Where to look for system services modified for SELinux

Where to look for system services modified for SELinux

[Casey Schaufler]

It would be very helpful if I could find documentation about, or even a
list of, system services that have been enhanced in support of SELinux.
I'm doing this as part of the LSM stacking effort, looking for things that
may require additional work for the multiple LSM environment. I already
know about systemd, dbus and the pam module.

Thanks.
 

Re: Where to look for system services modified for SELinux

[Stephen Smalley]

On Tue, Mar 19, 2024 at 7:03 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> It would be very helpful if I could find documentation about, or even a
> list of, system services that have been enhanced in support of SELinux.
> I'm doing this as part of the LSM stacking effort, looking for things that
> may require additional work for the multiple LSM environment. I already
> know about systemd, dbus and the pam module.

(re-send in plaintext mode, with some additional info appended at the end)

There is an old list at
https://github.com/SELinuxProject/selinux/wiki/Userspace-Packages

But the only way to get an accurate up-to-date list is to use your
favorite package manager and ask it for the list of all packages that
depend on libselinux. That will be more than just services of course.
Technically that might not get all of them since some could just be
directly using the xattr system calls, the /proc/pid/attr interface,
and/or the /sys/fs/selinux interface without using the libselinux
wrappers.

Some SELinux-aware services besides the ones you listed above and not
in the original list on GitHub include nscd (part of glibc), sssd,
Xorg, PostgreSQL, libvirtd, all the modern cron variants, and various
container runtimes/daemons. The extent to which they use SELinux APIs
varies though, from those that are merely getting/setting SELinux
process or file contexts to full-fledged userspace object managers /
policy enforcers.

Then there is a completely different list for Android, but not sure
you care about it.

Re: Where to look for system services modified for SELinux

[Casey Schaufler]

On 3/20/2024 8:50 AM, Stephen Smalley wrote:
> On Tue, Mar 19, 2024 at 7:03 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> It would be very helpful if I could find documentation about, or even a
>> list of, system services that have been enhanced in support of SELinux.
>> I'm doing this as part of the LSM stacking effort, looking for things that
>> may require additional work for the multiple LSM environment. I already
>> know about systemd, dbus and the pam module.
> (re-send in plaintext mode, with some additional info appended at the end)
>
> There is an old list at
> https://github.com/SELinuxProject/selinux/wiki/Userspace-Packages
>
> But the only way to get an accurate up-to-date list is to use your
> favorite package manager and ask it for the list of all packages that
> depend on libselinux. That will be more than just services of course.
> Technically that might not get all of them since some could just be
> directly using the xattr system calls, the /proc/pid/attr interface,
> and/or the /sys/fs/selinux interface without using the libselinux
> wrappers.
>
> Some SELinux-aware services besides the ones you listed above and not
> in the original list on GitHub include nscd (part of glibc), sssd,
> Xorg, PostgreSQL, libvirtd, all the modern cron variants, and various
> container runtimes/daemons. The extent to which they use SELinux APIs
> varies though, from those that are merely getting/setting SELinux
> process or file contexts to full-fledged userspace object managers /
> policy enforcers.
>
> Then there is a completely different list for Android, but not sure
> you care about it.

Thank you, that's been a big help. Turns out Fedora 39 installs 93
packages with "selinux" in the title. Yoiks!

Re: Where to look for system services modified for SELinux

[Petr Lautrbach]

Casey Schaufler <casey@schaufler-ca.com> writes:

> On 3/20/2024 8:50 AM, Stephen Smalley wrote:
>> On Tue, Mar 19, 2024 at 7:03 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>> It would be very helpful if I could find documentation about, or even a
>>> list of, system services that have been enhanced in support of SELinux.
>>> I'm doing this as part of the LSM stacking effort, looking for things that
>>> may require additional work for the multiple LSM environment. I already
>>> know about systemd, dbus and the pam module.
>> (re-send in plaintext mode, with some additional info appended at the end)
>>
>> There is an old list at
>> https://github.com/SELinuxProject/selinux/wiki/Userspace-Packages
>>
>> But the only way to get an accurate up-to-date list is to use your
>> favorite package manager and ask it for the list of all packages that
>> depend on libselinux. That will be more than just services of course.
>> Technically that might not get all of them since some could just be
>> directly using the xattr system calls, the /proc/pid/attr interface,
>> and/or the /sys/fs/selinux interface without using the libselinux
>> wrappers.
>>
>> Some SELinux-aware services besides the ones you listed above and not
>> in the original list on GitHub include nscd (part of glibc), sssd,
>> Xorg, PostgreSQL, libvirtd, all the modern cron variants, and various
>> container runtimes/daemons. The extent to which they use SELinux APIs
>> varies though, from those that are merely getting/setting SELinux
>> process or file contexts to full-fledged userspace object managers /
>> policy enforcers.
>>
>> Then there is a completely different list for Android, but not sure
>> you care about it.
>
> Thank you, that's been a big help. Turns out Fedora 39 installs 93
> packages with "selinux" in the title. Yoiks!

Title could be misleading as there are -selinux packages with custom
policies.

But there's about 95 packages which require libselinux:

$ sudo dnf repoquery --disablerepo=\* --enablerepo=fedora --whatrequires='libselinux.so.1()(64bit)' --qf '%{sourcerpm}' | uniq 

Re: Where to look for system services modified for SELinux

[Petr Lautrbach]

Petr Lautrbach <plautrba@redhat.com> writes:

> Casey Schaufler <casey@schaufler-ca.com> writes:
>
>> On 3/20/2024 8:50 AM, Stephen Smalley wrote:
>>> On Tue, Mar 19, 2024 at 7:03 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>>> It would be very helpful if I could find documentation about, or even a
>>>> list of, system services that have been enhanced in support of SELinux.
>>>> I'm doing this as part of the LSM stacking effort, looking for things that
>>>> may require additional work for the multiple LSM environment. I already
>>>> know about systemd, dbus and the pam module.
>>> (re-send in plaintext mode, with some additional info appended at the end)
>>>
>>> There is an old list at
>>> https://github.com/SELinuxProject/selinux/wiki/Userspace-Packages
>>>
>>> But the only way to get an accurate up-to-date list is to use your
>>> favorite package manager and ask it for the list of all packages that
>>> depend on libselinux. That will be more than just services of course.
>>> Technically that might not get all of them since some could just be
>>> directly using the xattr system calls, the /proc/pid/attr interface,
>>> and/or the /sys/fs/selinux interface without using the libselinux
>>> wrappers.
>>>
>>> Some SELinux-aware services besides the ones you listed above and not
>>> in the original list on GitHub include nscd (part of glibc), sssd,
>>> Xorg, PostgreSQL, libvirtd, all the modern cron variants, and various
>>> container runtimes/daemons. The extent to which they use SELinux APIs
>>> varies though, from those that are merely getting/setting SELinux
>>> process or file contexts to full-fledged userspace object managers /
>>> policy enforcers.
>>>
>>> Then there is a completely different list for Android, but not sure
>>> you care about it.
>>
>> Thank you, that's been a big help. Turns out Fedora 39 installs 93
>> packages with "selinux" in the title. Yoiks!
>
> Title could be misleading as there are -selinux packages with custom
> policies.
>
> But there's about 95 packages which require libselinux:
>
> $ sudo dnf repoquery --disablerepo=\* --enablerepo=fedora --whatrequires='libselinux.so.1()(64bit)' --qf '%{sourcerpm}' | uniq 

sourcegraph found 103 .spec files with BuildRequires: libselinux-devel

https://sourcegraph.com/search?q=context:global+repo:%5Esrc.fedoraproject.org/+BuildRequires:+libselinux-devel&patternType=regexp&sm=0