Bug 1663550 - sestatus and getenforce report incorrect SELinux status if /etc/selinux/config is missing
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libselinux   
Version: 7.6
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Vit Mojzis
QA Contact: Milos Malik
Reported: 2019-01-04 20:05 UTC by Viliam Pucik
Modified: 2019-02-27 14:10 UTC
Last Closed: 2019-02-27 14:10:30 UTC
Type: Bug

Description Viliam Pucik 2019-01-04 20:05:43 UTC
Description of problem:

In case SELinux is already in enforcing or permissive mode and then /etc/selinux/config is removed, then sestatus and getenforce commands incorrectly report that SELinux is disabled.


How reproducible:

Enable SELinux in RHEL 7.x and remove /etc/selinux/config file.


Steps to Reproduce:

1. Verify that the current SELinux mode is enforcing or permissive:

[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

2. Delete or remove /etc/selinux/config

mv -b /etc/selinux/config /etc/selinux/config.backup

3. Observe that SELinux seems to be disabled; however, applications are still protected by SELinux, as can be seen in /var/log/audit/audit.log:

[root@localhost ~]# getenforce
Disabled
[root@localhost ~]# sestatus
SELinux status: disabled


Actual results:

SELinux is reported as disabled.


Expected results:

The real SELinux mode, in this case enforcing, should be reported.

Comment 2 Daniel Walsh 2019-01-04 20:40:04 UTC
This was a change added by the Android team to libselinux to report SELinux is disabled if the config file does not exist.

I believe you can just place an empty file there and the library will report the correct results.

Comment 3 Viliam Pucik 2019-01-04 20:45:42 UTC
Thank you for the explanation!

Is it correct behavior to report SELinux as disabled if in fact SELinux is not in disabled mode?

Maybe it would be better if the Android team checked first whether the file exists instead of messing with libselinux, which has a global, system-wide impact.

Comment 4 Petr Lautrbach 2019-01-04 21:37:48 UTC
It's a little bit complicated.

First, is_selinux_enabled() was changed to check if /sys/fs/selinux is mounted, and if it's not mounted, SELinux was considered as disabled - https://github.com/SELinuxProject/selinux/commit/685f4aeeadc0b60f3770404d4f149610d656e3c8

But it broke systems which didn't use selinux=0 or SELINUX=disabled due to the fact that when SELinux is enabled in kernel, /sys/fs/selinux is mounted when there's no selinux=0 and unmounted when SELINUX=disabled is used - https://bugzilla.redhat.com/show_bug.cgi?id=1219045

Therefore there's another check if /etc/selinux/config exists as this file should exist in all standard SELinux enabled systems.

On the other hand, getenforce reads /sys/fs/selinux directly and probably doesn't need to use is_selinux_enabled(), and the same statement could be applied to sestatus as well - at least for some parts of the output.

Comment 5 Daniel Walsh 2019-01-04 22:11:55 UTC
Part of this is for containers.  We want libselinux to lie to the processes within a container and tell them SELinux is disabled.

https://danwalsh.livejournal.com/73099.html

Comment 6 Viliam Pucik 2019-01-05 11:45:02 UTC
Many thanks for further explanation and especially for the blog post, Daniel!

What would be a reliable way for system administrators to determine if SELinux is in fact active in their OSes if getenforce/sestatus might purposefully "lie" to them in edge cases? Just asking.

Comment 7 Daniel Walsh 2019-01-05 12:51:35 UTC
Well most systems have /etc/selinux/config.  Why does this system not have it?

cat /proc/self/attr/current

Will show if you have a label.

Comment 8 Viliam Pucik 2019-01-05 13:05:26 UTC
One of the dev VM systems had /etc/selinux/config removed by a previous admin in order to disable SELinux, and then a snapshot of the system was taken. The VM was restored from the snapshot a couple of times, and because the machine was booted, everybody trusted sestatus/getenforce saying SELinux is in disabled mode. As it turned out, SELinux was still in permissive mode and it was hard to find out what was going on.
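
A way to answer the question in Comment 6 from kernel interfaces alone, as an added example that is not part of the bug thread or of libselinux: it reads selinuxfs and the process label directly and flags the situation from Comment 8, where the kernel has SELinux active but /etc/selinux/config is missing. The function names and the ROOT prefix argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example: read SELinux state from kernel interfaces only.
# ROOT ($1) is a hypothetical prefix so the functions can run against a
# constructed directory tree; pass nothing on a live system.

# Print enforcing|permissive from selinuxfs, or "absent" if it is not visible.
selinux_kernel_mode() {
    enforce="${1%/}/sys/fs/selinux/enforce"
    [ -r "$enforce" ] || { echo absent; return 0; }
    case "$(cat "$enforce")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Print this process's SELinux context (user:role:type[:level]), or "none".
# Other LSMs use the same file, so values without that shape are ignored.
selinux_process_label() {
    attr="${1%/}/proc/self/attr/current"
    label=""
    if [ -r "$attr" ]; then
        # The value may carry a trailing NUL; the read may fail if SELinux is off.
        label=$(tr -d '\000' < "$attr" 2>/dev/null || true)
    fi
    case "$label" in
        *:*:*) echo "$label" ;;
        *)     echo none ;;
    esac
}

# One-line verdict: kernel state versus the /etc/selinux/config existence
# check that the thread says libselinux applies.
selinux_audit() {
    root="${1%/}"
    mode=$(selinux_kernel_mode "$root")
    label=$(selinux_process_label "$root")
    if [ "$mode" = absent ] && [ "$label" = none ]; then
        echo "inactive mode=$mode label=$label"
    elif [ ! -e "$root/etc/selinux/config" ]; then
        echo "MISMATCH mode=$mode label=$label config=missing"
    else
        echo "active mode=$mode label=$label"
    fi
}

selinux_audit "${1:-}"
```

A MISMATCH line means the kernel is enforcing or permissive while tools that depend on the config-file check described in the thread will say "disabled".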

Comment 9 Zdenek Pytela 2019-02-27 14:10:30 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

