Disabling SELinux's runtime disable

By Jonathan Corbet
April 20, 2023

Distributors have been enabling the SELinux security module for nearly 20 years now, and many administrators have been disabling it on their systems for almost as long. There are a few ways in which SELinux can be disabled on any given system, including command-line options, a run-time switch, or simply not loading a policy after boot. One of those ways, however, is about to be disabled itself.

SELinux undoubtedly improves the security of a system; it can confine processes to the resources that they are intended to use. But SELinux can also get in the way, especially in situations where some program does not behave in the way that the policy authors expected. The tools for figuring out where a problem lies and amending SELinux policies have improved over the years but, for many, convincing SELinux to let some task proceed is simply not worth the trouble. These are the people who end up just turning it off altogether.

The kernel provides a set of options for doing that, beyond building a kernel that does not include SELinux at all. The selinux=0 command-line parameter will disable SELinux at boot. Another option is editing /etc/selinux/config, which can have the effect of preventing an SELinux policy from being loaded into the kernel. Without a policy, SELinux deems itself to be in an uninitialized state and will not enforce any restrictions. Finally, writing a zero to /sys/fs/selinux/disable will disable SELinux until the next boot, but only if no policy has yet been loaded.

That last option, however, has been targeted for removal for some time. It was deprecated for the 5.6 release in 2020. The 5.19 kernel saw the addition of a five-second delay whenever this option was used to disable SELinux; that delay was increased to 15 seconds in 6.2 for the benefit of anybody who hadn't gotten the hint so far. Now, a patch disabling /sys/fs/selinux/disable entirely from Paul Moore has landed in linux-next and will almost certainly go upstream during the 6.4 merge window.

One might well wonder why there is so much hostility toward a simple run-time system-configuration option. For developers who are working on the creation of highly secure systems, any sort of an "off" switch is a potential failure point. A system may be locked down with various security policies but, if an attacker can somehow get a zero byte written to /sys/fs/selinux/disable during the boot sequence, the system will run without SELinux enforcement and much of that work will have been for naught. Taking that option away adds one more obstacle to somebody who is trying to circumvent a system's security.

Arguably, though, the more important concern is that, to support the ability to disable (or enable) SELinux at run time, the kernel must be able to write to the structures containing the hook functions used to call into the various security modules. Kernel developers have been working for years to eliminate this kind of writable function vector; each one of them is a tempting target for an attacker. In the case of security modules, protecting those vectors is doubly important; the security policy cannot be enforced without them. The security-module hooks are called from many of the most sensitive places in the kernel; if they can be changed, the result could be anything from the circumvention of the rules for exported kernel symbols to a complete compromise of the system.

To avoid this kind of problem, security-oriented developers would like to store these hooks in post-init read-only memory. Data that is marked with the special __ro_after_init attribute is writable when the system boots, but is changed to read-only at the end of the bootstrap process, before user space is allowed to run. This mechanism allows the kernel to initialize things — such as the active security module(s) — then to lock down the relevant data so that the configuration cannot be (easily) changed.

Moore's patch removes the ability to disable SELinux at run time. The /sys/fs/selinux/disable file will continue to exist and accept writes, but the only effect it will have will be to generate a log message if an attempt to use it to disable SELinux is made. The hook vectors for all in-tree security modules are marked __ro_after_init, ending the ability to make changes after the system has booted.

In a real sense, this is an API-breaking change. Any system that is using this feature, and which is counting on SELinux being disabled afterward, will not function properly with a 6.4 kernel. Chances are, though, that there will be few affected systems. Distributions that enable SELinux at boot, such as Fedora, disabled this feature in their kernel configurations years ago, so affected users should already have noticed the problem. That, Moore says, has not happened:

Finally, in the several years where we have been working on deprecating this functionality, there has only been one instance of someone mentioning any user visible breakage. In this particular case it was an individual's kernel test system, and the workaround documented in the deprecation notice ("selinux=0" on the kernel command line) resolved the issue without problem.

For anybody out there who needs to turn off SELinux on a system where it is enabled by default at boot, the other two options remain open. The best solution is, as mentioned above, to put selinux=0 on the kernel command line. It remains possible to edit /etc/selinux/config but, as Moore notes, doing so does not truly disable SELinux; it just prevents the loading of a policy, meaning that SELinux could be enabled later on by loading a policy.

The result of this change is, hopefully, an inherently more secure kernel and a minimum of disruption for users who need to run without SELinux enabled for whatever reason. Such changes can be hard to make but, as this case shows, they can be possible with enough patience and a willingness to work at both the kernel and distribution levels.

Index entries for this article
Kernel	Releases/6.4
Kernel	Security/Security modules
Kernel	SELinux

Disabling SELinux's runtime disable

Posted Apr 20, 2023 15:00 UTC (Thu) by intelfx (subscriber, #130118) [Link] (4 responses)

Is this the same knob that is controlled by `setenforce`?

Disabling SELinux's runtime disable

Posted Apr 20, 2023 15:16 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (2 responses)

No. You can change the enforcement decision at runtime, and change it back. In fact it's often worth going back into systems where somebody was confused and tried turning "off" SELinux to see if that would solve a problem they don't understand, so as to turn it back "on" again now that any problems have been actually fixed.

Like commented out code, disabled/ permissive SELinux settings in production servers are a bad smell. They say "I don't understand what I'm doing, I just tinker with things until they work and then I leave well alone and pray they keep working" which is presumably a fine way to be a cleric or a guru, but it's not engineering.

Disabling SELinux's runtime disable

Posted Apr 20, 2023 15:45 UTC (Thu) by intelfx (subscriber, #130118) [Link]

> In fact it's often worth going back into systems where somebody was confused and tried turning "off" SELinux to see if that would solve a problem they don't understand, so as to turn it back "on" again now that any problems have been actually fixed.
>
> Like commented out code, disabled/ permissive SELinux settings in production servers are a bad smell. They say "I don't understand what I'm doing, I just tinker with things until they work and then I leave well alone and pray they keep working" which is presumably a fine way to be a cleric or a guru, but it's not engineering.

No contest here. I was just wondering if the enforcement setting and the runtime disable setting were one and the same.

Disabling SELinux's runtime disable

Posted Apr 20, 2023 18:12 UTC (Thu) by mattburgess (subscriber, #143223) [Link]

This is definitely QOTW material:

"I don't understand what I'm doing, I just tinker with things until they work and then I leave well alone and pray they keep working" which is presumably a fine way to be a cleric or a guru, but it's not engineering."

Disabling SELinux's runtime disable

Posted Apr 20, 2023 18:40 UTC (Thu) by nickodell (subscriber, #125165) [Link]

No, that works by writing to /sys/fs/selinux/enforce.

Disabling SELinux's runtime disable

Posted Apr 20, 2023 15:47 UTC (Thu) by mcon147 (subscriber, #56569) [Link] (3 responses)

While I can see that some use-cases benefit from this, it seems user-hostile to remove the option

Disabling SELinux's runtime disable

Posted Apr 20, 2023 17:39 UTC (Thu) by flussence (guest, #85566) [Link] (2 responses)

As the article points out, this is functionally no different to simply not loading a policy. Anyone who has access to early boot to change this setting can also arrange for that to happen in the same place.

The only people this is "hostile" towards are those who are for some reason a) running a system with SELinux they don't have the authority to turn off at boot, b) know enough about the innards of the system to be dangerous, and c) completely, utterly refuse to do even the most rudimentary RTFMing. And after all the BS surrounding systemd, I think people like that have absolutely earned the hostility.

Disabling SELinux's runtime disable

Posted Apr 22, 2023 7:00 UTC (Sat) by amarao (subscriber, #87073) [Link] (1 responses)

Aslo, all newcomers, who read docs about fixing odd bugs by whis, will find than older magic no longer works.

Disabling SELinux's runtime disable

Posted Apr 27, 2023 12:03 UTC (Thu) by edeloget (subscriber, #88392) [Link]

> Aslo, all newcomers, who read docs about fixing odd bugs by whis, will find than older magic no longer works.

Forever lost are the shores of Valinor :)

Disabling SELinux's runtime disable

Posted Apr 20, 2023 16:08 UTC (Thu) by qperret (subscriber, #117873) [Link]

Moving the function vectors to __ro_after_init could probably be done without disabling the entire feature by using a temporary writable alias (a fixmap?) when modifying them, similar to how e.g. the kernel patches its text. That way the window during which an attacker can use an OOB write (for example) to modify those structs will remain small, making exploitation much less practical. Not being familiar with all the history behind the change, I assume this type of approach has been discussed? Would anyone with enough background be able to share more details as to why this wasn't pursued?

Disabling SELinux's runtime disable

Posted Apr 21, 2023 7:48 UTC (Fri) by taladar (subscriber, #68407) [Link] (2 responses)

The thing I personally do not like about SELinux is actually that some distros use SELinux, some use AppArmor, some use neither and if you want to use any sort of config management generated configuration that works on all of them you suddenly have to adjust the pointless differences between distros (e.g. different usernames or paths or config file names) in three or more places (in the actual config and in the policies) instead of just one.

If you forget (or don't know) about adjusting it in one SELinux policy you suddenly have to figure out why your configuration that works perfectly fine on a sane distro doesn't work on "distro that likes to use SELinux but also ancient versions for everything", either because some config option you use isn't supported on that distro or because SELinux blocks it which is often hard to distinguish because the C return code system doesn't give you some proper "blocked by SELinux" error but just some numeric error code that the majority of applications which don't explicitly handle SELinux errors probably logs (if you are lucky) as a generic permission denied or file not found,... error, often without even referencing the operation it tried to perform or the object it tried to perform it on.

Disabling SELinux's runtime disable

Posted Apr 21, 2023 12:30 UTC (Fri) by ceplm (subscriber, #41334) [Link] (1 responses)

https://www.reddit.com/r/openSUSE/comments/118twi8/why_is...

Not speaking for SUSE, but it seems to me that we are switching from AppArmor to SELinux (at least with ALP and MicroOS, I guess Tumbleweed will follow as well, and the system I write this on is MicroOS with SELinux Enforcing and my office computer is Tumbleweed with SELinux also in the Enforcing mode).

It seems that the last stand of AppArmor is now Debian/Ubuntu. Debian has certainly enough strength to keep it alive, but otherwise there is a long list of Ubuntu-only projects which later died and where replaced by the projects used by the rest of the Linux universe.

Disabling SELinux's runtime disable

Posted Apr 21, 2023 14:23 UTC (Fri) by rahulsundaram (subscriber, #21946) [Link]

> Not speaking for SUSE, but it seems to me that we are switching from AppArmor to SELinux (at least with ALP and MicroOS, I guess Tumbleweed will follow as well..

Interesting. Earlier SUSE explicitly noted this:
https://documentation.suse.com/sles/12-SP4/html/SLES-all/...
"Because many organizations are requesting SELinux to be in the Linux distributions they are using, SUSE is offering support for the SELinux framework in SUSE Linux Enterprise Server. This does not mean that the default installation of SUSE Linux Enterprise Server will switch from AppArmor to SELinux in the near future."

I am assuming the situation has evolved since then.

AI concern points

Posted Apr 21, 2023 9:25 UTC (Fri) by jengelh (subscriber, #33263) [Link] (5 responses)

>any sort of an "off" switch is a potential failure point

One system's off switch is another system's safety switch.

AI concern points

Posted Apr 21, 2023 11:40 UTC (Fri) by Wol (subscriber, #4433) [Link] (4 responses)

Do you want to fail open, or fail closed?

Cheers,
Wol

AI concern points

Posted Apr 23, 2023 0:40 UTC (Sun) by jwarnica (subscriber, #27492) [Link] (3 responses)

If I worked in a hospital, I'd want access to patient records.

If I worked in a missile silo, I'd want the drives to cook themselves and the armory to unlock.

AI concern points

Posted Apr 24, 2023 11:02 UTC (Mon) by farnz (subscriber, #17727) [Link] (2 responses)

The hospital one is actually interesting and complex. You don't want access to patient records that you're not supposed to have access to for a variety of reasons: many countries have laws around patient confidentiality that makes it a career-ending move to look at the wrong set of medical records (GDPR in the EU, HIPAA in the USA, as two examples).

There's thus a tension here; you want access to the records of patients you're actively dealing with, but you also want to avoid having any access to records you should not be looking at, so that you can quickly be ruled out of any investigation into a leak of medical data. And for urgent cases, you don't have time to look at records anyway - you're following a pre-established process for handling the emergency in front of you - and thus don't care if you have access.

So even in the hospital case, you may actually want the system to fail closed, so that you don't have medical records access, since the risks presented by records access are higher than the risk of not having access.

AI concern points

Posted May 1, 2023 18:39 UTC (Mon) by bartoc (guest, #124262) [Link] (1 responses)

Are they higher though? In the US the VA has just gone through some horrible trainwreck of a digital records migration and some VA facilities lost access to patient records for a while, I believe it directly caused several deaths. If it fails open then yeah it's a privacy issue but in most cases that can be resolved by making it illegal to access records that you shouldn't have access to and compelling anyone who does to destroy them. Maybe there will be a long and expensive legal process afterwards but nobody will have died.

AI concern points

Posted May 2, 2023 13:57 UTC (Tue) by farnz (subscriber, #17727) [Link]

The trouble is that fails open can also lead to death, as the consequences of people finding out details of medical records includes murder of the patient. So it's not as simple as "fail open == no deaths", because it also results in death.