From Fedora Project Wiki
Line 60: Line 60:


<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
Use kernel built with CONFIG_SECURITY_SELINUX_DISABLE=n. CONFIG_SECURITY_SELINUX_DISABLE functionality was originally developed to make it easier for Linux
distributions to support architectures where adding parameters to the
kernel command line was difficult.  Unfortunately, supporting runtime
disable meant we had to make some security trade-offs when it came to
the LSM hooks.


Marking the LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime, e.g. /etc/selinux/config will no longer support "disabled". Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).
CONFIG_SECURITY_SELINUX_DISABLE functionality was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult.
Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it came to the LSM hooks.
 
Marking the LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime.
Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).
System with SELINUX=disabled in /etc/selinux/config will come up with selinuxfs unmounted,
userspace will think SELinux is disabled, but internally SELinux will be enabled with no policy so that there will be no SELinux checks applied.


Additional info:
Additional info:

Revision as of 16:21, 19 August 2020

Important.png
Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.
'
Idea.png
Guidance
For details on how to fill out this form, see the documentation.


Disable CONFIG_SECURITY_SELINUX_DISABLE

Summary

Build kernel without CONFIG_SECURITY_SELINUX_DISABLE, disable writing to a selinuxfs node 'disable' and disable SELinux to be disabled at runtime prior to the policy load. Kernel build without CONFIG_SECURITY_SELINUX_DISABLE can use the '__ro_after_init' kernel hardening feature for security hooks.

Owner


Current status

  • Targeted release: Fedora 34
  • Last updated: 2020-08-19
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

CONFIG_SECURITY_SELINUX_DISABLE functionality was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it came to the LSM hooks.

Marking the LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime. Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).

System with SELINUX=disabled in /etc/selinux/config will come up with selinuxfs unmounted, userspace will think SELinux is disabled, but internally SELinux will be enabled with no policy so that there will be no SELinux checks applied.

Additional info:

Feedback

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

N/A (not a System Wide Change)

User Experience

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes