From e7dbfb26056688ac63ee53a04b974c709e86df0f Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek
Date: Thu, 13 May 2021 16:23:31 +0200
Subject: [PATCH] Add a systemd service to check that SELinux is disabled properly

As an additional sanity check to support the removal of runtime disabling of SELinux [1], add a simple oneshot service to the selinux-policy package that will print a warning to system journal when it detects on boot that the system has been booted with SELINUX=disabled in /etc/selinux/config, but without selinux=0 on the kernel command line.

Note that as per [2], in order for the service to be enabled by default, it needs to be added to the Fedora presets.

[1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
[2] https://docs.fedoraproject.org/en-US/packaging-guidelines/DefaultServices/#_how_to_enable_a_service_by_default

Signed-off-by: Ondrej Mosnacek
Resolves: rhbz#2082524
---
 selinux-check-proper-disable.service | 15 +++++++++++++++
 selinux-policy.spec | 12 ++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 selinux-check-proper-disable.service

diff --git a/selinux-check-proper-disable.service b/selinux-check-proper-disable.service
new file mode 100644
index 0000000..8f3b4da
--- /dev/null
+++ b/selinux-check-proper-disable.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Check that SELinux is not disabled the unsafe way
+ConditionKernelCommandLine=!selinux=0
+After=sysinit.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/selinux/config
+ExecCondition=test "$SELINUX" = disabled
+ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
+StandardOutput=journal+console
+SyslogLevel=warning
+
+[Install]
+WantedBy=multi-user.target
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 998357c..c9f0fe6 100644
--- a/selinux-policy.spec
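Review bot: `EnvironmentFile=/etc/selinux/config` is mandatory, so on a host where that file is missing or unreadable the unit fails at start instead of being skipped, leaving a failed unit behind for a check that is meant to stay silent; the conventional form is `EnvironmentFile=-/etc/selinux/config`, and the `ExecCondition=` on the next line then decides the outcome on its own. `ExecCondition=` is only understood by systemd 243 and newer, so a comment at the top of the [Service] section stating that minimum would help anyone backporting the unit. Since systemd rather than a shell substitutes `$SELINUX`, a config without that key appears to collapse the command to `test = disabled`, which exits non-zero and merely skips the service — if that reading of the substitution rules is right, a one-line comment saying the fallback is intentional would stop it being mistaken for a bug.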
+++ b/selinux-policy.spec
@@ -59,6 +59,8 @@ Source33: macro-expander
 
 # Git repo: https://github.com/containers/container-selinux.git
 Source35: container-selinux.tgz
 
+Source36: selinux-check-proper-disable.service
+
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
@@ -66,6 +68,7 @@ Url: %{giturl}
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
 BuildRequires: make
+BuildRequires: systemd-rpm-macros
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
 Requires: rpm-plugin-selinux
@@ -88,6 +91,7 @@ the policy has been adjusted to provide support for Fedora.
 %ghost %{_sysconfdir}/sysconfig/selinux
 %{_usr}/lib/tmpfiles.d/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
+%{_unitdir}/selinux-check-proper-disable.service
 
 %package sandbox
 Summary: SELinux sandbox policy
@@ -480,9 +484,13 @@ install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux
 sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
 
 rm -rf selinux_config
 
+
 %post
+%systemd_post selinux-check-proper-disable.service
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
 #
 # New install so we will default to targeted policy
@@ -524,7 +532,11 @@ else
 fi
 exit 0
 
+%preun
+%systemd_preun selinux-check-proper-disable.service
+
 %postun
+%systemd_postun selinux-check-proper-disable.service
 if [ $1 = 0 ]; then
 %{_sbindir}/setenforce 0 2> /dev/null
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
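Review bot: The `%systemd_post`, `%systemd_preun` and `%systemd_postun` lines in the last two hunks, together with the `ExecCondition=` directive in the unit they manage, assume a systemd new enough for both, yet the spec only gains `BuildRequires: systemd-rpm-macros`; if this spec is also built for older targets, a runtime bound such as `Requires: systemd >= 243` (or `%{?systemd_requires}` for the scriptlet-time dependencies) would make that assumption explicit rather than leaving it to the installed system. The two lines added in the %install hunk can be collapsed into `install -D -m 644 %{SOURCE36} %{buildroot}%{_unitdir}/selinux-check-proper-disable.service`, which also spells out the installed name that the `%files` entry relies on. A short comment above the new `%preun` section noting that the unit is a oneshot, so `%systemd_postun` without a restart is the intended form, would save the next reader the question.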