Bug 1882464

Summary: Remove support for SELinux runtime disable
Product: Fedora
Component: Changes Tracking
Reporter: Ben Cotton <bcotton>
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED CURRENTRELEASE
Version: 34
CC: bcotton, omosnace
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2021-04-27 14:31:07 UTC
Bug Blocks: 1860440

Description Ben Cotton 2020-09-24 16:08:54 UTC
This is a tracking bug for Change: Remove support for SELinux runtime disable
For more details, see: https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

Remove support for SELinux runtime disable so that the LSM hooks can be hardened via read-only-after-initialization protections.

Comment 1 Ondrej Mosnacek 2020-10-01 11:06:57 UTC
Related (first small step on the journey):
https://src.fedoraproject.org/rpms/selinux-policy/c/4cdd6f833212270c4f54b3be6d1471d825ae910d

Comment 2 Ondrej Mosnacek 2020-10-08 10:33:37 UTC
Fedora/ARK kernel PR to disable the config option:
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/685

Comment 3 Ondrej Mosnacek 2020-10-21 08:58:23 UTC
Upstream pull request for Anaconda to disable SELinux via boot param:
https://github.com/rhinstaller/anaconda/pull/2939

Comment 4 Ondrej Mosnacek 2020-10-29 20:29:22 UTC
PR for Fedora quick-docs update:
https://pagure.io/fedora-docs/quick-docs/pull-request/293

Comment 5 Ondrej Mosnacek 2020-11-11 09:53:13 UTC
selinux(8) manpage patch (upstream):
https://lore.kernel.org/selinux/20201111095134.481658-1-omosnace@redhat.com/T/

Comment 6 Ondrej Mosnacek 2021-01-26 14:06:18 UTC
All the important changes have now been applied. The only pending change is updating Ansible's selinux module to disable SELinux via the kernel parameter, but that is not a blocker. It has also been suggested to have some warning printed when the system is booted with SELINUX=disabled in the config file, but no selinux=0 on the kernel command-line (e.g. via a one-shot systemd unit), which is again non-blocking.

Based on the above, moving the status to MODIFIED.
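The warning suggested in the comment above, written out as an added example (not code from Fedora, selinux-policy or this change's own pull requests): a POSIX shell script that a Type=oneshot systemd unit could run at boot. It reads the SELINUX= mode from a selinux config file and looks for selinux=0 on the kernel command line, and warns on the combination the comment describes, SELINUX=disabled without selinux=0, which no longer disables SELinux once runtime disable is gone. The real locations are /etc/selinux/config and /proc/cmdline, but the functions take the paths as arguments so the demo can run against constructed files; the function names, the warning text and the "last assignment wins" parsing rule are assumptions of this example.

```shell
#!/bin/sh
# Added example: the "SELINUX=disabled without selinux=0" boot warning
# suggested in the bug, as a script for a Type=oneshot systemd unit.
# Not Fedora's or selinux-policy's code; function names and messages are
# assumptions. File paths are parameters so the demo works on constructed input.

# Print the SELINUX= value from a selinux config file, lower-cased.
# Assumption: the last uncommented assignment wins; prints nothing if unset.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Succeed if the kernel command line (space-separated tokens) contains selinux=0.
cmdline_has_selinux0() {
    tr ' ' '\n' < "$1" | grep -qx 'selinux=0'
}

# Succeed when the config asks for the removed runtime disable but the kernel
# was not told to disable SELinux: the state the warning is meant to catch.
runtime_disable_mismatch() {
    mode=$(selinux_config_mode "$1")
    [ "$mode" = "disabled" ] && ! cmdline_has_selinux0 "$2"
}

# Emit the warning for the given files. Always exits 0 so a oneshot unit
# running this does not fail the boot. Defaults are the real locations.
warn_if_runtime_disable() {
    cfg=${1:-/etc/selinux/config}
    cmd=${2:-/proc/cmdline}
    if runtime_disable_mismatch "$cfg" "$cmd"; then
        echo "warning: $cfg sets SELINUX=disabled but selinux=0 is not on the kernel command line;" \
             "runtime disable is no longer supported, add selinux=0 to the kernel parameters" >&2
    fi
    return 0
}

# Demo on constructed input (not a real system's files).
demo() {
    tmp=$(mktemp -d)
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp/config"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet\n' > "$tmp/cmdline"
    warn_if_runtime_disable "$tmp/config" "$tmp/cmdline"   # warns on stderr
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro selinux=0 quiet\n' > "$tmp/cmdline"
    warn_if_runtime_disable "$tmp/config" "$tmp/cmdline"   # silent
    rm -rf "$tmp"
}

demo
```

Run with no arguments on a real system to check /etc/selinux/config against /proc/cmdline; the warning goes to stderr, which a oneshot unit would land in the journal. The mismatch check deliberately treats a missing or non-"disabled" SELINUX= value as fine, since only the disabled-in-config case is the one that silently stopped working.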

Comment 7 Ben Cotton 2021-02-16 15:52:04 UTC
Reminder: The change complete (100% complete) deadline for Fedora 34 changes is Tuesday 23 February. At that point, changes should be 100% code complete, along with supporting documentation where appropriate. Please indicate this by setting the tracker bug for your change to ON_QA.

Comment 8 Ondrej Mosnacek 2021-02-22 13:36:59 UTC
The supporting changes to ansible are only in the form of a PR at this point, but otherwise the change can be considered code complete.

Comment 9 Ben Cotton 2021-04-27 14:31:07 UTC
Closing Changes Tracking bugs for the Fedora Linux 34 release. If your change did not make it into the release, please reopen and needinfo bcotton.