Generally, I would appreciate it if the proposal were more readable to a
casual Fedora user/developer. I don't think the current state and what is
going to be changed are clearly described. Also, there is a lot of
unclear terminology, e.g. I have no idea what "LSM hooks" are.
"Migrate users to using ''selinux=0''" probably refers to the kernel command
line, but why is it not mentioned in the summary?



On 08. 09. 20 at 17:28, Ben Cotton wrote:
> == Summary ==
> Remove support for SELinux runtime disable so that the LSM hooks can
> be hardened via read-only-after-initialization protections.
> Migrate users to using ''selinux=0'' if they want to disable SELinux.
> == Owner ==
> * Name: [[User:plautrba| Petr Lautrbach]]
> * Email:
> * Name: [[User:omos| Ondrej Mosnacek]]
> * Email:
> == Detailed Description ==
> Support for SELinux runtime disable via ''/etc/selinux/config'' was
> originally developed to make it easier for Linux distributions to
> support architectures where adding parameters to the kernel command
> line was difficult.
> Unfortunately, supporting runtime disable meant we had to make some
> security trade-offs when it comes to the kernel LSM hooks.
> Marking the kernel LSM hooks as read only provides some very nice
> security benefits, but it does mean that we can no longer disable
> SELinux at runtime.
> Toggling between enforcing and permissive mode while booted will
> remain unaffected and it will still be possible to disable SELinux by
> adding ''selinux=0'' to the kernel command line via the boot loader
> (GRUB).
> Systems with ''SELINUX=disabled'' in ''/etc/selinux/config'' will come
> up with ''/sys/fs/selinuxfs'' unmounted, and
> userspace will detect SELinux as disabled. Internally SELinux will be
> enabled but not initialized, so that there will be no SELinux checks
> applied.
> NOTE: Runtime disable is considered deprecated by upstream, and using
> it will become increasingly painful (e.g. sleeping/blocking) through
> future kernel releases until eventually it is removed completely.
> The current kernel reports the following message during runtime disable:
> ''SELinux:  Runtime disable is deprecated, use selinux=0 on the kernel
> cmdline''
> Additional info:
> *
> * 
> * 
> == Benefit to Fedora ==
> Marking the LSM hooks as read-only provides extra security hardening
> against certain attacks, e.g. in case an attacker gains the ability to
> write to random kernel memory locations, with support for disabling
> SELinux at runtime (''CONFIG_SECURITY_SELINUX_DISABLE=y'') they have a
> bigger chance to turn off (parts of) SELinux permission checking.
> == Scope ==
> * Proposal owners:
> ** Make sure the kernel is built with
> ** Make sure the relevant documentation is updated in a way that
> ''selinux=0'' on kernel command line is the preferred way to disable
> SELinux.
> *** 
> *** ''selinux(8)'' man page
> ** Make sure [ the installer]
> uses the kernel command line instead of ''/etc/selinux/config'' to
> disable SELinux.
> ** Optional: 
> [
> ''selinux'' Ansible module] should warn that SELinux needs to be
> disabled using ''selinux=0''.
> ** Optional: [
> linux-system-roles.selinux] should disable SELinux using
> ''selinux=0''.
> * Other developers: N/A
> * Release engineering:
> * Policies and guidelines: N/A
> * Trademark approval: N/A (not needed for this Change)
> == Upgrade/compatibility impact ==
> Users should not be directly affected by this change.
> == How To Test ==
> # Install a kernel built with ''CONFIG_SECURITY_SELINUX_DISABLE''
> disabled, e.g. from
> # Confirm that SELinux is disabled when ''selinux=0'' is used on
> kernel command line.
> # Confirm that userspace considers SELinux disabled when
> ''SELINUX=disabled'' is used in ''/etc/selinux/config''.
> # Confirm that userspace considers SELinux disabled when there is no
> ''/etc/selinux/config''.
> # Confirm that the system works as expected in all previous cases.
> == User Experience ==
> There's no visible change for users with SELinux enabled.
> Users with ''SELINUX=disabled'' in ''/etc/selinux/config'' and without
> ''selinux=0'' on kernel command line might notice that `ps Z` command
> uses ''kernel'' domain for processes, while with ''selinux=0'' `ps Z`
> prints '-'.
> These users will also be able to load SELinux policy after boot.
> == Dependencies ==
> Upstream kernel SELinux subsystem waits for this change in order to
> remove CONFIG_SECURITY_SELINUX_DISABLE functionality -
> == Contingency Plan ==
> * Contingency mechanism:  Revert the kernel build option change and
> build kernel with ''CONFIG_SECURITY_SELINUX_DISABLE=y''
> * Contingency deadline: Beta freeze
> * Blocks release? No
> == Documentation ==
> == Release Notes ==
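A small checker for the scenarios in the proposal's "How To Test" section, added here as an example; it is not part of the Change proposal or of the SELinux project. It assumes the paths used on Fedora: /proc/cmdline, /etc/selinux/config, /sys/fs/selinux as the selinuxfs mount point (its "enforce" node exists only while selinuxfs is mounted) and /boot/config-$(uname -r) for the kernel build configuration. The state names it prints (cmdline-disabled, config-disabled, enabled, inconsistent, not-initialized) are the example's own, chosen to match the cases the proposal distinguishes: SELinux never enabled because of ''selinux=0'', enabled-but-uninitialized because of ''SELINUX=disabled'' or a missing config, and fully enabled.

```shell
#!/bin/sh
# Added example (not part of the Fedora Change proposal): classify how a booted
# system ended up with SELinux on or off, and whether the running kernel was
# built with runtime disable. Every path is a parameter so the functions can be
# exercised against constructed files as well as the live system.

# Succeeds when selinux=0 is present on the kernel command line in file $1.
cmdline_disables_selinux() {
    [ -r "$1" ] && tr ' ' '\n' < "$1" | grep -qx 'selinux=0'
}

# Print the SELINUX= value from config file $1 (enforcing, permissive or
# disabled); "missing" when the file does not exist, "unset" when no line.
config_mode() {
    [ -r "$1" ] || { echo missing; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-unset}"
}

# Succeeds when kernel config file $1 still contains
# CONFIG_SECURITY_SELINUX_DISABLE=y, i.e. runtime disable is possible and the
# LSM hooks cannot be made read-only after init.
kernel_allows_runtime_disable() {
    [ -r "$1" ] && grep -qx 'CONFIG_SECURITY_SELINUX_DISABLE=y' "$1"
}

# Succeeds when selinuxfs is mounted at directory $1 (assumption: the
# "enforce" node is only present on a mounted selinuxfs).
selinuxfs_mounted() {
    [ -e "$1/enforce" ]
}

# Classify the boot: $1 cmdline file, $2 selinux config file, $3 selinuxfs dir.
#   cmdline-disabled  selinux=0 was used; the kernel never enabled SELinux
#   config-disabled   SELINUX=disabled or no config: selinuxfs unmounted,
#                     userspace sees "disabled", kernel has SELinux enabled but
#                     uninitialized (policy could still be loaded later)
#   enabled           selinuxfs mounted and config asks for SELinux
#   inconsistent      selinuxfs mounted although config says disabled/missing
#   not-initialized   config asks for SELinux but selinuxfs is not mounted
classify_boot() {
    if cmdline_disables_selinux "$1"; then
        echo cmdline-disabled
        return 0
    fi
    mode=$(config_mode "$2")
    if selinuxfs_mounted "$3"; then
        case "$mode" in
            disabled|missing) echo inconsistent ;;
            *) echo enabled ;;
        esac
    else
        case "$mode" in
            disabled|missing) echo config-disabled ;;
            *) echo not-initialized ;;
        esac
    fi
}

# Inspect the running system; paths can be overridden through the environment.
main() {
    cmd=${CMDLINE_FILE:-/proc/cmdline}
    cfg=${SELINUX_CONFIG:-/etc/selinux/config}
    fs=${SELINUXFS_DIR:-/sys/fs/selinux}
    kcfg=${KERNEL_CONFIG:-/boot/config-$(uname -r)}
    printf 'boot state: %s (config mode: %s)\n' \
        "$(classify_boot "$cmd" "$cfg" "$fs")" "$(config_mode "$cfg")"
    if kernel_allows_runtime_disable "$kcfg"; then
        echo "kernel: CONFIG_SECURITY_SELINUX_DISABLE=y, runtime disable still possible"
    else
        echo "kernel: runtime disable not built in, LSM hooks can be read-only after init"
    fi
}

# Usage: sh selinux_check.sh --live
if [ "${1:-}" = "--live" ]; then
    main
fi
```

On a system booted with ''SELINUX=disabled'' but no ''selinux=0'' the checker reports config-disabled, which is exactly the state the User Experience section describes: userspace says disabled, yet a policy can still be loaded later. Only cmdline-disabled corresponds to SELinux being off from the kernel's point of view.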