1430944 – RFE: disable CONFIG_SECURITY_SELINUX_DISABLE in the kernel

Bug 1430944 - RFE: disable CONFIG_SECURITY_SELINUX_DISABLE in the kernel

Summary: RFE: disable CONFIG_SECURITY_SELINUX_DISABLE in the kernel

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	---
Assignee:	Paul Moore
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-03-09 23:33 UTC by Paul Moore
Modified:	2019-12-09 13:39 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2018-09-14 01:21:42 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Paul Moore 2017-03-09 23:33:37 UTC

Description of problem:
The Linux v4.11 release is expected to mark the kernel's LSM hooks as read-only after the system boots when the kernel is built with CONFIG_SECURITY_SELINUX_DISABLE=n.  Marking the LSM hooks as read only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime, e.g. /etc/selinux/config will no longer support "disabled".  Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).

Additional info:

* https://lwn.net/Articles/666550

Comment 1 Paul Moore 2017-03-09 23:53:57 UTC

Petr, Vit, Lukas,

In order to do this we will likely need some sort of upgrade script that will magically fixup /etc/selinux/config and add the selinux=0 to the boot loader.

Comment 2 Petr Lautrbach 2017-03-13 13:43:24 UTC

Some things which came to my mind need to be solved in userspace in regards of this change.

* bootloader - Fedora Arm images uses UBoot instead of GRUB
* Anaconda/kickstart - "selinux --disable" option writes directly to /etc/selinux/config
* Ansible - module "selinux" changes directly "/etc/selinux/config" and there are probably roles in Ansible Galaxy which do the same
* Same for Puppet are other orchestration/deployment tools
* /etc/selinux/config would need to have a BIG WARNING that SELINUX=disabled doesn't work even though the whole internet says it works.

Generally lot of possible problems.

Could this feature to be opt-in? At least for one release? Well documented and available for everybody who wants to harden his system?

Comment 3 Paul Moore 2017-03-13 13:51:06 UTC

(In reply to Petr Lautrbach from comment #2)
> Some things which came to my mind need to be solved in userspace in regards
> of this change ...

Thanks for putting this list together.  We definitely have a number of things to consider before changing the kernel configuration; this isn't likely to happen soon, or without a FESCo discussion.

> Could this feature to be opt-in? At least for one release? Well documented
> and available for everybody who wants to harden his system?

Since this is a kernel compile-time option, the only way to make this opt-in would be to provide a separate kernel.  Possible, but not very desirable.

Comment 4 Paul Moore 2018-01-25 15:50:48 UTC

QUICK NOTE TO SELF: if we want to make this easily detectable at runtime, we may be able to remove the SEL_DISABLE/"disable" inode in selinuxfs.c (we don't currently do this).

Comment 5 Paul Moore 2018-09-14 01:21:42 UTC

Considering everything that would be required to implement this, I'm going to mark this as closed for now.

Note You need to log in before you can comment on or make changes to this bug.