FS#37578 - [linux] 3.13 enable SELinux LSM

Attached to Project: Arch Linux
Opened by Timothée Ravier (Siosm) - Friday, 01 November 2013, 10:45 GMT
Last edited by Dave Reisner (falconindy) - Thursday, 24 April 2014, 14:07 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Thomas Bächler (brain0)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 14
Private No

Details

Description:

Enable SELinux LSM in the default Arch Linux kernel (keep DAC as the default). AppArmor and Tomoyo are already enabled, so why not SELinux?
Required userspace tools will stay in AUR for now.

Additional configuration options required:

CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX=n
CONFIG_LSM_MMAP_MIN_ADDR=65536
This task depends upon

Closed by  Dave Reisner (falconindy)
Thursday, 24 April 2014, 14:07 GMT
Reason for closing:  Won't implement
Additional comments about closing:  Support intentionally removed
Comment by Sudhir Khanger (donniezazen) - Friday, 01 November 2013, 13:58 GMT
@Siosm So that you know SELinux is being discussed in arch-general mailing list. https://mailman.archlinux.org/pipermail/arch-general/2013-October/034352.html
Comment by Timothée Ravier (Siosm) - Friday, 01 November 2013, 14:34 GMT
I know, I'm working on a repository with SELinux support for Arch: https://mailman.archlinux.org/pipermail/arch-general/2013-October/034379.html & https://mailman.archlinux.org/pipermail/arch-general/2013-October/034361.html
Comment by Timothée Ravier (Siosm) - Monday, 20 January 2014, 18:35 GMT
Any update on this?
Comment by John (graysky) - Saturday, 01 February 2014, 11:17 GMT
Looks like it is implemented: https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/linux&id=a1bf3bc4dde855b65095714189f5dccf562b0d9f
Comment by Thomas Bächler (brain0) - Saturday, 01 February 2014, 12:01 GMT
Still waiting if it causes problems, like it did back in the day when we enabled it for a short time.
Comment by Timothée Ravier (Siosm) - Saturday, 01 February 2014, 12:18 GMT
Great! Looks like I missed it when I checked earlier. Is this in the current kernel in testing? I'm at FOSDEM this week end but I'll test this as soon as I get back.
Comment by Nicolas I. (IooNag) - Friday, 28 March 2014, 18:00 GMT
LSM are being removed from the supported kernel configuration in 3.14 for the sake of simplification (https://mailman.archlinux.org/pipermail/arch-general/2014-March/035638.html).

Moreover activating SELinux apparently forced the audit subsystem to be enabled, according to https://mailman.archlinux.org/pipermail/arch-general/2014-March/035679.html. I haven't tested myself and haven't found related bug reports about this specific issue, but enabling the audit subsystem by default is broken: it produces unwanted logs and doesn't work with containers (even though I don't know if containers are officially supported because the official config enables CONFIG_UTS_NS but not CONFIG_USER_NS, and there is a good reason related to security not to enable the latter).
Comment by Timothée Ravier (Siosm) - Sunday, 30 March 2014, 11:25 GMT
The "conflict" between audit and containers has been partially fixed in the 3.13 kernel and the last bit will be fixed in 3.15 (https://bugzilla.redhat.com/show_bug.cgi?id=893751). systemd-nspawn is using libseccomp to trick containers to not use audit (https://plus.google.com/+LennartPoetteringTheOneAndOnly/posts/cF6zVDjKDuu). I should ask on the mailing list about the "enabled by default" audit issue.

I'll write a longer reply about the "LSMs drop" from the default Arch kernel on the mailing list ASAP.

Loading...