selinux: how to query if selinux is enabled

Thu Oct 8 20:56:14 UTC 2020

On Thu, Oct 8, 2020 at 2:44 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> On 10/8/2020 8:15 AM, Olga Kornievskaia wrote:
> > On Thu, Oct 8, 2020 at 10:08 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> >> On Thu, Oct 8, 2020 at 3:50 PM Olga Kornievskaia <aglo at umich.edu> wrote:
> >>> On Wed, Oct 7, 2020 at 9:07 PM Paul Moore <paul at paul-moore.com> wrote:
> >>>> On Wed, Oct 7, 2020 at 8:41 PM Olga Kornievskaia <aglo at umich.edu> wrote:
> >>>>> Hi folks,
> >>>>>
> >>>>> From some linux kernel module, is it possible to query and find out
> >>>>> whether or not selinux is currently enabled or not?
> >>>>>
> >>>>> Thank you.
> >>>> [NOTE: CC'ing the SELinux list as it's probably a bit more relevant
> >>>> that the LSM list]
> >>>>
> >>>> In general most parts of the kernel shouldn't need to worry about what
> >>>> LSMs are active and/or enabled; the simply interact with the LSM(s)
> >>>> via the interfaces defined in include/linux/security.h (there are some
> >>>> helpful comments in include/linux/lsm_hooks.h).  Can you elaborate a
> >>>> bit more on what you are trying to accomplish?
> >>> Hi Paul,
> >>>
> >>> Thank you for the response. What I'm trying to accomplish is the
> >>> following. Within a file system (NFS), typically any queries for
> >>> security labels are triggered by the SElinux (or I guess an LSM in
> >>> general) (thru the xattr_handler hooks). However, when the VFS is
> >>> calling to get directory entries NFS will always get the labels
> >>> (baring server not supporting it). However this is useless and affects
> >>> performance (ie., this makes servers do extra work  and adds to the
> >>> network traffic) when selinux is disabled. It would be useful if NFS
> >>> can check if there is anything that requires those labels, if SElinux
> >>> is enabled or disabled.
> >> Isn't this already accomplished by the security_ismaclabel() checks
> >> that NFS is already doing?
> > No it is not (for the readdir). Yes security_ismaclabel() is used
> > during the calls triggers thru the xattr_handle when a security_label
> > is queried on a specific file system object (inode).
> >
> > This is done thru the xattr_handler interface which supplies things
> > like a "key" (which I'm not exactly sure that is but LSM(selinux)
> > uses). The only thing that we have in VFS readdir call is a
> > dentry(inode). (inode)->i_security isn't NULL (I already checked as I
> > was hoping that would be null when selinux is disabled). So I need
> > something else to check to see if selinux/LSM is active.
>
> The NFS labeling is supposed to work for any security module, not
> just SELinux. security_ismaclabel() should be the interface you need
> to use. Checking inode->i_security would NOT give you a definitive
> answer, as a security module may very well have an inode attribute
> that is not related to Mandatory Access Control (MAC).

Can you suggest what should be passed into security_ismaclabel()?
Typically this is driven by a call into the kernel module that
registered an xattr_handler and LSM passes into it an attribute name
to use to lookup (basically what is passed into the xatrr_handler for
key/name is passed to security_ismaclabel()). VFS readdir doesn't have
anything like that.