SELinux policy store migration
From Fedora Project Wiki

== Summary ==

The SELinux userspace release 2015-02-02 changes the location of the SELinux policy store, which now defaults to /var/lib/selinux/.

== Owner ==

== Current status ==
* Targeted release: [[Releases/23 | Fedora 23 ]]
* Last updated: 2015-06-10
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=1238407 #1238407]

== Detailed Description ==

The SELinux security policy lives in the ''/etc/selinux'' directory together with its configuration files. Fedora uses a modular policy: rather than one large source policy, the policy is built from modules. These modules, together with a base policy that carries the mandatory definitions, are compiled, linked and kept in a '''policy store''', from which they are built into a single binary policy that is then loaded into the kernel's security server. The binary policy is located at ''/etc/selinux/<SELINUXTYPE>/policy/policy.29'', for example (the suffix is the kernel policy version).

The policy store is located at

* /etc/selinux/<SELINUXTYPE>/modules - default for systems with versions < 2.4 of libsemanage, libsepol, and policycoreutils.

* /var/lib/selinux/<SELINUXTYPE>/modules - default for systems with versions >= 2.4 of libsemanage, libsepol, and policycoreutils.

This change builds CIL support into libsepol and libsemanage, teaches semodule and semanage to handle CIL, and adds the ability to manage ''/var/lib/selinux'' as the new store location. The new location only matters when the policy is rebuilt or manipulated; a system that never touches its modules keeps loading the same binary policy.

The new policy store

* has a new, more complex directory structure
* supports priorities for modules
* caches every module in the CIL language
* converts original modules with a high-level language (HLL) compiler from /usr/libexec/selinux/hll/; the pp compiler converts the pp format to CIL

The following options are added to ''semanage.conf'' by libsemanage 2.4 with CIL support:
<pre>
store-root = <path>
compiler-directory = <path>
ignore-module-cache = true|false
target-platform = selinux | xen
</pre>

The ''"store-root"'' option can be changed from the default ''/var/lib/selinux'' to a custom location according to distribution requirements.

== Benefit to Fedora ==

The new store implementation and the CIL language bring the following improvements:

* the policy store is moved out of /etc
** its location can be configured in ''semanage.conf''
<pre>
store-root = <path>
</pre>
* performance improvements
** lower peak memory usage
** faster SELinux tools such as semodule, semanage and setsebool

<pre>
-- rebuild of policy (rawhide VM) --
CIL: real 0m6.171s
REGULAR: real 0m22.414s

-- SELinux policy load (rawhide VM) --
CIL: systemd[1]: Successfully loaded SELinux policy in 91.886ms.
REGULAR: systemd[1]: Successfully loaded SELinux policy in 172.393ms.
</pre>

* a cached SELinux policy module can be overridden by a module with the same name and a higher priority
** readable CIL format instead of compiled policy modules
** ability to override distribution-provided policy

<pre>
semodule --priority 100 --install fedora_distro/openstack.pp
semodule --priority 400 --install custom/openstack.pp
</pre>

Both openstack modules are installed in the policy store, but only the custom openstack module (the copy with the higher priority) is linked into the final binary policy loaded into the kernel. Removing the higher-priority copy again (semodule --priority 400 --remove openstack) leaves the distribution module in the store and makes it effective again.

See http://blog-bachradsusi.rhcloud.com/2015/06/05/selinux-modules-priority/
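The resolution rule above (highest priority wins; a disabled name is skipped at every priority) can be checked against a store without running semodule. The following Python script is an added example, not code from this page or from the SELinux userspace project. It assumes the 2.4 store layout <store-root>/<SELINUXTYPE>/active/modules/<priority>/<name>/{cil,hll,lang_ext} with disabled modules recorded as marker files under modules/disabled/, reads store-root from semanage.conf text as described in the Detailed Description, and builds a throw-away store in a temporary directory (constructed sample data) that mirrors the openstack example:

```python
"""Resolve the effective SELinux modules in a 2.4-style policy store.

Added example (not code from this change page or from the SELinux
userspace project).  Assumed on-disk layout under the store root:

    <store-root>/<SELINUXTYPE>/active/modules/<priority>/<name>/
        cil       module cached in CIL
        hll       the original module (e.g. the .pp file), if there was one
        lang_ext  "cil" or "pp"
    <store-root>/<SELINUXTYPE>/active/modules/disabled/<name>
        marker written by `semodule -d <name>`
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

DEFAULT_STORE_ROOT = "/var/lib/selinux"


def store_root_from_semanage_conf(conf_text: str) -> str:
    """Return the store-root set in semanage.conf text, else the default."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"store-root\s*=\s*(\S+)$", line)
        if m:
            return m.group(1)
    return DEFAULT_STORE_ROOT


def module_copies(store_root: str, selinuxtype: str = "targeted"
                  ) -> Dict[str, Dict[int, str]]:
    """Map module name -> {priority: lang_ext} for every installed copy."""
    modules_dir = os.path.join(store_root, selinuxtype, "active", "modules")
    copies: Dict[str, Dict[int, str]] = {}
    for entry in os.listdir(modules_dir):
        if not entry.isdigit():
            continue                                  # "disabled" or unexpected
        prio_dir = os.path.join(modules_dir, entry)
        for name in os.listdir(prio_dir):
            ext_file = os.path.join(prio_dir, name, "lang_ext")
            lang_ext = "?"
            if os.path.isfile(ext_file):
                with open(ext_file) as f:
                    lang_ext = f.read().strip()
            copies.setdefault(name, {})[int(entry)] = lang_ext
    return copies


def disabled_modules(store_root: str, selinuxtype: str = "targeted") -> set:
    d = os.path.join(store_root, selinuxtype, "active", "modules", "disabled")
    return set(os.listdir(d)) if os.path.isdir(d) else set()


def effective_modules(store_root: str, selinuxtype: str = "targeted"
                      ) -> Dict[str, Tuple[int, str]]:
    """Module name -> (priority, lang_ext) of the copy that gets linked into
    the binary policy: the highest priority wins, disabled names are skipped."""
    disabled = disabled_modules(store_root, selinuxtype)
    effective: Dict[str, Tuple[int, str]] = {}
    for name, by_prio in module_copies(store_root, selinuxtype).items():
        if name in disabled:
            continue
        prio = max(by_prio)
        effective[name] = (prio, by_prio[prio])
    return effective


def overridden_modules(store_root: str, selinuxtype: str = "targeted"
                       ) -> Dict[str, List[int]]:
    """Modules present at more than one priority: every copy but the highest
    is shadowed.  Handy for auditing which distribution modules (priority
    100 in Fedora) a locally installed module has replaced."""
    return {name: sorted(p) for name, p in module_copies(store_root, selinuxtype).items()
            if len(p) > 1}


def build_demo_store() -> str:
    """Constructed sample store in a temp dir mirroring the page's example:
    openstack at 100 (distribution) and 400 (custom), the test module, and a
    module that was disabled with `semodule -d`.  Not a real store."""
    root = tempfile.mkdtemp(prefix="selinux-store-")
    modules = os.path.join(root, "targeted", "active", "modules")
    for prio, name, ext in [(100, "openstack", "pp"), (400, "openstack", "pp"),
                            (400, "mytestmodule", "cil"), (100, "unused", "pp")]:
        d = os.path.join(modules, str(prio), name)
        os.makedirs(d)
        with open(os.path.join(d, "lang_ext"), "w") as f:
            f.write(ext + "\n")
        with open(os.path.join(d, "cil"), "w") as f:
            f.write(";; cil for %s at priority %d\n" % (name, prio))
    os.makedirs(os.path.join(modules, "disabled"))
    open(os.path.join(modules, "disabled", "unused"), "w").close()
    return root


if __name__ == "__main__":
    root = build_demo_store()
    for name, (prio, ext) in sorted(effective_modules(root).items()):
        print("%3d %-15s %s" % (prio, name, ext))   # same columns as semodule -lfull
    print("shadowed:", overridden_modules(root))
```

On a real system, pass store_root_from_semanage_conf(open("/etc/selinux/semanage.conf").read()) instead of the demo root; the overridden_modules report is the one to review after an incident, since a module installed at a high priority silently replaces the distribution's rules for the same name.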
 
== Scope ==
* Proposal owners:
** prepare SELinux userspace packages from the 2015-02-02 release
** prepare SELinux policy packages with the new store location
** prepare a migration script for users' modifications and modules
** check that all packages containing SELinux modules use the right location
** check that all SELinux modules used in Fedora packages are compatible with the new SELinux userspace and are convertible to the CIL language
* Other developers:
** check whether their packages contain SELinux modules and put them in the correct place, /usr/share/selinux/packages
** check whether their SELinux modules are compatible with the new SELinux userspace and are convertible to the CIL language

* Release engineering: N/A

* Policies and guidelines:
** there is no need to update policies
** guidelines which mention the old store location should be updated

* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
There should be no impact on upgrade. Existing modules will be migrated into the new store during the update of the userspace packages, and the selinux-policy package will use the new location by default.

== How To Test ==
* Enable the plautrba/selinux COPR repository and update selinux-policy
 
<pre>
# dnf copr enable plautrba/selinux
 
# dnf update selinux-policy
</pre>

* After the update, reboot in enforcing mode and check that there are no more AVC denials than before the update (for example, compare ausearch -m avc -ts today against a baseline taken before updating)
=== manually ===
 
* Display list of installed modules
<pre># semodule -l</pre>
* Create a policy module and install it.
<pre>
# cat mytestmodule.te
policy_module(mytestmodule, 1.0)
require{
type glusterd_t;
type smbd_t;
}
allow glusterd_t smbd_t:process signal;
 
# dnf install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile mytestmodule.pp
# semodule -i mytestmodule.pp
# semodule --list-modules=full |grep mytestmodule
400 mytestmodule      pp
</pre>
 
* Try to disable/enable/remove the existing module (see semodule -h).
<pre>
# semodule -d mytestmodule
# semodule -e mytestmodule
# semodule -r mytestmodule
</pre>
 
* Convert the compiled policy module to CIL with the pp HLL compiler, then install the CIL module directly.
<pre>
# cat mytestmodule.pp | /usr/libexec/selinux/hll/pp > mytestmodule.cil
# cat mytestmodule.cil
(roleattributeset cil_gen_require system_r)
(typeattributeset cil_gen_require glusterd_t)
(typeattributeset cil_gen_require smbd_t)
(allow glusterd_t smbd_t (process (signal)))
 
# semodule -i mytestmodule.cil
# semodule --list-modules=full |grep mytestmodule
400 mytestmodule      cil
</pre>
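Because the store now caches every module as CIL text, a converted module can be reviewed before semodule -i installs it. The following Python script is an added example, not code from this page or from the SELinux project: it parses CIL s-expressions into nested lists, collects the allow rules (also inside block, optional and in containers) and flags a small watch list of permissions. The sample input is the mytestmodule.cil shown above plus one constructed capability rule; the watch list is an assumption of this example, not anything SELinux defines.

```python
"""Parse a CIL module and list the access it grants.

Added example (not code from this change page or the SELinux project).
The sample is the mytestmodule.cil from the page plus one constructed rule
(marked); WATCH is this example's own list of permissions worth a second
look, not an SELinux definition.
"""
import re
from typing import List, Tuple

CIL_SAMPLE = """
(roleattributeset cil_gen_require system_r)
(typeattributeset cil_gen_require glusterd_t)
(typeattributeset cil_gen_require smbd_t)
(allow glusterd_t smbd_t (process (signal)))
(allow glusterd_t self (capability (sys_admin net_admin)))  ; constructed extra rule
"""

WATCH = {("process", "ptrace"), ("process", "execmem"), ("file", "execmod"),
         ("capability", "sys_admin"), ("capability", "sys_module")}


def parse_cil(text: str) -> list:
    """Turn CIL text into nested Python lists, one per top-level statement.
    CIL is an s-expression language; ';' starts a comment to end of line."""
    tokens: List[str] = []
    for line in text.splitlines():
        tokens.extend(re.findall(r"\(|\)|[^\s()]+", line.split(";", 1)[0]))
    stack: List[list] = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]


def allow_rules(ast: list) -> List[Tuple[str, str, str, Tuple[str, ...]]]:
    """(source, target, class, perms) for every allow statement, descending
    into (block name ...), (optional name ...) and (in name ...) containers."""
    rules: List[Tuple[str, str, str, Tuple[str, ...]]] = []
    for node in ast:
        if not isinstance(node, list) or not node:
            continue
        kw = node[0]
        if kw == "allow" and len(node) == 4:
            src, tgt, cp = node[1], node[2], node[3]
            if isinstance(cp, list) and len(cp) == 2:      # (class (perm ...))
                cls = cp[0]
                perms = tuple(cp[1]) if isinstance(cp[1], list) else (cp[1],)
            else:                                          # named classpermissionset
                cls, perms = str(cp), ("<%s>" % cp,)
            rules.append((src, tgt, cls, perms))
        elif kw in ("block", "optional", "in"):
            rules.extend(allow_rules(node[2:]))
    return rules


def suspicious(rules) -> List[Tuple[str, str, str, str]]:
    """Rules that grant a (class, permission) pair on the watch list."""
    return [(s, t, c, p) for s, t, c, perms in rules for p in perms if (c, p) in WATCH]


if __name__ == "__main__":
    rules = allow_rules(parse_cil(CIL_SAMPLE))
    for r in rules:
        print(r)
    print("review:", suspicious(rules))
```

To review a converted module, feed the output of /usr/libexec/selinux/hll/pp (or the cil file under the store's active/modules/<priority>/<name>/ directory) to parse_cil instead of CIL_SAMPLE.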
 
=== using Fedora cloud image and SELinuxPolicyStoreMigration-tests ===
 
There is a simple test suite based on beakerlib and virsh available on GitHub:
https://github.com/bachradsusi/SELinuxPolicyStoreMigration-tests
 


== User Experience ==
Regular users should not experience any change. The migration should be transparent. The only visible change is the location of the module store, and operations on SELinux modules should be faster.

== Dependencies ==
N/A



== Contingency Plan ==
* use the previous SELinux userspace project release
* use the selinux-policy packages with the policy store located in /etc/selinux

* Contingency mechanism:
** selinux-policy maintainers will revert the selinux-policy spec file changes to use the original store in /etc/selinux
** SELinux userspace maintainers will drop SELinux userspace tools version 2.4 and return to version 2.3
* Contingency deadline: beta freeze
* Blocks release? Yes
* Blocks product? N/A

== Documentation ==
* https://github.com/SELinuxProject/selinux/wiki/Releases
* https://github.com/SELinuxProject/cil/wiki
* https://github.com/SELinuxProject/selinux/wiki/High-Level-Language-Infrastructure
* https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration


== Release Notes ==

[[Category:ChangeAcceptedF23]]
[[Category:SystemWideChange]]

Latest revision as of 14:34, 14 July 2015

