From Fedora Project Wiki
Line 122: Line 122:
 
** Make sure the kernel is built with ''CONFIG_SECURITY_SELINUX_DISABLE'' disabled.
 
** Make sure the kernel is built with ''CONFIG_SECURITY_SELINUX_DISABLE'' disabled.
 
** Make sure the relevant documentation is updated in a way that ''selinux=0'' on kernel command line is the preferred way to disable SELinux.
 
** Make sure the relevant documentation is updated in a way that ''selinux=0'' on kernel command line is the preferred way to disable SELinux.
 +
*** https://docs.fedoraproject.org/en-US/quick-docs/changing-selinux-states-and-modes/
 +
*** ''selinux(8)'' man page
 
** Make sure [https://github.com/rhinstaller/anaconda/ the installer] uses the kernel command line instead of ''/etc/selinux/config'' to disable SELinux.
 
** Make sure [https://github.com/rhinstaller/anaconda/ the installer] uses the kernel command line instead of ''/etc/selinux/config'' to disable SELinux.
 
** Optional: [https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/selinux.py ''selinux'' Ansible module] should warn that SELinux needs to be disabled using ''selinux=0''.
 
** Optional: [https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/system/selinux.py ''selinux'' Ansible module] should warn that SELinux needs to be disabled using ''selinux=0''.
 
** Optional: [https://github.com/linux-system-roles/selinux linux-system-roles.selinux] should disable SELinux using ''selinux=0''.
 
** Optional: [https://github.com/linux-system-roles/selinux linux-system-roles.selinux] should disable SELinux using ''selinux=0''.
  
 
+
* Other developers: N/A <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
 
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
 
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
  
Line 134: Line 135:
 
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
 
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
  
* Policies and guidelines: Update documentation to use ''selinux=0'' instead of ''SELINUX=disabled'' for disabling SELinux <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Policies and guidelines: N/A <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
 
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
** https://docs.fedoraproject.org/en-US/quick-docs/changing-selinux-states-and-modes/
 
  
 
* Trademark approval: N/A (not needed for this Change)
 
* Trademark approval: N/A (not needed for this Change)

Revision as of 11:18, 8 September 2020


Remove support for SELinux runtime disable

Summary

Remove support for SELinux runtime disable so that the LSM hooks can be hardened via read-only-after-initialization protections.

Migrate users to using selinux=0 if they want to disable SELinux.


Owner


Current status

  • Targeted release: Fedora 34
  • Last updated: 2020-09-08
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Support for SELinux runtime disable via /etc/selinux/config was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it comes to the kernel LSM hooks.

Marking the kernel LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime. Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding selinux=0 to the kernel command line via the boot loader (GRUB).

System with SELINUX=disabled in /etc/selinux/config will come up with /sys/fs/selinuxfs unmounted, userspace will detect SELinux as disabled. Internally SELinux will be enabled but not initialized so that there will be no SELinux checks applied.

NOTE: Runtime disable is considered deprecated by upstream, and using it will become increasingly painful (e.g. sleeping/blocking) through future kernel releases until eventually it is removed completely. Current kernel reports the following message during runtime disable: SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline

Additional info:

Feedback

Benefit to Fedora

Marking the LSM hooks as read-only provides extra security hardening against certain attacks, e.g. in case an attacker gains ability to write to random kernel memory locations, with support for disable SELinux runtime (CONFIG_SECURITY_SELINUX_DISABLE=y) they have a bigger chance to turn off (parts of) SELinux permission checking.

Scope

  • Other developers: N/A
  • Policies and guidelines: N/A
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Users should not be directly affected by this change.

How To Test

  1. Install a kernel built with CONFIG_SECURITY_SELINUX_DISABLE disabled, e.g. from https://copr.fedorainfracloud.org/coprs/omos/drop-selinux-disable/.
  2. Confirm that SELinux is disabled when selinux=0 is used on kernel command line.
  3. Confirm that userspace considers SELinux disabled when SELINUX=disabled is used in /etc/selinux/config.
  4. Confirm that userspace considers SELinux disabled when there is no /etc/selinux/config.
  5. Confirm that the system works as expected in all previous cases.

User Experience

There's no visible change for users with SELinux enabled.

Users with SELINUX=disabled in /etc/selinux/config and without selinux=0 on kernel command line might notice that ps Z command uses kernel domain for processes, while with selinux=0 ps Z prints '-'. These users will also be able to load SELinux policy after boot.

Dependencies

Upstream kernel SELinux subsystem waits for this change in order to remove CONFIG_SECURITY_SELINUX_DISABLE functionality - https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t

Contingency Plan

  • Contingency mechanism: Revert the kernel build option change and build kernel with CONFIG_SECURITY_SELINUX_DISABLE=y
  • Contingency deadline: Beta freeze
  • Blocks release? No

Documentation

TBD

Release Notes

TBD