Bug 1203119 - Installation the Selinux Enforcing/Permissive is not available to choose
Status: RESOLVED NORESPONSE
Classification: openSUSE
Product: openSUSE Leap Micro
Component: Installation
5.3
: P5 - None : Normal
Assigned To: E-mail List
Jose Lausuch
Reported: 2022-09-05 12:14 UTC by Lubos Kocman
Modified: 2022-10-17 11:55 UTC
mfilka: needinfo? (lubos.kocman)


Attachments
selinux permissive (171.63 KB, image/png)
2022-09-05 12:14 UTC, Lubos Kocman
SLE Micro 5.3 RC policy selection (104.87 KB, image/png)
2022-09-05 12:42 UTC, Lubos Kocman

Description Lubos Kocman 2022-09-05 12:14:46 UTC
Created attachment 861303 [details]
selinux permissive

Seems like the user can choose between AppArmor and SELinux, but he seems not to be able to change the mode from Permissive (the list box seems disabled/ro).

More details in the screenshot.
Comment 1 Lubos Kocman 2022-09-05 12:18:29 UTC
Just to confirm, we do inherit the selinux policy from https://build.suse.de/package/show/SUSE:SLE-15-SP4:Update:Products:Micro53/selinux-policy
Comment 2 Lubos Kocman 2022-09-05 12:42:35 UTC
Created attachment 861304 [details]
SLE Micro 5.3 RC policy selection

SLE Micro 5.3 seems to have this correctly.
Comment 3 Lubos Kocman 2022-09-05 12:53:18 UTC
Related to https://bugzilla.suse.com/show_bug.cgi?id=1184215#c4

This is the state from the situation when there was no selinux-policy package; that has changed. However, the selection seems to be implemented only for SLE Micro 5.3.
Comment 4 Stefan Hundhammer 2022-09-05 13:11:38 UTC
AFAICS the combo box is disabled because there is only one policy available in this case:

https://github.com/yast/yast-installation/blob/master/src/lib/installation/widgets/lsm.rb#L112

      def init
        self.value = settings.selected&.id.to_s
        disable if items.size <= 1
      end

Why there is only one I don't know.
Comment 5 Max Lin 2022-09-05 13:53:41 UTC
Perhaps you need to update skelcd-control-SMO to version 5.3.0 at least; it seems to be supporting the adjustable lsm clickbox since skelcd-control-SMO 5.3.0 (https://build.opensuse.org/package/rdiff/SUSE:SLE-15-SP4:Update:Products:Micro53/skelcd-control-SMO?linkrev=base&rev=2). Leap Micro 5.3 has skelcd-control-SMO 5.2.3. @YaST team, can that be related?
Comment 6 David Diaz 2022-09-05 13:59:23 UTC
(In reply to Stefan Hundhammer from comment #4)
> AFAICS the combo box is disabled because there is only one policy available
> in this case:
> 
> https://github.com/yast/yast-installation/blob/master/src/lib/installation/
> widgets/lsm.rb#L112
> 
>       def init
>         self.value = settings.selected&.id.to_s
>         disable if items.size <= 1
>       end
> 
> Why there is only one I don't know.

Actually, this is the code for the "Selected Module" selector, not for the "SELinux Mode" one.

The "SELinux Mode" is disabled because it is marked as not configurable, see https://github.com/yast/yast-installation/blob/ce0223d21b268ff579025f1f8c500d7ca908b578/src/lib/installation/widgets/selinux_mode.rb#L44

The configurable setting comes from Y2Security::LSM::Config instance (https://github.com/yast/yast-security/blob/a6a56535e9285f66804814daafe85d310786e140/src/lib/y2security/lsm/config.rb#L141), which loads it from the Yast::ProductFeatures unless running in WSL. I.e., it comes from the control file.

In MicroOS control file (master branch) it is set as configurable, see https://github.com/yast/skelcd-control-MicroOS/blob/55c1370a0ba4b86c8c17f54ff4a9f6a0e41f22ad/control/control.MicroOS.xml#L90. 


Where can I check the control file for openSUSE Leap Micro?
Comment 7 David Diaz 2022-09-05 14:10:41 UTC
(In reply to Max Lin from comment #5)
> Perhaps you need to update skelcd-control-SMO to version 5.3.0 at least, it
> seems to be supporting the adjustable lsm clickbox since skelcd-control-SMO
> 5.3.0
> https://build.opensuse.org/package/rdiff/SUSE:SLE-15-SP4:Update:Products:
> Micro53/skelcd-control-SMO?linkrev=base&rev=2 , Leap Micro 5.3 has
> skelcd-control-SMO 5.2.3. @YaST team, can that be related?

Thanks Max!


Yes, it can. It depends on which version of yast2-security is in use. yast2-security 4.3.x expects the configuration as it is in skelcd-control-SMO 5.2.3, which is not the case for yast2-security 4.4.x, which extended the Major Linux Security Module support (see https://github.com/yast/yast-security/pull/115) and expects the configuration as in skelcd-control-SMO 5.3 (https://github.com/yast/skelcd-control-SMO/blob/aebdcf2429ce67c03c823995addd47b40ffda144/control/control.SMO.xml#L77-L93).
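
The version check discussed in comments 5 to 7, as an added example that is not part of the bug thread or of YaST's code: it reports which LSM layout a control file carries and whether that matches the layout comment 7 says a given yast2-security series expects. The XML element names, the sample fragments and the helper names are assumptions; only the 4.3.x/4.4.x pairing comes from comment 7.

```ruby
require "rexml/document"

# Constructed samples; element names are assumptions, check your own file.
NS = 'xmlns="http://www.suse.com/1.0/yast2ns" ' \
     'xmlns:config="http://www.suse.com/1.0/configns"'
LEGACY_CONTROL = <<~XML
  <productDefines #{NS}><globals>
    <selinux>
      <mode>permissive</mode>
      <configurable config:type="boolean">true</configurable>
    </selinux>
  </globals></productDefines>
XML
LSM_CONTROL = <<~XML
  <productDefines #{NS}><globals>
    <lsm>
      <selinux>
        <mode>enforcing</mode>
        <configurable config:type="boolean">true</configurable>
      </selinux>
    </lsm>
  </globals></productDefines>
XML

# Direct child element by local name (ignores the default XML namespace).
def child(el, name)
  el&.children&.grep(REXML::Element)&.find { |e| e.name == name }
end

# Which layout the file uses, plus the SELinux mode and its configurable flag.
def lsm_report(xml)
  globals = child(REXML::Document.new(xml).root, "globals")
  lsm = child(globals, "lsm")
  selinux = child(lsm || globals, "selinux")
  layout = lsm ? :lsm_section : (selinux ? :legacy_selinux : :none)
  { layout: layout,
    selinux_mode: child(selinux, "mode")&.text&.strip,
    mode_configurable: child(selinux, "configurable")&.text.to_s.strip == "true" }
end

# Layout each yast2-security series expects, per comment 7.
EXPECTED_LAYOUT = { "4.3" => :legacy_selinux, "4.4" => :lsm_section }.freeze

# True when the control file layout differs from what that series expects.
def layout_mismatch?(xml, yast2_security_version)
  expected = EXPECTED_LAYOUT[yast2_security_version.split(".").first(2).join(".")]
  !expected.nil? && lsm_report(xml)[:layout] != expected
end

p lsm_report(LEGACY_CONTROL) if $PROGRAM_NAME == __FILE__
```

Run it against the control file shipped on the installation medium and the yast2-security version in the installer image; a mismatch points at the package combination comment 7 describes.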
Comment 8 Michal Filka 2022-09-07 09:03:44 UTC
@Lubos:
Could you check whether the right versions are currently available during installation? See comment#7 for details. Thanks
Comment 9 Stefan Hundhammer 2022-09-29 08:03:06 UTC
Lubos, this is still in NEEDINFO from you; see also comment #8.
Comment 10 Knut Alejandro Anderssen González 2022-10-17 11:55:50 UTC
Lubos, I will close it for now as we have been waiting for a response for more than one month, so please reopen it if it still makes sense or it is not solved yet.