Subject: Re: [PATCH 4/5] Make LSM Writable Hooks a command line option
From: Casey Schaufler
To: Igor Stoppa, Tetsuo Handa, keescook@chromium.org, mhocko@kernel.org, jmorris@namei.org
Cc: paul@paul-moore.com, sds@tycho.nsa.gov, hch@infradead.org, labbott@redhat.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Date: Tue, 6 Jun 2017 08:17:01 -0700
Message-ID: <61106c92-ab4c-4bc3-1cb9-d01b1845f670@schaufler-ca.com>
References: <201706061954.GBH56755.QSOOFMFLtJFVOH@I-love.SAKURA.ne.jp> <6c807793-6a39-82ef-93d9-29ad2546fc4c@huawei.com> <201706062042.GAC86916.FMtHOOFJOSVLFQ@I-love.SAKURA.ne.jp> <4c3e3b8b-6507-7da5-1537-1e0ce04fcba5@huawei.com> <201706062336.CFE35913.OFFLQOHMtSJFVO@I-love.SAKURA.ne.jp>
List-ID: linux-kernel@vger.kernel.org
On 6/6/2017 7:51 AM, Igor Stoppa wrote:
> On 06/06/17 17:36, Tetsuo Handa wrote:
>> Igor Stoppa wrote:
>>> For the case at hand, would it work if there was a non-API call that you
>>> could use until the API is properly expanded?
>> Kernel command line switching (i.e. this patch) is fine for my use cases.
>>
>> SELinux folks might want
>>
>> -static int security_debug;
>> +static int security_debug = IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE);
> ok, thanks, I will add this
>
>> so that those who are using SELINUX=disabled in /etc/selinux/config won't
>> get an oops upon boot by default. If "unlock the pool" were available,
>> SELINUX=enforcing users would be happy. Maybe two modes for rw/ro transition helps.
>>
>> oneway rw -> ro transition mode: can't be made rw again by calling "unlock the pool" API
>> twoway rw <-> ro transition mode: can be made rw again by calling "unlock the pool" API
> This was in the first cut of the API, but I was told that it would
> require further rework, to make it ok for upstream, so we agreed to do
> first the lockdown/destroy only part and then the rewrite.
>
> Is there really a valid use case for unloading SE Linux?

It's used today in the Redhat distros. There is talk of removing it.
You can only unload SELinux before policy is loaded, which is sort
of saying that you have your system misconfigured but can't figure
out how to fix it. You might be able to convince Paul Moore to
accelerate the removal of this feature for this worthy cause.

> Or any other security module.

I suppose that you could argue that if a security module had been
in place for 2 years on a system and had never once denied anyone
access it should be removed. That's a reasonable use case description,
but I doubt you'd encounter it in the real world. Another possibility
is a security module that is used during container setup and once the
system goes into full operation is no longer needed. Personally, I don't
see either of these cases as compelling. "systemctl restart xyzzyd".
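Review bot: Defaulting security_debug to IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE) in the quoted `-static int security_debug;` / `+static int security_debug = IS_ENABLED(CONFIG_SECURITY_SELINUX_DISABLE);` change turns a build-time option into the runtime default, so every boot of a kernel built with that config keeps the hooks writable, including the SELINUX=enforcing systems mentioned just above, which then lose the read-only protection the series is adding. Suggest keeping the default at 0 and having the command-line switch (or the runtime SELINUX=disabled path) opt out explicitly, and documenting the option and its default in the kernel-parameters documentation.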
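The oneway/twoway transition modes Tetsuo describes above, modelled in userspace as an added example that is not code from this thread or from the patch series: a page-sized pool is filled while writable, sealed with mprotect(2) standing in for the kernel's set_memory_ro, and an unlock is then attempted. The pool layout, the function names and the `lsm_hooks_writable` token that select_mode looks for are assumptions made for illustration, not the series' real option or API.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Transition modes from the thread: oneway is rw -> ro only, twoway is rw <-> ro. */
enum pool_mode { POOL_ONEWAY = 0, POOL_TWOWAY = 1 };

/* Userspace stand-in for a protectable kernel pool (assumed layout). */
struct pool {
	unsigned char *base;
	size_t len;
	enum pool_mode mode;
	bool locked;
};

static int pool_init(struct pool *p, enum pool_mode mode)
{
	p->len = (size_t)sysconf(_SC_PAGESIZE);
	p->base = mmap(NULL, p->len, PROT_READ | PROT_WRITE,
		       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	p->mode = mode;
	p->locked = false;
	return p->base == MAP_FAILED ? -errno : 0;
}

/* Refused once locked: a direct store would SIGSEGV here, as it oopses in the kernel. */
static int pool_write(struct pool *p, size_t off, const void *src, size_t n)
{
	if (p->locked)
		return -EPERM;
	if (off + n > p->len)
		return -EINVAL;
	memcpy(p->base + off, src, n);
	return 0;
}

/* rw -> ro: the lockdown step; mprotect stands in for set_memory_ro. */
static int pool_protect(struct pool *p)
{
	if (mprotect(p->base, p->len, PROT_READ) != 0)
		return -errno;
	p->locked = true;
	return 0;
}

/* ro -> rw: the "unlock the pool" call; only twoway mode permits it. */
static int pool_unprotect(struct pool *p)
{
	if (p->mode == POOL_ONEWAY)
		return -EPERM;
	if (mprotect(p->base, p->len, PROT_READ | PROT_WRITE) != 0)
		return -errno;
	p->locked = false;
	return 0;
}

/* Mode from a boot-line-style string. "lsm_hooks_writable" is a placeholder
 * token for illustration, not the option name used by the real series. */
enum pool_mode select_mode(const char *cmdline)
{
	char buf[256], *save, *tok;

	strncpy(buf, cmdline, sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = '\0';
	for (tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save))
		if (strcmp(tok, "lsm_hooks_writable") == 0)
			return POOL_TWOWAY;
	return POOL_ONEWAY;
}

/* rw -> ro -> unlock attempt. Returns 1 if the unlock succeeded and a later
 * write landed (twoway), 0 if the unlock was refused (oneway), or a negative
 * errno if the lock did not hold or a syscall failed. */
int pool_cycle(enum pool_mode mode)
{
	struct pool p;
	int rc = pool_init(&p, mode), result = -EIO;

	if (rc)
		return rc;
	if ((rc = pool_write(&p, 0, "hook", 4)) || (rc = pool_protect(&p)))
		goto out;
	if (pool_write(&p, 0, "HOOK", 4) != -EPERM) {	/* sealed pool must refuse */
		rc = -EIO;
		goto out;
	}
	rc = pool_unprotect(&p);
	if (rc == -EPERM) {
		rc = 0;
		result = 0;				/* oneway: stays sealed for good */
	} else if (rc == 0 && (rc = pool_write(&p, 0, "HOOK", 4)) == 0) {
		result = memcmp(p.base, "HOOK", 4) == 0 ? 1 : -EIO;	/* twoway */
	}
out:
	munmap(p.base, p.len);
	return rc ? rc : result;
}
```

pool_cycle(POOL_ONEWAY) returns 0 because the unlock is refused and the pool stays read-only, while pool_cycle(POOL_TWOWAY) returns 1 because the unlock is honoured and the rewrite lands; select_mode only picks the twoway behaviour when the placeholder token is present, which is the shape of the command-line switch the patch title describes, with the default being the sealed mode.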