[kernel-bugs] [Bug 1176923] New: CONFIG_SECURITY_SELINUX_DISABLE deprecated
https://bugzilla.suse.com/show_bug.cgi?id=1176923

            Bug ID: 1176923
           Summary: CONFIG_SECURITY_SELINUX_DISABLE deprecated
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
          Assignee: kernel-bugs@opensuse.org
          Reporter: kukuk@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

https://www.phoronix.com/scan.php?page=news_item&px=Fedora-34-Drop-SELinux-Runtime
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Di...
https://lwn.net/Articles/831748/

As CONFIG_SECURITY_SELINUX_DISABLE got deprecated with version 5.6, we should disable it, so that, if we restart our SELinux efforts now because of CarWos and MicroOS, we do it "right" from the beginning.

--
You are receiving this mail because:
You are the assignee for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c1
--- Comment #1 from Johannes Segitz
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c2
Jiri Slaby
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c3
--- Comment #3 from Michal Kubeček
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c4
--- Comment #4 from Thorsten Kukuk
> So can anyone sum up what's needed on the openSUSE side before we disable the kernel option?

Nothing. One option in /etc/selinux/config will stop working, but since selinux is disabled by default and we do not yet ship a policy, that's not a problem. I doubt that anybody built his own policy, installed it, enabled selinux on the command line, only to disable it in userland in a config file shipped with his policy. He has been getting a warning for some time if he does so.

> Do we support selinux at all?

We have supported SELinux since SLE11, even if we never really invested in it. SELinux will be mandatory for Carwos and MicroOS, and we have now hired somebody who should maintain the policies for these products.

> Do we need to pass selinux=0 by default?

For this change, no. The code to disable SELinux at runtime is currently not even part of openSUSE (the config file is missing).
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c5
--- Comment #5 from Michal Kubeček
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c6
--- Comment #6 from Jiri Slaby
> IIUC this is about deprecating *runtime* disable of SELinux so it should not affect the kernel command line parameter.

I was not sure about SUSE's userspace setup, so I was afraid SECURITY_SELINUX_DISABLE=n would enable selinux, but:

> IIRC we have inverted the default in our kernels so that even if SELinux is compiled in, it is disabled by default and needs "selinux=1" command line parameter to have it enabled.

So everything should be fine. So I suppose you will switch it in master and I will inherit it into stable on the 5.9 merge (likely next week), right?
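The interaction discussed in the comments above, as an added example that is not part of the bug report: a shell check that classifies a host from its kernel config, its /etc/selinux/config and its kernel command line. It assumes the option that stops working is `SELINUX=disabled`; the function names and the fourth argument (the kernel's behaviour when `selinux=` is absent, 0 for the inverted default described in the thread) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): does this host depend on the
# deprecated SELinux runtime disable? File paths are arguments so the check
# can be run on copies of the files.

# y/m/n value of a Kconfig symbol; "is not set" or absent counts as n.
kconfig_value() {  # $1 = kernel config file, $2 = symbol
    v=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-n}"
}

# SELINUX= mode from an /etc/selinux/config style file (SELINUXTYPE= is ignored).
selinux_config_mode() {  # $1 = config file
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Last selinux= value on a kernel command line, or the default in $2 if absent.
boot_selinux() {  # $1 = command line text, $2 = kernel default (0 or 1)
    r=$2
    for w in $1; do
        case $w in selinux=*) r=${w#selinux=} ;; esac
    done
    printf '%s\n' "$r"
}

# Result: boot-disabled | ok | runtime-disable | ineffective
check_runtime_disable() {  # $1 kernel config, $2 selinux config, $3 cmdline, $4 default
    if [ "$(boot_selinux "$3" "${4:-1}")" = 0 ]; then
        echo boot-disabled      # SELinux never initialised; config file is moot
    elif [ "$(selinux_config_mode "$2")" != disabled ]; then
        echo ok                 # nothing asks for a runtime disable
    elif [ "$(kconfig_value "$1" CONFIG_SECURITY_SELINUX_DISABLE)" = y ]; then
        echo runtime-disable    # still works, but relies on the deprecated option
    else
        echo ineffective        # SELINUX=disabled can no longer turn SELinux off
    fi
}

# Constructed sample inputs (not taken from a real system).
demo() {
    d=$(mktemp -d)
    printf '# CONFIG_SECURITY_SELINUX_DISABLE is not set\n' > "$d/kconfig"
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/selinux"
    check_runtime_disable "$d/kconfig" "$d/selinux" "quiet selinux=1" 0
    rm -rf "$d"
}
demo
```

On a live system the inputs would typically be `/boot/config-$(uname -r)`, `/etc/selinux/config` and the contents of `/proc/cmdline`.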
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c7
--- Comment #7 from Michal Kubeček
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c8
--- Comment #8 from Michal Kubeček
https://bugzilla.suse.com/show_bug.cgi?id=1176923#c9
Jiri Slaby
> CONFIG_SECURITY_SELINUX_DISABLE is now disabled in master (all configs).

And in stable too.