Reduce the amount of “dontaudit” rules pertaining to unlabeled_t
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
Reduce the amount of rules that prevent reporting of SELinux denials pertaining to unlabeled_t. This could influence the amount of SELinux-related logs on some systems, but will not cause any new permission denials.
Owner
-
Name: Vít Mojžíš
-
Email: vmojzis@redhat.com
-
Name: Miloš Malík
-
Email: mmalik@redhat.com
Current status
Detailed Description
The SELinux security policy primarily comprises allow rules, which permit specific operations on a confined system. However, there are also SELinux rules featuring the “dontaudit” keyword. In general, these rules signify that the described operation is not allowed and will not be logged as a permission denial in audit logs. The primary purpose of these rules is to hide certain false positives or code defects, such as leaked descriptors. The drawback is that, in certain instances, these rules might obscure hints that could expedite debugging and issue resolution. It is possible to disable all dontaudit rules using “semodule -DB”, but this usually leads to large amounts of benign denials being logged and hence is not practical for long term use.
The goal of this change is to significantly reduce the amount of dontaudit rules suppressing “unlabeled_t” denials, which are often caused by miss-labeled filesystems and can usually be easily fixed when noticed by the system administrator. The rules will not be completely removed from the policy, only disabled by default, so that the change can be reverted by the admin if needed (# setsebool -P dontaudit_unlabeled_files 1
). The change could influence the amount of SELinux-related logs on some systems, but will not cause any new permission denials.
Feedback
Benefit to Fedora
Access denials caused by labeling issues will more likely be reported by SELinux.
Scope
-
Proposal owners: Determine which dontaudit rules are safe to disable by default and wrap them in conditional statements in the policy sources – changes will be limited to SElinux policy (and possibly setroubleshoot) packages
-
Other developers: Report any unlabeled_t AVCs triggered by their software
-
Release engineering: N/A (not needed for this Change)
-
Policies and guidelines: N/A (not needed for this Change)
-
Trademark approval: N/A (not needed for this Change)
-
Alignment with the Fedora Strategy: The change aligns with the “accessibility” goal as it simplifies debugging of some labeling issues
Upgrade/compatibility impact
No functionality impact, no configuration or data migration. The change could influence the amount of SELinux-related logs on some systems.
Early Testing (Optional)
Do you require ‘QA Blueprint’ support? - No
How To Test
Run your testsuite with SELinux enabled (Enforcing or Permissive mode) and record any AVCs containing unlabeld_t keyword.
# ausearch -m AVC,USER_AVC | grep unlabeled_t
User Experience
The change could increase the amount of SELinux-related logs on some systems.
Dependencies
Changes will be limited to SElinux policy (and possibly setroubleshoot) packages.
Contingency Plan
- Contingency mechanism: Do not ship the updated SELinux-policy package
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
Documentation
Dontaudit rules can be added selectively using audit2allow:
# ausearch -m AVC | grep unlabeled_t | audit2allow -D -M dontaudit_unlabeled
# semodule -i dontaudit_unlabeled.pp
All the disabled rules can be re-enabled by switching the “dontaudit_unlabeled_files” boolean (will be added as part of the change).
# setsebool -P dontaudit_unlabeled_files 1
Release Notes
Last edited by @amoloney 2024-07-01T20:46:45Z