selinux: how to query if selinux is enabled

Thu Oct 8 18:43:56 UTC 2020

On 10/8/2020 8:15 AM, Olga Kornievskaia wrote:
> On Thu, Oct 8, 2020 at 10:08 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
>> On Thu, Oct 8, 2020 at 3:50 PM Olga Kornievskaia <aglo at umich.edu> wrote:
>>> On Wed, Oct 7, 2020 at 9:07 PM Paul Moore <paul at paul-moore.com> wrote:
>>>> On Wed, Oct 7, 2020 at 8:41 PM Olga Kornievskaia <aglo at umich.edu> wrote:
>>>>> Hi folks,
>>>>>
>>>>> From some linux kernel module, is it possible to query and find out
>>>>> whether or not selinux is currently enabled or not?
>>>>>
>>>>> Thank you.
>>>> [NOTE: CC'ing the SELinux list as it's probably a bit more relevant
>>>> that the LSM list]
>>>>
>>>> In general most parts of the kernel shouldn't need to worry about what
>>>> LSMs are active and/or enabled; the simply interact with the LSM(s)
>>>> via the interfaces defined in include/linux/security.h (there are some
>>>> helpful comments in include/linux/lsm_hooks.h).  Can you elaborate a
>>>> bit more on what you are trying to accomplish?
>>> Hi Paul,
>>>
>>> Thank you for the response. What I'm trying to accomplish is the
>>> following. Within a file system (NFS), typically any queries for
>>> security labels are triggered by the SElinux (or I guess an LSM in
>>> general) (thru the xattr_handler hooks). However, when the VFS is
>>> calling to get directory entries NFS will always get the labels
>>> (baring server not supporting it). However this is useless and affects
>>> performance (ie., this makes servers do extra work  and adds to the
>>> network traffic) when selinux is disabled. It would be useful if NFS
>>> can check if there is anything that requires those labels, if SElinux
>>> is enabled or disabled.
>> Isn't this already accomplished by the security_ismaclabel() checks
>> that NFS is already doing?
> No it is not (for the readdir). Yes security_ismaclabel() is used
> during the calls triggers thru the xattr_handle when a security_label
> is queried on a specific file system object (inode).
>
> This is done thru the xattr_handler interface which supplies things
> like a "key" (which I'm not exactly sure that is but LSM(selinux)
> uses). The only thing that we have in VFS readdir call is a
> dentry(inode). (inode)->i_security isn't NULL (I already checked as I
> was hoping that would be null when selinux is disabled). So I need
> something else to check to see if selinux/LSM is active.

The NFS labeling is supposed to work for any security module, not
just SELinux. security_ismaclabel() should be the interface you need
to use. Checking inode->i_security would NOT give you a definitive
answer, as a security module may very well have an inode attribute
that is not related to Mandatory Access Control (MAC).