Open PavelSosin-320 opened 3 years ago
You can add your own kernel command line, see docs here https://docs.microsoft.com/en-us/windows/wsl/wsl-config#wsl-2-settings
I'm looking at the WSL startup log:

```
Kernel command line: initrd=\initrd.img panic=-1 nr_cpus=2 swiotlb=force console=ttyS0,115200 debug pty.legacycount=0
```

and the output of `cat /proc/cmdline`:

```
$ cat /proc/cmdline
initrd=\initrd.img panic=-1 nr_cpus=2 swiotlb=force console=ttyS0,115200 debug pty.legacycount=0
```

and don't see that kernelCommandLine has any effect after termination of the distro, shutdown of WSL and a new start of the distro. My current .wslconfig file is:

```
[wsl2]
memory=8GB
processors=2
swap=16GB
debugConsoleLogFile=C:\Users\Pavel\WSL_Console_Log3.txt
kernelComandLine=selinux=0
```

The value is simply ignored.
SELinux is not compiled into the WSL2 kernel. There is no command line to set. [Enabling SELinux would be another matter.]
You may get better eyeballs on the "any ability to run many Linux utilities" problem in a Fedora-remix forum.
The Fedora Remix distro is a Fedora 33 remix. It had been built long before the decision was made. In the Fedora Remix distro all configuration files and semanage utilities were in their places and worked. Upgrading to Fedora 34, which was needed to install recent OCI runtime versions, wiped all the old stuff, and all the old recipes for managing security in Linux stopped working. I think the decision made by the SELinux development team is wise and convenient. Why does every student trying Linux for the first time from a Windows OEM Home edition need knowledge of Linux security alchemy, if the selection of the Linux security mode can be done using one checkbox or a .wslconfig parameter with a boolean value? But Pro and Enterprise developers using the Pro or Enterprise version of Windows should be able to run OCI (Docker) containers with a full-fledged security configuration.
@therealkenc According to https://github.com/WhitewaterFoundry/Fedora-Remix-for-WSL/issues/105, Fedora 34 Remix will be released soon, April 20 + 1 week. It will need this feature.
I'd be happy to provide SELinux support in my custom kernel config (hadn't realized I missed that particular kernel feature) if I knew all the config options needed. I have only seen CONFIG_SECURITY_SELINUX, but I doubt that's the only config option. I would expect there to be dependencies that need to be enabled for it to run properly. Perhaps I just need to go through `make menuconfig`, but I don't really have time to mess around with customizing the kernel currently.
I do think WSL2 should provide SELinux support by default, something that's been supported for a long time in Linux and has no bearing on the kernel version being used now (it could be enabled in both the 4.19 and 5.4 kernels and would still work as intended).
I found SELinux using `make menuconfig` and compiled the mainline kernel. I didn't select all the options, just the default ones for enabling SELinux. I will update my config sometime next week after verifying the kernel runs fine. If a bug is found for anything SELinux related, be sure to describe the bug and I'll see if it's related to one of those options I didn't select.
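An added example, not code from this thread or from WSL, for the dependency question raised above: a POSIX shell script that checks a kernel `.config` (or the running kernel's `/proc/config.gz`, when the kernel exposes it) for `CONFIG_SECURITY_SELINUX` together with the options SELinux's Kconfig depends on (`SECURITY_NETWORK`, `AUDIT`, `NET`, `INET`) and the `CONFIG_LSM` ordering list, and reports which SELinux mode the boot command line requests. The sample config at the bottom is constructed for illustration.

```shell
#!/bin/sh
# kconfig_has FILE OPTION: succeed if OPTION is built in (=y) in FILE.
kconfig_has() {
    grep -qx "$2=y" "$1"
}

# selinux_kconfig_missing FILE: print the required options that are not =y.
# Exit status 0 means the config can boot with SELinux available.
selinux_kconfig_missing() {
    missing=""
    for opt in CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_AUDIT \
               CONFIG_NET CONFIG_INET CONFIG_SECURITY_SELINUX; do
        kconfig_has "$1" "$opt" || missing="$missing $opt"
    done
    # Since 5.1 the active LSMs come from CONFIG_LSM (or lsm= on the cmdline);
    # SELinux must be listed there or it stays inactive even when compiled in.
    grep -q '^CONFIG_LSM=".*selinux' "$1" || missing="$missing CONFIG_LSM(selinux)"
    echo "${missing# }"
    [ -z "$missing" ]
}

# cmdline_selinux_mode CMDLINE: selinux=0 wins over enforcing=, which only
# picks permissive/enforcing; anything else leaves the distro's default.
cmdline_selinux_mode() {
    case " $1 " in
        *" selinux=0 "*)   echo disabled ;;
        *" enforcing=0 "*) echo permissive ;;
        *" enforcing=1 "*) echo enforcing ;;
        *)                 echo default ;;
    esac
}

# Constructed sample config (not a real WSL kernel config): SELinux selected
# but AUDIT left off and CONFIG_LSM not listing selinux.
SAMPLE_CONFIG=$(mktemp)
printf '%s\n' 'CONFIG_NET=y' 'CONFIG_INET=y' 'CONFIG_SECURITY=y' \
    'CONFIG_SECURITY_NETWORK=y' '# CONFIG_AUDIT is not set' \
    'CONFIG_SECURITY_SELINUX=y' 'CONFIG_LSM="lockdown,yama,apparmor"' \
    > "$SAMPLE_CONFIG"

# Check the running kernel when it exposes its config; else the sample.
if [ -r /proc/config.gz ]; then
    zcat /proc/config.gz > "$SAMPLE_CONFIG.live"
    echo "running kernel missing: $(selinux_kconfig_missing "$SAMPLE_CONFIG.live")"
    echo "cmdline requests: $(cmdline_selinux_mode "$(cat /proc/cmdline)")"
fi
echo "sample config missing: $(selinux_kconfig_missing "$SAMPLE_CONFIG")"
```

On a kernel without `/proc/config.gz`, `/sys/fs/selinux` not existing after boot is the quickest sign that the LSM is absent, in which case `selinux=0` on the command line has nothing to act on.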
**Is your feature request related to a problem? Please describe.**
After installing Fedora 33 Remix from the Microsoft Store and upgrading to Fedora 34 I lost any ability to run many Linux utilities because SELinux blocks me :( .

**Describe the solution you'd like**
Drop the SELinux runtime. SELinux can't be disabled during runtime or via configuration anymore. Since Fedora is the testbench for kernel features, all WSL distros like CentOS, Ubuntu, etc. will lose the capability to disable SELinux soon, and their upgrades will result in the same showstopper problem.

**Describe alternatives you've considered**
This is a security related decision. Somebody will install a newly published distro, or upgrade an existing one published officially by Microsoft, and will get a published, well described backdoor for reading ssh keys from ~/.ssh

```
ls /mnt/c/Users/Pavel/.ssh
configWrong id_rsa id_rsa.pub known_hosts
[root@MSI-wsl-wsl ~]#
```

and publishing them to the whole world. You even don't need to access the distro as the root user - it works for any user.

**Additional context**
Attempt to install Podman on the Microsoft published Fedora 33 Remix distro and use it for development.