Bug 1189580

Summary: security: when enabling SELinux during install apparmor is still present
Product: [openSUSE] openSUSE Tumbleweed Reporter: Ludwig Nussel <lnussel>
Component: YaST2Assignee: E-mail List <yast2-maintainers>
Status: RESOLVED FEATURE QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P5 - None CC: dgonzalez, jreidinger, llzhao, lnussel, msvec, petr.vorel
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1194332
https://bugzilla.suse.com/show_bug.cgi?id=1196274
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Ludwig Nussel 2021-08-18 14:05:03 UTC 
yast gained a feature to enable SELinux during installation:
https://github.com/yast/yast-installation-control/pull/109

However when checking that option, apparmor stuff still gets installed. That is due to patterns pulling it in. Now we could remove that dependency like this: https://build.opensuse.org/request/show/912903

I can't find code in yast that would pull in the apparmor pattern then though. So I suppose when we accept that SR all default installs won't have apparmor anymore.

Wouldn't it make sense if the security module would allow to choose which LSM to use, ie apparmor, selinux or none? The apparmor case could then read a global section for pattern list, just like the selinux path does.
Comment 1 Lukas Ocilka 2021-08-18 15:09:24 UTC 
Frankly, that would be a feature request as the current implementation comes from another feature request (for SELinux) that wanted to have it exactly like this. Especially as TW is SLE 15 SP4 for us - we can't maintain two development branches at the same time.
Comment 2 David Diaz 2021-08-18 15:17:33 UTC 
Hi Ludwig!

To add a little bit more context, let me clarify to future readers that, as long as the product allows it, the SELinux mode can be configured during the installation through the recently added security client (see screenshots at [1]). Setting it to "Disabled" means to not use SELinux as Linux Security Module but keep using the "default" one (AppArmor in our case, see [2]).

That said, if I understood you correctly, you're proposing to give the user the possibility to select the desired LSM (AppArmor, SELinux, or even none) directly from this client. I.e., having a "Linux Security Module" selector which those options and updating the "security", "apparmor", and "selinux" boot params accordingly in addition to select the needed security pattern(s). Right?

If so, it sounds more like a feature request than an issue. @Josef, what do you think? Is it feasible?

If not, please let me know where I got lost :)

Thanks!

[1] https://github.com/yast/yast-installation/pull/906
[2] https://github.com/yast/yast-security/pull/83
Comment 3 David Diaz 2021-08-18 15:20:52 UTC 
(In reply to David Diaz from comment #2)
>  
> If so, it sounds more like a feature request than an issue. @Josef, what do
> you think? Is it feasible?
> 
> If not, please let me know where I got lost :)
> 

I mean, 

If so, it sounds more like a feature request than an issue. If not, please let me know where I got lost :)

@Josef, what do you think? Is it feasible?
Comment 4 Josef Reidinger 2021-08-18 15:22:59 UTC 
yes, for me it makes sense to allow in security to pick and possibly fine tune LSM, but I think this should really go thrue jira with proper discussion, so hopefully we can prevent issues we have after implementing that selinux jira entry.
Comment 5 Ludwig Nussel 2021-08-18 15:53:39 UTC 
Looking at the feature request (https://jira.suse.com/browse/PM-2244) it doesn't specify what is supposed to happen with Apparmor at all. The feature originated in MicroOS which I suppose doesn't have Apparmor on the medium. So actually it wouldn't be dragged in on MicroOS. All good there.
My guess is that PM is not aware that the side effect of the way this feature is implemented would be having both Apparmor and SELinux packages on the system for TW and probably SLE itself when enabling SELinux during installation.
Comment 6 Michal Svec 2021-08-19 13:25:04 UTC 
(In reply to Josef Reidinger from comment #4)
> yes, for me it makes sense to allow in security to pick and possibly fine
> tune LSM, but I think this should really go thrue jira with proper
> discussion, so hopefully we can prevent issues we have after implementing
> that selinux jira entry.

This is definitely a reasonable suggestion and I agree would be nice to have.
Josef, David, can you please create a Jira request for 15 SP4? TiA!
Comment 7 Lukas Ocilka 2021-08-24 15:03:04 UTC 
I've created a feature request https://jira.suse.com/browse/PM-2920
Please add your comment there.
Comment 8 Petr Vorel 2022-02-22 07:52:50 UTC 
FYI: there is not just AppArmor and SELinux, we support more LSM modules (at least IMA/EVM). Please when change LSM related kernel boot parameters keep that in mind and try to retest all LSM modules we support (changes driven by this initiative caused #1194332 and #1196274).