malík
- Email: <mmalik@redhat.com>
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-09-09
- Announced: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/LZHQ5FCLAI4WWAB76BDUEQNN7JRDRKUF/
- Discussion thread: https://discussion.fedoraproject.org/t/f41-change-proposal-reduce-the-amount-of-dontaudit-rules-pertaining-to-unlabeled-t-self-contained/124332
- FESCo issue: #3245 (https://pagure.io/fesco/issue/3245)
- Tracker bug: #2300338 (https://bugzilla.redhat.com/show_bug.cgi?id=2300338)
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The SELinux security policy primarily comprises allow rules, which permit specific operations on a confined system. However, there are also SELinux rules featuring the "dontaudit" keyword. In general, these rules signify that the described operation is not allowed and will not be logged as a permission denial in audit logs. The primary purpose of these rules is to hide certain false positives or code defects, such as leaked descriptors. The drawback is that, in certain instances, these rules might obscure hints that could expedite debugging and issue resolution. It is possible to disable all dontaudit rules using "semodule -DB", but this usually leads to large amounts of benign denials being logged and hence is not practical for long term use.
The goal of this change is to significantly reduce the number of dontaudit rules suppressing "unlabeled_t" denials, which are often caused by mislabeled filesystems and can usually be fixed easily once noticed by the system administrator.
The rules will not be removed from the policy entirely, only disabled by default, so that the change can be reverted by the admin if needed:
# setsebool -P dontaudit_unlabeled_files 1
The change could influence the amount of SELinux-related logs on some systems, but will not cause any new permission denials.
Feedback
Benefit to Fedora
Access denials caused by labeling issues will more likely be reported by SELinux.
Scope
- Proposal owners: Determine which dontaudit rules are safe to disable by default and wrap them in conditional statements in the policy sources; changes will be limited to the SELinux policy (and possibly setroubleshoot) packages
- Other developers: Report any unlabeled_t AVCs triggered by their software
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy: The change aligns with the "accessibility" goal as it simplifies debugging of some labeling issues
Upgrade/compatibility impact
No functionality impact, no configuration or data migration. The change could influence the amount of SELinux-related logs on some systems.
Early Testing (Optional)
Do you require 'QA Blueprint' support? - No
How To Test
Run your test suite with SELinux enabled (Enforcing or Permissive mode) and record any AVCs containing the unlabeled_t keyword:
# ausearch -m AVC,USER_AVC | grep unlabeled_t
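The grep above records the raw AVC lines; the script below, an added example that is not part of the change proposal, triages them the way the Detailed Description suggests: it keeps only denials whose target type is unlabeled_t, summarizes source type, class, permissions, process and object, and turns absolute paths into restorecon commands. The audit records are constructed sample data; on a real system the ausearch output is piped in instead.

```shell
# Constructed sample of `ausearch -m AVC,USER_AVC` output (not real audit
# data): two denials whose target is unlabeled_t and one against etc_t that
# must be ignored. On a live system, pipe the real ausearch output instead.
SAMPLE_AVCS='type=AVC msg=audit(1725890000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1725890001.456:457): avc:  denied  { read write } for  pid=1235 comm="nginx" path="/srv/www/app/config.yml" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1725890002.789:458): avc:  denied  { write } for  pid=1300 comm="sshd" name="sshd_config" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read AVC records on stdin and print one line per denial whose target
# type is unlabeled_t:  <source type> <tclass> <perms> <comm> <path|name>
# Matching on tcontext (not a bare grep) avoids hits where "unlabeled_t"
# only appears in the source context or in a file name.
summarize_unlabeled() {
    awk '
        /tcontext=[^ ]*:unlabeled_t:/ {
            perm = ""; src = ""; cls = ""; comm = ""; obj = "?"
            # "{ read write }" -> "read,write"
            if (match($0, /\{ [^}]* \}/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
                else if (kv[1] == "tclass") cls = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "path" || kv[1] == "name") obj = kv[2]
            }
            gsub(/"/, "", comm); gsub(/"/, "", obj)
            print src, cls, perm, comm, obj
        }'
}

# Turn the summary into follow-up actions. An absolute path (path=) can be
# relabelled directly; a record carrying only name= identifies the object
# by basename, so it is reported for manual lookup instead of guessed.
restorecon_hints() {
    summarize_unlabeled | awk '
        $5 ~ /^\// { print "restorecon -v " $5; next }
        { print "# locate \"" $5 "\" accessed by " $4 " (" $1 ") and relabel it" }'
}

printf '%s\n' "$SAMPLE_AVCS" | restorecon_hints
```

Denials that survive this triage and are confirmed to be benign are the candidates for the selective audit2allow -D module described under Documentation.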
User Experience
The change could increase the amount of SELinux-related logs on some systems.
Dependencies
Changes will be limited to the SELinux policy (and possibly setroubleshoot) packages.
Contingency Plan
- Contingency mechanism: Do not ship the updated SELinux-policy package
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
Documentation
Dontaudit rules can be added selectively using audit2allow:
# ausearch -m AVC | grep unlabeled_t | audit2allow -D -M dontaudit_unlabeled
# semodule -i dontaudit_unlabeled.pp
All the disabled rules can be re-enabled by switching the "dontaudit_unlabeled_files" boolean (will be added as part of the change).
# setsebool -P dontaudit_unlabeled_files 1