| Message ID | 20201111095134.481658-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [userspace] selinux(8): explain that runtime disable is deprecated | expand |
On Wed, Nov 11, 2020 at 10:51:34AM +0100, Ondrej Mosnacek wrote: > Update the main SELinux manpage to explain that runtime disable (i.e. > disabling SELinux using SELINUX=Disabled) is deprecated and recommend > disabling SELinux only via the kernel boot parameter. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++---- > 1 file changed, 22 insertions(+), 4 deletions(-) > > diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 > index 31364271..721a65f4 100644 > --- a/libselinux/man/man8/selinux.8 > +++ b/libselinux/man/man8/selinux.8 > @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in > permissive mode or enforcing mode. The > .B SELINUX > variable may be set to > -any one of disabled, permissive, or enforcing to select one of these > -options. The disabled option completely disables the SELinux kernel > +any one of Disabled, Permissive, or Enforcing to select one of these Is there a reson for these changes? policycoreutils/man/man5/selinux_config.5 aka selinux_config(5) doesn't use capitals: SELINUX = enforcing | permissive | disabled > +options. The Disabled option completely disables the SELinux kernel > and application code, leaving the system running without any SELinux > -protection. The permissive option enables the SELinux code, but > +protection. The Permissive option enables the SELinux code, but > causes it to operate in a mode where accesses that would be denied by > -policy are permitted but audited. The enforcing option enables the > +policy are permitted but audited. The Enforcing option enables the > SELinux code and causes it to enforce access denials as well as > auditing them. Permissive mode may yield a different set of denials > than enforcing mode, both because enforcing mode will prevent an > @@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some > application code will fall back to a less privileged mode of operation > if denied access. > > +.B NOTE: > +Disabling SELinux by setting > +.B SELINUX=Disabled > +in > +.I /etc/selinux/config > +is deprecated and depending on kernel version and configuration it might > +not lead to SELinux being completely disabled. Specifically, the > +SELinux hooks will still be executed internally, but the SELinux policy > +will not be loaded and no operation will be denied. In such state, the > +system will act as if SELinux was disabled, although some operations > +might behave slightly differently. To properly disable SELinux, it is > +recommended to use the > +.B selinux=0 > +kernel boot option instead. In that case SELinux will be disabled > +regardless of what is set in the > +.I /etc/selinux/config > +file. > + > The > .I /etc/selinux/config > configuration file also controls what policy > -- > 2.26.2 >
On Wed, Nov 11, 2020 at 11:07 AM Petr Lautrbach <plautrba@redhat.com> wrote: > On Wed, Nov 11, 2020 at 10:51:34AM +0100, Ondrej Mosnacek wrote: > > Update the main SELinux manpage to explain that runtime disable (i.e. > > disabling SELinux using SELINUX=Disabled) is deprecated and recommend > > disabling SELinux only via the kernel boot parameter. > > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++---- > > 1 file changed, 22 insertions(+), 4 deletions(-) > > > > diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 > > index 31364271..721a65f4 100644 > > --- a/libselinux/man/man8/selinux.8 > > +++ b/libselinux/man/man8/selinux.8 > > @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in > > permissive mode or enforcing mode. The > > .B SELINUX > > variable may be set to > > -any one of disabled, permissive, or enforcing to select one of these > > -options. The disabled option completely disables the SELinux kernel > > +any one of Disabled, Permissive, or Enforcing to select one of these > > Is there a reson for these changes? Just for better readability. Although I should probably just mark them up, as in selinux_config(5)... > policycoreutils/man/man5/selinux_config.5 aka selinux_config(5) doesn't use > capitals: > > SELINUX = enforcing | permissive | disabled Good point, it should be consistent. And also that page will need a similar update. v2 coming soon... > > > +options. The Disabled option completely disables the SELinux kernel > > and application code, leaving the system running without any SELinux > > -protection. The permissive option enables the SELinux code, but > > +protection. The Permissive option enables the SELinux code, but > > causes it to operate in a mode where accesses that would be denied by > > -policy are permitted but audited. The enforcing option enables the > > +policy are permitted but audited. The Enforcing option enables the > > SELinux code and causes it to enforce access denials as well as > > auditing them. Permissive mode may yield a different set of denials > > than enforcing mode, both because enforcing mode will prevent an > > @@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some > > application code will fall back to a less privileged mode of operation > > if denied access. > > > > +.B NOTE: > > +Disabling SELinux by setting > > +.B SELINUX=Disabled > > +in > > +.I /etc/selinux/config > > +is deprecated and depending on kernel version and configuration it might > > +not lead to SELinux being completely disabled. Specifically, the > > +SELinux hooks will still be executed internally, but the SELinux policy > > +will not be loaded and no operation will be denied. In such state, the > > +system will act as if SELinux was disabled, although some operations > > +might behave slightly differently. To properly disable SELinux, it is > > +recommended to use the > > +.B selinux=0 > > +kernel boot option instead. In that case SELinux will be disabled > > +regardless of what is set in the > > +.I /etc/selinux/config > > +file. > > + > > The > > .I /etc/selinux/config > > configuration file also controls what policy > > -- > > 2.26.2 > >
On Wed, Nov 11, 2020 at 5:19 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > On Wed, Nov 11, 2020 at 11:07 AM Petr Lautrbach <plautrba@redhat.com> wrote: > > On Wed, Nov 11, 2020 at 10:51:34AM +0100, Ondrej Mosnacek wrote: > > > Update the main SELinux manpage to explain that runtime disable (i.e. > > > disabling SELinux using SELINUX=Disabled) is deprecated and recommend > > > disabling SELinux only via the kernel boot parameter. > > > > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > > --- > > > libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++---- > > > 1 file changed, 22 insertions(+), 4 deletions(-) > > > > > > diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 > > > index 31364271..721a65f4 100644 > > > --- a/libselinux/man/man8/selinux.8 > > > +++ b/libselinux/man/man8/selinux.8 > > > @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in > > > permissive mode or enforcing mode. The > > > .B SELINUX > > > variable may be set to > > > -any one of disabled, permissive, or enforcing to select one of these > > > -options. The disabled option completely disables the SELinux kernel > > > +any one of Disabled, Permissive, or Enforcing to select one of these > > > > Is there a reson for these changes? > > Just for better readability. Although I should probably just mark them > up, as in selinux_config(5)... > > > policycoreutils/man/man5/selinux_config.5 aka selinux_config(5) doesn't use > > capitals: > > > > SELINUX = enforcing | permissive | disabled > > Good point, it should be consistent. And also that page will need a > similar update. v2 coming soon... Thanks!
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 index 31364271..721a65f4 100644 --- a/libselinux/man/man8/selinux.8 +++ b/libselinux/man/man8/selinux.8 @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in permissive mode or enforcing mode. The .B SELINUX variable may be set to -any one of disabled, permissive, or enforcing to select one of these -options. The disabled option completely disables the SELinux kernel +any one of Disabled, Permissive, or Enforcing to select one of these +options. The Disabled option completely disables the SELinux kernel and application code, leaving the system running without any SELinux -protection. The permissive option enables the SELinux code, but +protection. The Permissive option enables the SELinux code, but causes it to operate in a mode where accesses that would be denied by -policy are permitted but audited. The enforcing option enables the +policy are permitted but audited. The Enforcing option enables the SELinux code and causes it to enforce access denials as well as auditing them. Permissive mode may yield a different set of denials than enforcing mode, both because enforcing mode will prevent an @@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some application code will fall back to a less privileged mode of operation if denied access. +.B NOTE: +Disabling SELinux by setting +.B SELINUX=Disabled +in +.I /etc/selinux/config +is deprecated and depending on kernel version and configuration it might +not lead to SELinux being completely disabled. Specifically, the +SELinux hooks will still be executed internally, but the SELinux policy +will not be loaded and no operation will be denied. In such state, the +system will act as if SELinux was disabled, although some operations +might behave slightly differently. To properly disable SELinux, it is +recommended to use the +.B selinux=0 +kernel boot option instead. In that case SELinux will be disabled +regardless of what is set in the +.I /etc/selinux/config +file. + The .I /etc/selinux/config configuration file also controls what policy
Update the main SELinux manpage to explain that runtime disable (i.e. disabling SELinux using SELINUX=Disabled) is deprecated and recommend disabling SELinux only via the kernel boot parameter. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-)