Selinux not working with provided kernels

[arrfab]

Hi,

I initially opened a proper ticket with Scaleway, but I was answered this : "Please be aware that we do not provide support regarding available kernels. I would suggest getting in touch with our developers directly through GitHub if needed, as they are the only ones in charge regarding kernels."

So here we go !

When booting various provided kernels on aarch64 nodes, selinux is disabled, and there is no way to change that. No way to influence cmdline to add "enforcing=1" or other parameters. and no way to just confirm that buit and provided kernels support it. I only see older config files (like for https://github.com/scaleway/kernel-tools/blob/master/aarch64/4.9.30-std/.config) but nothing that maps to any kernel provided through any bootscript.

What would be the best way to have selinux enabled at kernel compile time and at runtime on the provisioned nodes ?

[arrfab]

Just to add that I also provisioned a C2 / x86_64 instance and same issue : selinux is Disabled

[arrfab]

Just to mention (in case people read this bug report) that it's a known issue : https://github.com/scaleway/image-centos/issues/19

For aarch64 there is still no workaround, but for x86_64, one can :

• boot with normal bootscript/kernel
• modify /etc/sysconfig/selinux (to put it in permissive)
• touch /.autorelabel
• modify bootscript to use fedora kernel
• systemctl reboot

after a reboot, one can :

• modify /etc/sysconfig/selinux (to put it in enforcing)
• setenforce 1

What I'd like to see if support from Scaleway for bootscripts that allow selinux on all centos images, like aarch64 too and it will relabel the filesystem and will have selinux in

[starlilyth]

Scaleway images have been altered to prevent SELinux from being enabled:

# zcat /proc/config.gz | grep SELINUX
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set

Specifically: CONFIG_SECURITY_SELINUX_DISABLE=y

[arrfab]

But the question is : "why ?" as there is no way to modify bootscripts to enable it, what's the proper solution ? I checked the 4.9.75 LTS kernel built to fix meltdown/spectre and it has the same problem again

[starlilyth]

So far my responses from Scaleway support are full denial of making the alteration. Not a great first impression when the evidence is so plainly available.

[Canisaur]

I'm not sure what's preventing you from using SELinux, but a quick search shows that CONFIG_SECURITY_SELINUX_DISABLE is not the problem. That config simply adds the option to disable SELinux at runtime.

See https://cateee.net/lkddb/web-lkddb/SECURITY_SELINUX_DISABLE.html and https://github.com/torvalds/linux/tree/master/security/selinux/Kconfig

This option enables writing to a selinuxfs node 'disable', which allows SELinux to be disabled at runtime prior to the policy load. SELinux will then remain disabled until the next boot. This option is similar to the selinux=0 boot parameter, but is to support runtime disabling of SELinux, e.g. from /sbin/init, for portability across platforms where boot parameters are difficult to employ.

[starlilyth]

Then I am not sure either, but as a 20 year RHCE I am pretty positive I am attempting to enable it correctly, as are many others who are also unable to turn it on successfully. It is well documented and quite simple, and it does not work on Scaleway images. It is not a lack of understanding on my or anyone elses part; these images are incapable of using SELinux.

If you have a better understanding of why, please do share it so Scaleway engineers can perhaps correct their fault and we can all move on.

[Canisaur]

Does the default image have SELinux disabled in /etc/sysconfig/selinux? If so, since the kernel provides the option to disable (but not enable) SELinux at runtime via this flag, it seems like a solution to make everyone happy is:

1. Scaleway changes CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE to 1.
2. Scaleway changes their default images so that they write to the selinuxfs node 'disable' via /sbin/init or whatever as described. Now SELinux is effectively disabled by default (as it is today) for those who don't know/care about it.
3. Users who want SELinux simply disable whatever writes to the selinuxfs node 'disable'.

If SELinux is set to enforced by default in /etc/sysconfig/selinux, then doing the above will unexpectedly enable SELinux for everybody, which is bad. But if it's disabled then I don't see any problem with the above steps.

In fact, steps 2 and 3 aren't even necessary if they've got it disabled in /etc/sysconfig/selinux. So really Scaleway just needs to set SECURITY_SELINUX_BOOTPARAM_VALUE to 1.

[arrfab]

That's also where I have a big issue with all this : providing a unique kernel and claim to the whole world that it's a distro is in fact also lying to to users .. but that's a different story. As the user itself has no way to modify the boot nor alter/change kernel parameters, user is stuck not in a configuration he dediced, but the one imposed by someone at Scaleway ...

Still waiting for Scaleway to respond to this, as they refuse to answer that through official support and I was asked to instead ask here ...

[debianmaster]

im seeing same issue, what is the fix?