[kernel-bugs] [Bug 1176923] New: CONFIG_SECURITY_SELINUX_DISABLE deprecated
https://bugzilla.suse.com/show_bug.cgi?id=1176923

Bug ID: 1176923
Summary: CONFIG_SECURITY_SELINUX_DISABLE deprecated
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: kukuk@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

https://www.phoronix.com/scan.php?page=news_item&px=Fedora-34-Drop-SELinux-Runtime
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Di...
https://lwn.net/Articles/831748/

As CONFIG_SECURITY_SELINUX_DISABLE got deprecated with version 5.6, we should disable it, so that, if we restart our SELinux efforts now because of CarWos and MicroOS, we do it "right" from the beginning.

-- You are receiving this mail because: You are the assignee for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c1

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---
Read that yesterday. From a security POV this is of course great. It's going to be interesting how well this will be accepted.
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c2

Jiri Slaby <jslaby@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rgoldwyn@suse.com

--- Comment #2 from Jiri Slaby <jslaby@suse.com> ---
So can anyone sum up what's needed on the openSUSE side before we disable the kernel option? Do we support selinux at all? Do we need to pass selinux=0 by default?
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c3

--- Comment #3 from Michal Kubeček <mkubecek@suse.com> ---
IIUC this is about deprecating *runtime* disable of SELinux so it should not affect the kernel command line parameter. IIRC we have inverted the default in our kernels so that even if SELinux is compiled in, it is disabled by default and needs "selinux=1" command line parameter to have it enabled.
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c4

--- Comment #4 from Thorsten Kukuk <kukuk@suse.com> ---
(In reply to Jiri Slaby from comment #2)
> So can anyone sum up what's needed on the openSUSE side before we disable
> the kernel option?

Nothing. One option in /etc/selinux/config will stop working, but since SELinux is disabled by default and we do not yet ship a policy, that's not a problem. I doubt that anybody built their own policy, installed it, enabled SELinux on the command line only to disable it in userland in a config file shipped with their policy. Anyone doing that has been getting a warning for some time now.

> Do we support selinux at all?

We have supported SELinux since SLE11, even if we never really invested in it. SELinux will be mandatory for Carwos and MicroOS, and we have now hired somebody who is to maintain the policies for these products.

> Do we need to pass selinux=0 by default?

For this change, no. The code to disable SELinux at runtime is currently not even part of openSUSE (the config file is missing).
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c5

--- Comment #5 from Michal Kubeček <mkubecek@suse.com> ---
For the record, according to the documents linked before, /etc/selinux/config is only a userspace configuration file; the actual interface we are talking about is /sys/fs/selinux/disable which, according to the documentation I found (it's a long time since I tried to play with SELinux), allows disabling SELinux when 1 is written to it before loading the policy. This sysfs interface is only available when CONFIG_SECURITY_SELINUX_DISABLE is enabled in the kernel configuration.
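The distinction made in comments #3 and #5, between the boot-time selinux= parameter and the runtime /sys/fs/selinux/disable knob that CONFIG_SECURITY_SELINUX_DISABLE gates, is easy to check on a given kernel. The script below is an added example, not part of the bug report or of any SUSE tooling. It assumes the usual locations on a live system (a /boot/config-* style kernel config, /proc/cmdline, and selinuxfs mounted at /sys/fs/selinux) but takes every input as an argument so that it runs offline against constructed sample files. The build's default when no selinux= parameter is present is also an argument, because, as comment #3 says, SUSE kernels invert the mainline default. Treating the last selinux= token as the effective one is this script's own assumption.

```sh
#!/bin/sh
# Added example (not from the bug report): tell apart the two ways SELinux
# can be switched off on a kernel build:
#   * at runtime via /sys/fs/selinux/disable, which exists only when
#     CONFIG_SECURITY_SELINUX_DISABLE=y (the interface this bug removes);
#   * at boot via the selinux= kernel command line parameter.
# All inputs are explicit parameters so the checks can run against sample
# data. On a live system pass /boot/config-$(uname -r), /proc/cmdline and
# /sys/fs/selinux (assumed standard locations).

# Print "y" if the kernel config still enables the runtime-disable
# interface, "n" otherwise (also for "# ... is not set" lines).
selinux_runtime_disable_in_config() {
    if grep -q '^CONFIG_SECURITY_SELINUX_DISABLE=y$' "$1"; then
        echo y
    else
        echo n
    fi
}

# Print "present" if the runtime knob exists under the given selinuxfs
# mount point, "absent" otherwise.
selinux_runtime_disable_knob() {
    if [ -e "$1/disable" ]; then
        echo present
    else
        echo absent
    fi
}

# Resolve the boot-time state from a kernel command line.
#   $1: command line string
#   $2: default when no selinux= is given ("enabled" for mainline,
#       "disabled" for kernels that invert the default as in comment #3)
# Assumption of this script: if selinux= is repeated, the last one wins.
selinux_boot_state() {
    cmdline=$1
    state=$2
    for tok in $cmdline; do
        case $tok in
            selinux=0) state=disabled ;;
            selinux=1) state=enabled ;;
        esac
    done
    echo "$state"
}

# The practical question from comments #4 and #5: can userspace still turn
# SELinux off after boot on this kernel? Requires both the config option
# and the knob (the latter also needs selinuxfs to be mounted).
selinux_runtime_disable_possible() {
    if [ "$(selinux_runtime_disable_in_config "$1")" = y ] &&
       [ "$(selinux_runtime_disable_knob "$2")" = present ]; then
        echo yes
    else
        echo no
    fi
}

# Demo on constructed sample data (not captured from a real system).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'CONFIG_SECURITY_SELINUX=y' \
        'CONFIG_SECURITY_SELINUX_DISABLE=y' > "$tmp/config-old"
    printf '%s\n' 'CONFIG_SECURITY_SELINUX=y' \
        '# CONFIG_SECURITY_SELINUX_DISABLE is not set' > "$tmp/config-new"
    mkdir -p "$tmp/selinuxfs-old" "$tmp/selinuxfs-new"
    : > "$tmp/selinuxfs-old/disable"
    echo "old build, runtime disable possible: $(selinux_runtime_disable_possible "$tmp/config-old" "$tmp/selinuxfs-old")"
    echo "new build, runtime disable possible: $(selinux_runtime_disable_possible "$tmp/config-new" "$tmp/selinuxfs-new")"
    echo "inverted default, no parameter:      $(selinux_boot_state 'root=/dev/sda2 quiet' disabled)"
    echo "inverted default, selinux=1 given:   $(selinux_boot_state 'root=/dev/sda2 quiet selinux=1' disabled)"
    rm -rf "$tmp"
}
demo
```

On a live SUSE kernel the same functions would be called as `selinux_runtime_disable_possible /boot/config-$(uname -r) /sys/fs/selinux` and `selinux_boot_state "$(cat /proc/cmdline)" disabled`; with the option turned off as done in this bug, the first reports "no" and the only remaining switch is the boot parameter.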
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c6

--- Comment #6 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Michal Kubeček from comment #3)
> IIUC this is about deprecating *runtime* disable of SELinux so it should not
> affect the kernel command line parameter.

I was not sure about SUSE's userspace setup, so I was afraid SECURITY_SELINUX_DISABLE=n would enable SELinux, but:

> IIRC we have inverted the default in our kernels so that even if SELinux is
> compiled in, it is disabled by default and needs "selinux=1" command line
> parameter to have it enabled.

So everything should be fine. So I suppose you will switch it in master and I will inherit it into stable on the 5.9 merge (likely next week), right?
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c7

--- Comment #7 from Michal Kubeček <mkubecek@suse.com> ---
As the plan is to drop the option in mainline (not sure when) and it has been documented as deprecated since 5.6, it makes sense to disable it in master now. I'll disable it in master this week so that Tumbleweed can inherit the change with the upgrade to 5.9 (whether it's released this weekend or the week after).
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c8

--- Comment #8 from Michal Kubeček <mkubecek@suse.com> ---
CONFIG_SECURITY_SELINUX_DISABLE is now disabled in master (all configs).
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c9

Jiri Slaby <jslaby@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Michal Kubeček from comment #8)
> CONFIG_SECURITY_SELINUX_DISABLE is now disabled in master (all configs).

And in stable too.