selinux: how to query if selinux is enabled

Thu Oct 8 22:50:24 UTC 2020

On 10/8/2020 1:56 PM, Olga Kornievskaia wrote:
> On Thu, Oct 8, 2020 at 2:44 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> On 10/8/2020 8:15 AM, Olga Kornievskaia wrote:
>>> On Thu, Oct 8, 2020 at 10:08 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
>>>> On Thu, Oct 8, 2020 at 3:50 PM Olga Kornievskaia <aglo at umich.edu> wrote:
>>>>> On Wed, Oct 7, 2020 at 9:07 PM Paul Moore <paul at paul-moore.com> wrote:
>>>>>> On Wed, Oct 7, 2020 at 8:41 PM Olga Kornievskaia <aglo at umich.edu> wrote:
>>>>>>> Hi folks,
>>>>>>>
>>>>>>> From some linux kernel module, is it possible to query and find out
>>>>>>> whether or not selinux is currently enabled or not?
>>>>>>>
>>>>>>> Thank you.
>>>>>> [NOTE: CC'ing the SELinux list as it's probably a bit more relevant
>>>>>> that the LSM list]
>>>>>>
>>>>>> In general most parts of the kernel shouldn't need to worry about what
>>>>>> LSMs are active and/or enabled; the simply interact with the LSM(s)
>>>>>> via the interfaces defined in include/linux/security.h (there are some
>>>>>> helpful comments in include/linux/lsm_hooks.h).  Can you elaborate a
>>>>>> bit more on what you are trying to accomplish?
>>>>> Hi Paul,
>>>>>
>>>>> Thank you for the response. What I'm trying to accomplish is the
>>>>> following. Within a file system (NFS), typically any queries for
>>>>> security labels are triggered by the SElinux (or I guess an LSM in
>>>>> general) (thru the xattr_handler hooks). However, when the VFS is
>>>>> calling to get directory entries NFS will always get the labels
>>>>> (baring server not supporting it). However this is useless and affects
>>>>> performance (ie., this makes servers do extra work  and adds to the
>>>>> network traffic) when selinux is disabled. It would be useful if NFS
>>>>> can check if there is anything that requires those labels, if SElinux
>>>>> is enabled or disabled.
>>>> Isn't this already accomplished by the security_ismaclabel() checks
>>>> that NFS is already doing?
>>> No it is not (for the readdir). Yes security_ismaclabel() is used
>>> during the calls triggers thru the xattr_handle when a security_label
>>> is queried on a specific file system object (inode).
>>>
>>> This is done thru the xattr_handler interface which supplies things
>>> like a "key" (which I'm not exactly sure that is but LSM(selinux)
>>> uses). The only thing that we have in VFS readdir call is a
>>> dentry(inode). (inode)->i_security isn't NULL (I already checked as I
>>> was hoping that would be null when selinux is disabled). So I need
>>> something else to check to see if selinux/LSM is active.
>> The NFS labeling is supposed to work for any security module, not
>> just SELinux. security_ismaclabel() should be the interface you need
>> to use. Checking inode->i_security would NOT give you a definitive
>> answer, as a security module may very well have an inode attribute
>> that is not related to Mandatory Access Control (MAC).
> Can you suggest what should be passed into security_ismaclabel()?
> Typically this is driven by a call into the kernel module that
> registered an xattr_handler and LSM passes into it an attribute name
> to use to lookup (basically what is passed into the xatrr_handler for
> key/name is passed to security_ismaclabel()). VFS readdir doesn't have
> anything like that.

I'm not convinced that the question makes sense. Are you trying to
avoid in the VFS layer a call in the NFS layer to fetch an attribute
the NFS layer isn't supporting? Is that reasonable? I could see changing
the NFS implementation to be more careful about the calls it is making,
but not the VFS layer. Or am I (once again) missing the point?