Bug 1430944

Summary: RFE: disable CONFIG_SECURITY_SELINUX_DISABLE in the kernel
Product: [Fedora] Fedora
Reporter: Paul Moore <pmoore>
Component: kernel
Assignee: Paul Moore <pmoore>
Status: CLOSED DEFERRED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: rawhide
CC: cz172638, gansalmon, ichavero, itamar, jonathan, kernel-maint, lvrabec, madhu.chinakonda, mchehab, omosnace, plautrba, sdsmall, vmojzis
Hardware: All   
OS: Linux   
Last Closed: 2018-09-14 01:21:42 UTC
Type: Bug

Description Paul Moore 2017-03-09 23:33:37 UTC
Description of problem:
The Linux v4.11 release is expected to mark the kernel's LSM hooks as read-only after the system boots when the kernel is built with CONFIG_SECURITY_SELINUX_DISABLE=n.  Marking the LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime, e.g. /etc/selinux/config will no longer support "disabled".  Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).

Additional info:

* https://lwn.net/Articles/666550

Comment 1 Paul Moore 2017-03-09 23:53:57 UTC
Petr, Vit, Lukas,

In order to do this we will likely need some sort of upgrade script that will magically fixup /etc/selinux/config and add the selinux=0 to the boot loader.
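
An added example, not part of the bug report or of any Fedora tooling: a shell audit that flags hosts relying on SELINUX=disabled in /etc/selinux/config without selinux=0 on the kernel command line, which is the case the description says stops working. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (function names are hypothetical): flag hosts that rely on
# SELINUX=disabled in /etc/selinux/config without selinux=0 at boot.

# Print the last uncommented SELINUX= value in a config file, lowercased.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print the value of the last selinux= parameter in a kernel command line file.
cmdline_selinux() {
    tr ' \t' '\n\n' < "$1" | sed -n 's/^selinux=//p' | tail -n 1
}

# Classify a host:
#   disabled-at-boot  selinux=0 is on the kernel command line (keeps working)
#   needs-bootparam   config says disabled, but the command line lacks selinux=0
#   unaffected        enforcing or permissive; runtime toggling is unchanged
audit_selinux_disable() {
    conf=${1:-/etc/selinux/config}
    cmdl=${2:-/proc/cmdline}
    if [ "$(cmdline_selinux "$cmdl")" = "0" ]; then
        echo disabled-at-boot
    elif [ "$(config_mode "$conf")" = "disabled" ]; then
        echo needs-bootparam
    else
        echo unaffected
    fi
}

# Constructed sample: a config with SELINUX=disabled and a kernel command
# line that does not carry selinux=0.
demo() {
    d=$(mktemp -d)
    printf '# SELINUX=enforcing\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$d/cmdline"
    audit_selinux_disable "$d/config" "$d/cmdline"
    rm -rf "$d"
}
demo
```

Called with no arguments, audit_selinux_disable reads /etc/selinux/config and /proc/cmdline on the running host.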

Comment 2 Petr Lautrbach 2017-03-13 13:43:24 UTC
Some things that came to my mind which need to be solved in userspace with regard to this change.

* bootloader - Fedora ARM images use U-Boot instead of GRUB
* Anaconda/kickstart - "selinux --disable" option writes directly to /etc/selinux/config
* Ansible - module "selinux" directly changes "/etc/selinux/config" and there are probably roles in Ansible Galaxy which do the same
* Same for Puppet and other orchestration/deployment tools
* /etc/selinux/config would need to have a BIG WARNING that SELINUX=disabled doesn't work even though the whole internet says it works.

Generally, a lot of possible problems.

Could this feature be opt-in? At least for one release? Well documented and available for everybody who wants to harden his system?

Comment 3 Paul Moore 2017-03-13 13:51:06 UTC
(In reply to Petr Lautrbach from comment #2)
> Some things which came to my mind need to be solved in userspace in regards
> of this change ...

Thanks for putting this list together.  We definitely have a number of things to consider before changing the kernel configuration; this isn't likely to happen soon, or without a FESCo discussion.

> Could this feature be opt-in? At least for one release? Well documented
> and available for everybody who wants to harden his system?

Since this is a kernel compile-time option, the only way to make this opt-in would be to provide a separate kernel.  Possible, but not very desirable.

Comment 4 Paul Moore 2018-01-25 15:50:48 UTC
QUICK NOTE TO SELF: if we want to make this easily detectable at runtime, we may be able to remove the SEL_DISABLE/"disable" inode in selinuxfs.c (we don't currently do this).

Comment 5 Paul Moore 2018-09-14 01:21:42 UTC
Considering everything that would be required to implement this, I'm going to mark this as closed for now.