NAK: [X][SRU][PATCH 1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_SELINUX_DISABLE for s390x
Tyler Hicks
tyhicks at canonical.com
Tue Jul 9 22:02:40 UTC 2019
[+sbeattie]
On 2019-07-09 13:53:58, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1813721
>
> Enable CONFIG_SECURITY_SELINUX_DISABLE for s390x.
>
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
> ---
> debian.master/config/annotations | 2 +-
> debian.master/config/s390x/config.common.s390x | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/debian.master/config/annotations b/debian.master/config/annotations
> index adb84bb..3d6015b 100644
> --- a/debian.master/config/annotations
> +++ b/debian.master/config/annotations
> @@ -9864,7 +9864,7 @@ CONFIG_IMA_SIG_TEMPLATE policy<{'amd64': 'n', 'arm64': '
> CONFIG_SECURITY_SELINUX policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> CONFIG_SECURITY_SELINUX_BOOTPARAM policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'n'}>
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE policy<{'amd64': '0', 'arm64': '0', 'armhf': '0', 'i386': '0', 'powerpc': '0', 'ppc64el': '0'}>
> -CONFIG_SECURITY_SELINUX_DISABLE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'n'}>
> +CONFIG_SECURITY_SELINUX_DISABLE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}>
Having CONFIG_SECURITY_SELINUX_DISABLE off is the more secure setting.
The current s390x setting follows the KSPP recommended settings:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
In other words, turning it on would weaken security.
QRT is failing due to the config test added earlier this year:
https://git.launchpad.net/qa-regression-testing/commit/?id=8ad898971ba8c1b3be8f237bad277f3888371e6a
Here's the description from the bug linked to in that QRT test
(LP: #1680315):
In the v4.12 kernel, CONFIG_SECURITY_SELINUX_DISABLE (which allows
disabling selinux after boot) will conflict with read-only LSM
structures. Since Ubuntu is primarily using AppArmor for its LSM, and
SELinux is disabled by default, it makes sense to drop this feature in
favor of the protections offered by __ro_after_init markings on the
LSM structures.
The test is a little misguided, IMO, as it shouldn't be failing if
the config setting is off, regardless of kernel version.
I think this patch should be NAK'ed and the test should be adjusted. Do
you agree, Steve?
Tyler
> CONFIG_SECURITY_SELINUX_DEVELOP policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> CONFIG_SECURITY_SELINUX_AVC_STATS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE policy<{'amd64': '1', 'arm64': '1', 'armhf': '1', 'i386': '1', 'powerpc': '1', 'ppc64el': '1', 's390x': '1'}>
> diff --git a/debian.master/config/s390x/config.common.s390x b/debian.master/config/s390x/config.common.s390x
> index a3be5b1..93fdbf6 100644
> --- a/debian.master/config/s390x/config.common.s390x
> +++ b/debian.master/config/s390x/config.common.s390x
> @@ -315,7 +315,7 @@ CONFIG_SCSI_SRP_ATTRS=m
> # CONFIG_SCSI_UFSHCD is not set
> # CONFIG_SCSI_WD719X is not set
> # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
> -# CONFIG_SECURITY_SELINUX_DISABLE is not set
> +CONFIG_SECURITY_SELINUX_DISABLE=y
> # CONFIG_SERIAL_8250 is not set
> # CONFIG_SERIAL_ALTERA_JTAGUART is not set
> # CONFIG_SERIAL_ALTERA_UART is not set
> --
> 2.7.4
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list