Re: selinux: how to query if selinux is enabled
From: Olga Kornievskaia <hidden>
Date: 2020-10-08 15:15:42
On Thu, Oct 8, 2020 at 10:08 AM Ondrej Mosnacek [off-list ref] wrote:
> On Thu, Oct 8, 2020 at 3:50 PM Olga Kornievskaia [off-list ref] wrote:
>> On Wed, Oct 7, 2020 at 9:07 PM Paul Moore [off-list ref] wrote:
>>> On Wed, Oct 7, 2020 at 8:41 PM Olga Kornievskaia [off-list ref] wrote:
>>>> Hi folks,
>>>>
>>>> From some Linux kernel module, is it possible to query and find out whether or not SELinux is currently enabled? Thank you.
>>>
>>> [NOTE: CC'ing the SELinux list as it's probably a bit more relevant than the LSM list]
>>>
>>> In general most parts of the kernel shouldn't need to worry about what LSMs are active and/or enabled; they simply interact with the LSM(s) via the interfaces defined in include/linux/security.h (there are some helpful comments in include/linux/lsm_hooks.h). Can you elaborate a bit more on what you are trying to accomplish?
>>
>> Hi Paul,
>>
>> Thank you for the response. What I'm trying to accomplish is the following. Within a file system (NFS), typically any queries for security labels are triggered by SELinux (or I guess an LSM in general) through the xattr_handler hooks. However, when the VFS is calling to get directory entries, NFS will always get the labels (barring the server not supporting it). This is useless and affects performance (i.e., it makes servers do extra work and adds to the network traffic) when SELinux is disabled. It would be useful if NFS could check whether there is anything that requires those labels, i.e., whether SELinux is enabled or disabled.
>
> Isn't this already accomplished by the security_ismaclabel() checks that NFS is already doing?

No it is not (for the readdir). Yes, security_ismaclabel() is used during the calls triggered through the xattr_handler when a security label is queried on a specific file system object (inode). This is done through the xattr_handler interface, which supplies things like a "key" (which I'm not exactly sure what that is, but the LSM (SELinux) uses it). The only thing that we have in the VFS readdir call is a dentry (inode). (inode)->i_security isn't NULL (I already checked, as I was hoping that would be NULL when SELinux is disabled). So I need something else to check to see if SELinux/LSM is active.

> --
> Ondrej Mosnacek
> Software Engineer, Platform Security - SELinux kernel
> Red Hat, Inc.