From Fedora Project Wiki
(Created page with "{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To re...")
 
No edit summary
Line 5: Line 5:
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Change Proposal Name <!-- The name of your change proposal --> =
= Disable CONFIG_SECURITY_SELINUX_DISABLE<!-- The name of your change proposal --> =


== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release.  
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release.  
Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->
Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->
Use kernel built with CONFIG_SECURITY_SELINUX_DISABLE=n. CONFIG_SECURITY_SELINUX_DISABLE functionality was originally developed to make it easier for Linux
distributions to support architectures where adding parameters to the
kernel command line was difficult.  Unfortunately, supporting runtime
disable meant we had to make some security trade-offs when it came to
the LSM hooks.


== Owner ==
== Owner ==
Line 16: Line 22:
This should link to your home wiki page so we know who you are.  
This should link to your home wiki page so we know who you are.  
-->
-->
* Name: [[User:FASAcountName| Your Name]]
* Name: [[User:plautrba| Petr Lautrbach]]
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: <your email address so we can contact you, invite you to meetings, etc. Please provide your Bugzilla email address if it is different from your email in FAS>
* Email: plautrba@redhat.com
* Name: [[User:omos| Ondrej Mosnacek]]
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: omosnace@redhat.com
 
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
Line 35: Line 45:


<!-- Select proper category, default is Self Contained Change -->
<!-- Select proper category, default is Self Contained Change -->
[[Category:SelfContainedChange]]
<!-- [[Category:SelfContainedChange]] -->
<!-- [[Category:SystemWideChange]] -->
[[Category:SystemWideChange]]


* Targeted release: [[Releases/<number> | Fedora <number> ]]  
* Targeted release: [[Releases/34 | Fedora 34 ]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 54: Line 64:


<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
Use kernel built with CONFIG_SECURITY_SELINUX_DISABLE=n. CONFIG_SECURITY_SELINUX_DISABLE functionality was originally developed to make it easier for Linux
distributions to support architectures where adding parameters to the
kernel command line was difficult.  Unfortunately, supporting runtime
disable meant we had to make some security trade-offs when it came to
the LSM hooks.
Marking the LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime, e.g. /etc/selinux/config will no longer support "disabled".  Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).
Additional info:
* https://lwn.net/Articles/666550
* https://lore.kernel.org/selinux/159110207843.57260.5661475689740939480.stgit@chester/
* https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/#t


== Feedback ==
== Feedback ==

Revision as of 15:15, 29 July 2020

Important.png
Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.
Idea.png
Guidance
For details on how to fill out this form, see the documentation.


Disable CONFIG_SECURITY_SELINUX_DISABLE

Summary

Use kernel built with CONFIG_SECURITY_SELINUX_DISABLE=n. CONFIG_SECURITY_SELINUX_DISABLE functionality was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it came to the LSM hooks.

Owner


Current status

  • Targeted release: Fedora 34
  • Last updated: 2020-07-29
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Use kernel built with CONFIG_SECURITY_SELINUX_DISABLE=n. CONFIG_SECURITY_SELINUX_DISABLE functionality was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it came to the LSM hooks.

Marking the LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime, e.g. /etc/selinux/config will no longer support "disabled".  Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).

Additional info:

Feedback

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

N/A (not a System Wide Change)

How To Test

N/A (not a System Wide Change)

User Experience

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes