Description of problem:
The Linux v4.11 release is expected to mark the kernel's LSM hooks as read-only after the system boots when the kernel is built with CONFIG_SECURITY_SELINUX_DISABLE=n. Marking the LSM hooks as read-only provides some very nice security benefits, but it does mean that we can no longer disable SELinux at runtime, e.g. /etc/selinux/config will no longer support "disabled". Toggling between enforcing and permissive mode while booted will remain unaffected and it will still be possible to disable SELinux by adding "selinux=0" to the kernel command line via the boot loader (GRUB).
Petr, Vit, Lukas,
In order to do this we will likely need some sort of upgrade script that will magically fixup /etc/selinux/config and add the selinux=0 to the boot loader.
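As an added illustration of the kind of check such an upgrade script would need (this is constructed example code, not from the bug or from Fedora), the functions below compare the SELINUX= setting in /etc/selinux/config against the kernel's CONFIG_SECURITY_SELINUX_DISABLE option and the boot command line, and report when "disabled" is silently ignored. It assumes the kernel config is available as /boot/config-$(uname -r) and takes all paths as arguments so it can run against copies; the sample files at the end are constructed.

```shell
#!/bin/sh
# Audit whether SELINUX=disabled in a selinux config file can actually take
# effect, given the running kernel's build config and command line.

# Print the last SELINUX= value from a selinux config file (comments ignored).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if the kernel config still permits disabling SELinux at runtime.
kernel_runtime_disable_supported() {
    grep -q '^CONFIG_SECURITY_SELINUX_DISABLE=y$' "$1"
}

# Succeed if the kernel command line carries selinux=0.
cmdline_disables_selinux() {
    grep -Eq '(^|[[:space:]])selinux=0([[:space:]]|$)' "$1"
}

# Verdict: 0 = setting takes effect, 1 = works now but will break once
# CONFIG_SECURITY_SELINUX_DISABLE=n, 2 = SELINUX=disabled is ignored.
selinux_disable_audit() {
    mode=$(selinux_config_mode "$1")
    [ -n "$mode" ] || mode=enforcing
    if [ "$mode" != "disabled" ]; then
        echo "ok: SELINUX=$mode is honoured at runtime"
        return 0
    fi
    if cmdline_disables_selinux "$3"; then
        echo "ok: SELINUX=disabled is backed by selinux=0 on the kernel command line"
        return 0
    fi
    if kernel_runtime_disable_supported "$2"; then
        echo "warn: SELINUX=disabled works on this kernel but needs selinux=0 in the boot loader before upgrading"
        return 1
    fi
    echo "error: SELINUX=disabled is ignored by this kernel; pass selinux=0 via the boot loader"
    return 2
}

# Demo on constructed sample files (not the real system files).
demo_dir=$(mktemp -d)
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
printf 'CONFIG_SECURITY_SELINUX=y\n# CONFIG_SECURITY_SELINUX_DISABLE is not set\n' > "$demo_dir/kconfig"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$demo_dir/cmdline"
selinux_disable_audit "$demo_dir/config" "$demo_dir/kconfig" "$demo_dir/cmdline" || true
rm -rf "$demo_dir"
```

On a live Fedora system the same check is `selinux_disable_audit /etc/selinux/config /boot/config-$(uname -r) /proc/cmdline`.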
Some things which came to my mind need to be solved in userspace in regard to this change.
* bootloader - Fedora ARM images use U-Boot instead of GRUB
* Anaconda/kickstart - "selinux --disable" option writes directly to /etc/selinux/config
* Ansible - module "selinux" changes directly "/etc/selinux/config" and there are probably roles in Ansible Galaxy which do the same
* Same for Puppet and other orchestration/deployment tools
* /etc/selinux/config would need to have a BIG WARNING that SELINUX=disabled doesn't work even though the whole internet says it works.
Generally, a lot of possible problems.
Could this feature be opt-in? At least for one release? Well documented and available for everybody who wants to harden his system?
(In reply to Petr Lautrbach from comment #2)
> Some things which came to my mind need to be solved in userspace in regards
> of this change ...
Thanks for putting this list together. We definitely have a number of things to consider before changing the kernel configuration; this isn't likely to happen soon, or without a FESCo discussion.
> Could this feature to be opt-in? At least for one release? Well documented
> and available for everybody who wants to harden his system?
Since this is a kernel compile-time option, the only way to make this opt-in would be to provide a separate kernel. Possible, but not very desirable.
QUICK NOTE TO SELF: if we want to make this easily detectable at runtime, we may be able to remove the SEL_DISABLE/"disable" inode in selinuxfs.c (we don't currently do this).
Considering everything that would be required to implement this, I'm going to mark this as closed for now.