Bug 1882464 - Remove support for SELinux runtime disable
Summary: Remove support for SELinux runtime disable
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: F34Changes
 
Reported: 2020-09-24 16:08 UTC by Ben Cotton
Modified: 2021-04-27 14:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-27 14:31:07 UTC
Type: ---
Embargoed:




Links:
- Fedora Pagure: fedora-docs/quick-docs pull-request 293 (last updated 2020-10-29 20:29:06 UTC)
- GitHub: ansible-collections/ansible.posix pull 142, open: "selinux: update kernel boot params when disabling/re-enabling SELinux" (last updated 2021-02-22 13:36:59 UTC)
- GitHub: rhinstaller/anaconda pull 2939, closed: "Add selinux=0 boot parameter when SELinux is set to disabled (#1882464)" (last updated 2021-02-21 18:43:19 UTC)

Description Ben Cotton 2020-09-24 16:08:54 UTC
This is a tracking bug for Change: Remove support for SELinux runtime disable
For more details, see: https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

Remove support for SELinux runtime disable so that the LSM hooks can be hardened via read-only-after-initialization protections.

Comment 1 Ondrej Mosnacek 2020-10-01 11:06:57 UTC
Related (first small step on the journey):
https://src.fedoraproject.org/rpms/selinux-policy/c/4cdd6f833212270c4f54b3be6d1471d825ae910d

Comment 2 Ondrej Mosnacek 2020-10-08 10:33:37 UTC
Fedora/ARK kernel PR to disable the config option:
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/685

Comment 3 Ondrej Mosnacek 2020-10-21 08:58:23 UTC
Upstream pull request for Anaconda to disable SELinux via boot param:
https://github.com/rhinstaller/anaconda/pull/2939

Comment 4 Ondrej Mosnacek 2020-10-29 20:29:22 UTC
PR for Fedora quick-docs update:
https://pagure.io/fedora-docs/quick-docs/pull-request/293

Comment 5 Ondrej Mosnacek 2020-11-11 09:53:13 UTC
selinux(8) manpage patch (upstream):
https://lore.kernel.org/selinux/20201111095134.481658-1-omosnace@redhat.com/T/

Comment 6 Ondrej Mosnacek 2021-01-26 14:06:18 UTC
All the important changes have now been applied. The only pending change is updating Ansible's selinux module to disable SELinux via the kernel parameter, but that is not a blocker. It has also been suggested to have some warning printed when the system is booted with SELINUX=disabled in the config file, but no selinux=0 on the kernel command-line (e.g. via a one-shot systemd unit), which is again non-blocking.

Based on the above, moving the status to MODIFIED.
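The configuration-mismatch warning suggested in comment 6, written out as an added shell example; it is not code from this bug or from any of the linked PRs. It assumes the standard `SELINUX=` line syntax of /etc/selinux/config and the space-separated token format of /proc/cmdline, and runs here against constructed sample files rather than the real ones.

```shell
#!/bin/sh
# Added example: detect the situation comment 6 describes, where
# /etc/selinux/config says SELINUX=disabled but the kernel was not booted
# with selinux=0. With runtime disable removed, SELinux stays enabled in
# that case, so the mismatch deserves a warning. Paths are parameters so
# the functions run against the constructed sample files below or against
# the real /etc/selinux/config and /proc/cmdline.

# Print the value of the last uncommented SELINUX= line in a config file.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed (exit 0) when the kernel command line contains the selinux=0 token.
cmdline_has_selinux0() {
    tr ' ' '\n' < "$1" | grep -qx 'selinux=0'
}

# Exit 0 and print a warning when the config disables SELinux but the
# command line lacks selinux=0; exit 1 when the two are consistent.
check_selinux_disable_mismatch() {
    mode=$(selinux_config_mode "$1")
    if [ "$mode" = "disabled" ] && ! cmdline_has_selinux0 "$2"; then
        echo "WARNING: SELINUX=disabled in $1 but selinux=0 is missing from $2;" \
             "SELinux remains enabled at runtime" >&2
        return 0
    fi
    return 1
}

# Constructed sample inputs (not copied from any real system).
tmp=$(mktemp -d)
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$tmp/config.disabled"
printf '# SELINUX=disabled\nSELINUX=enforcing\n' > "$tmp/config.enforcing"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$tmp/cmdline.noflag"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro selinux=0 quiet\n' > "$tmp/cmdline.flag"

check_selinux_disable_mismatch "$tmp/config.disabled" "$tmp/cmdline.noflag" && echo "mismatch detected"
check_selinux_disable_mismatch "$tmp/config.disabled" "$tmp/cmdline.flag" || echo "consistent: selinux=0 present"
check_selinux_disable_mismatch "$tmp/config.enforcing" "$tmp/cmdline.noflag" || echo "consistent: SELinux not disabled"
rm -rf "$tmp"
```

Run it as a one-shot systemd unit at boot, replacing the sample paths with /etc/selinux/config and /proc/cmdline, to get the warning into the journal.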

Comment 7 Ben Cotton 2021-02-16 15:52:04 UTC
Reminder: The change complete (100% complete) deadline for Fedora 34 changes is Tuesday 23 February. At that point, changes should be 100% code complete, along with supporting documentation where appropriate. Please indicate this by setting the tracker bug for your change to ON_QA.

Comment 8 Ondrej Mosnacek 2021-02-22 13:36:59 UTC
The supporting changes to ansible are only in the form of a PR at this point, but otherwise the change can be considered code complete.

Comment 9 Ben Cotton 2021-04-27 14:31:07 UTC
Closing Changes Tracking bugs for the Fedora Linux 34 release. If your change did not make it into the release, please reopen and needinfo bcotton.

