selinux: update kernel boot params when disabling/re-enabling SELinux #142
recheck
Few comments.
@Akasurde Thanks for the review, both comments should now be addressed. I solved the grubby_bin a little differently, since both the get and set methods need to use it. I also changed it to emit only a warning if the binary is not found (and skip the kernel cmdline config in that case). Please let me know if you're OK with the current code.

cc @quidame @saito-hideki @justjais Could you please review this? Thanks in advance.
LGTM
@WOnder93 thanks for implementing this!
As explained right below, I would prefer to see this new feature as optional and explicit, with a dedicated module option :)
@WOnder93 thank you for the PR!
I have commented about the module description and the item of the result of the module. I hope this helps!
LGTM! :)
@Akasurde @saito-hideki @maxamillion Is there anything else to be done before merging this? I'd be glad if I could finally tick this off as done :)

The ability to disable SELinux from userspace based on the configuration file is being deprecated in favor of the selinux=0 kernel boot parameter. (Note that this affects only the "full" disable; switching to/from permissive mode will work the same as before.)

Therefore, add an 'update_kernel_param' module parameter that will cause it to set/unset the kernel command-line parameter using grubby when enabling/disabling SELinux. (An explicit parameter was chosen for backwards compatibility.)

More information:
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

Signed-off-by: Ondrej Mosnacek <[email protected]>
Sure. I triggered the build.

recheck

recheck

recheck
LGTM!
SUMMARY
The ability to disable SELinux from userspace based on the configuration
file is being deprecated in favor of the selinux=0 kernel boot
parameter. (Note that this affects only the "full" disable; switching
to/from permissive mode will work the same as before.)
Therefore, enhance the selinux module to try to set/unset the kernel
command-line parameter using grubby when enabling/disabling SELinux.
If the grubby package is not present on the system, the module will only
update the config file and report a warning. Note that even with the
runtime disable functionality removed, setting SELINUX=disabled in the
config file will lead to a system with no SELinux policy loaded, which
will behave in a very similar way as if SELinux was fully disabled, only
there could still be some minor performance impact, since the kernel
hooks will still be active.
More information:
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
ISSUE TYPE
COMPONENT NAME
selinux module
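The behaviour described in the summary (set `selinux=0` via grubby when disabling, remove it when re-enabling, and fall back to a warning plus a config-file-only change when grubby is missing) can be sketched as a small planner. This is an added example, not the selinux module's own code from this PR: it assumes the grubby invocations `--update-kernel=ALL --args=selinux=0` and `--update-kernel=ALL --remove-args=selinux`, assumes the state names match the values used in /etc/selinux/config, and only builds the command instead of executing it. It also adds a check the text does not show: parsing the running kernel command line (as in /proc/cmdline) so a caller can tell whether the boot-time disable is already in effect and skip a no-op update. The sample command lines below are constructed.

```python
"""Plan the kernel boot-parameter change for a desired SELinux state.

Added example, not the Ansible selinux module's code.  Assumed grubby
invocation: '--update-kernel=ALL --args=selinux=0' to add the parameter
and '--update-kernel=ALL --remove-args=selinux' to drop it.
"""
import shlex
import shutil
from typing import List, Optional, Tuple

VALID_STATES = ("enforcing", "permissive", "disabled")
SELINUX_OFF_ARG = "selinux=0"


def kernel_cmdline_disables_selinux(cmdline: str) -> bool:
    """Return True if this boot command line fully disables SELinux.

    Simplified model of the kernel's handling: the last 'selinux=' token
    wins, '0' disables, any other value is treated as enabled.  Feed it
    the contents of /proc/cmdline to learn the state of the running kernel.
    """
    enabled = True  # kernel default when no selinux= token is present
    for token in shlex.split(cmdline):
        if token.startswith("selinux="):
            enabled = token.partition("=")[2] != "0"
    return not enabled


def needs_kernel_update(state: str, current_cmdline: str) -> bool:
    """True when the boot parameter does not already match 'state'.

    Caveat: /proc/cmdline reflects the running kernel, not what grubby
    wrote to the bootloader config since the last reboot.
    """
    if state not in VALID_STATES:
        raise ValueError(f"unknown SELinux state: {state}")
    want_disabled = state == "disabled"
    return kernel_cmdline_disables_selinux(current_cmdline) != want_disabled


def find_grubby(explicit: Optional[str] = None) -> Optional[str]:
    """Locate grubby: an explicit path wins, otherwise search PATH."""
    return explicit if explicit else shutil.which("grubby")


def plan_kernel_param_update(
    state: str, grubby_bin: Optional[str]
) -> Tuple[Optional[List[str]], List[str]]:
    """Build the grubby argv for the desired state.

    Returns (argv, warnings).  argv is None when grubby is unavailable; the
    caller then only rewrites the config file and reports the warning, as
    the PR description says the module does.
    """
    if state not in VALID_STATES:
        raise ValueError(f"unknown SELinux state: {state}")
    if grubby_bin is None:
        return None, [
            "grubby not found: kernel command line not updated, "
            "only the SELinux config file will be changed"
        ]
    if state == "disabled":
        return [grubby_bin, "--update-kernel=ALL", f"--args={SELINUX_OFF_ARG}"], []
    # enforcing or permissive: make sure a stale selinux=0 is removed
    return [grubby_bin, "--update-kernel=ALL", "--remove-args=selinux"], []


if __name__ == "__main__":
    # Constructed sample command lines; nothing here executes grubby.
    samples = {
        "disabled at boot": "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet selinux=0",
        "default (enabled)": "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet",
    }
    for label, cmdline in samples.items():
        print(f"{label}: disabled={kernel_cmdline_disables_selinux(cmdline)}")
    for state in VALID_STATES:
        argv, warnings = plan_kernel_param_update(state, find_grubby())
        print(f"{state}: argv={argv} warnings={warnings}")
```

Wiring this into a module would mean running the returned argv with the module's command runner, reporting `changed` only when `needs_kernel_update` is true, and surfacing the warning list through the module's warning mechanism so a playbook run on a host without grubby is not silently left with only the config-file change.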