(→Scope) |
|||
Line 118: | Line 118: | ||
* Proposal owners: | * Proposal owners: | ||
<!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | <!-- What work do the feature owners have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--> | ||
Make sure kernel is built without CONFIG_SECURITY_SELINUX_DISABLE | |||
* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> |
Revision as of 16:34, 19 August 2020
Disable CONFIG_SECURITY_SELINUX_DISABLE
Summary
Build kernel without CONFIG_SECURITY_SELINUX_DISABLE, disable writing to a selinuxfs node 'disable' and disable SELinux to be disabled at runtime prior to the policy load. Kernel build without CONFIG_SECURITY_SELINUX_DISABLE can use the '__ro_after_init' kernel hardening feature for security hooks.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
- Name: Ondrej Mosnacek
- Email: omosnace@redhat.com
Current status
- Targeted release: Fedora 34
- Last updated: 2020-08-19
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
CONFIG_SECURITY_SELINUX_DISABLE functionality was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it came to the LSM hooks.
Marking the LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime. Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).
System with SELINUX=disabled in /etc/selinux/config will come up with selinuxfs unmounted, userspace will think SELinux is disabled, but internally SELinux will be enabled with no policy so that there will be no SELinux checks applied.
NOTE: Runtime disable is considered as deprecated, and using it will become increasingly painful (e.g. sleeping/blocking) through future kernel releases until eventually it is removed completely. Current kernel reports the following message during runtime disable: "SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline"
Additional info:
- https://lwn.net/Articles/666550
- https://lore.kernel.org/selinux/159110207843.57260.5661475689740939480.stgit@chester/
- https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t
Feedback
Benefit to Fedora
Marking the LSM hooks as read only provides some very nice security benefits, e.g. in case an attacker gains ability to write to certain kernel memory regions, they have a bigger chance of using side effects of CONFIG_SECURITY_SELINUX_DISABLE to turn off SELinux permission checking.
Scope
- Proposal owners:
Make sure kernel is built without CONFIG_SECURITY_SELINUX_DISABLE
- Other developers: N/A (not a System Wide Change)
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
N/A (not a System Wide Change)
User Experience
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)