* [PATCH userspace] selinux(8): explain that runtime disable is deprecated
@ 2020-11-11 9:51 Ondrej Mosnacek
2020-11-11 10:07 ` Petr Lautrbach
0 siblings, 1 reply; 4+ messages in thread
From: Ondrej Mosnacek @ 2020-11-11 9:51 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
Update the main SELinux manpage to explain that runtime disable (i.e.
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
disabling SELinux only via the kernel boot parameter.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 31364271..721a65f4 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in
permissive mode or enforcing mode. The
.B SELINUX
variable may be set to
-any one of disabled, permissive, or enforcing to select one of these
-options. The disabled option completely disables the SELinux kernel
+any one of Disabled, Permissive, or Enforcing to select one of these
+options. The Disabled option completely disables the SELinux kernel
and application code, leaving the system running without any SELinux
-protection. The permissive option enables the SELinux code, but
+protection. The Permissive option enables the SELinux code, but
causes it to operate in a mode where accesses that would be denied by
-policy are permitted but audited. The enforcing option enables the
+policy are permitted but audited. The Enforcing option enables the
SELinux code and causes it to enforce access denials as well as
auditing them. Permissive mode may yield a different set of denials
than enforcing mode, both because enforcing mode will prevent an
@@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some
application code will fall back to a less privileged mode of operation
if denied access.
+.B NOTE:
+Disabling SELinux by setting
+.B SELINUX=Disabled
+in
+.I /etc/selinux/config
+is deprecated and depending on kernel version and configuration it might
+not lead to SELinux being completely disabled. Specifically, the
+SELinux hooks will still be executed internally, but the SELinux policy
+will not be loaded and no operation will be denied. In such state, the
+system will act as if SELinux was disabled, although some operations
+might behave slightly differently. To properly disable SELinux, it is
+recommended to use the
+.B selinux=0
+kernel boot option instead. In that case SELinux will be disabled
+regardless of what is set in the
+.I /etc/selinux/config
+file.
+
The
.I /etc/selinux/config
configuration file also controls what policy
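Review bot: `.B NOTE:` is inserted directly after `if denied access.` with no `.PP` in between, so the bold "NOTE:" is set in the same paragraph as the preceding sentence; add a `.PP` before it, matching the blank line that already ends the note, so it gets its own paragraph. Two wording nits in the same block: "In such state" should read "In such a state", and "as if SELinux was disabled" should read "as if SELinux were disabled". "depending on kernel version and configuration" also leaves the administrator unable to check their own kernel; if the kernel option controlling runtime disable (CONFIG_SECURITY_SELINUX_DISABLE) is what is meant, naming it here would make the note actionable.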
--
2.26.2
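As an added example (not part of the patch or of libselinux), a small POSIX sh check that classifies how a host disables SELinux, separating the `selinux=0` kernel boot parameter the patch recommends from the deprecated runtime disable via `SELINUX=disabled` in `/etc/selinux/config`; the two file paths are the ones named in the patch, while the function names and output labels are constructed here.

```shell
#!/bin/sh
# Added example (not part of the patch or of libselinux): classify how a
# host disables SELinux, separating the recommended selinux=0 boot
# parameter from the deprecated runtime disable via /etc/selinux/config.
# Function names and the output labels are constructed for this example.

# $1: contents of /proc/cmdline
# $2: the SELINUX= value from /etc/selinux/config (compared case-insensitively)
# Prints one of: boot-disabled, runtime-disabled, enabled, unknown:<value>
selinux_disable_mode() {
    cmdline=$1
    config_value=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    # selinux=0 on the kernel command line wins regardless of the config file
    case " $cmdline " in
        *" selinux=0 "*) echo boot-disabled; return 0 ;;
    esac
    case "$config_value" in
        disabled)             echo runtime-disabled ;;   # deprecated path
        enforcing|permissive) echo enabled ;;
        *)                    echo "unknown:$config_value" ;;
    esac
}

# $1: full text of /etc/selinux/config. Prints the effective SELINUX= value
# (last assignment wins), ignoring comment lines and trailing comments.
config_selinux_value() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        | tail -n 1
}

# Audit the running host; a missing file is treated as empty input.
audit_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    cfg=$(cat /etc/selinux/config 2>/dev/null || true)
    selinux_disable_mode "$cmdline" "$(config_selinux_value "$cfg")"
}

if [ "${1-}" = "--audit" ]; then
    audit_host
fi
```

Run it with `--audit` on a host to see which of the three states applies; `runtime-disabled` is the configuration the patch warns about.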
* Re: [PATCH userspace] selinux(8): explain that runtime disable is deprecated
2020-11-11 9:51 [PATCH userspace] selinux(8): explain that runtime disable is deprecated Ondrej Mosnacek
@ 2020-11-11 10:07 ` Petr Lautrbach
2020-11-11 10:19 ` Ondrej Mosnacek
From: Petr Lautrbach @ 2020-11-11 10:07 UTC (permalink / raw)
To: selinux; +Cc: Ondrej Mosnacek
On Wed, Nov 11, 2020 at 10:51:34AM +0100, Ondrej Mosnacek wrote:
> Update the main SELinux manpage to explain that runtime disable (i.e.
> disabling SELinux using SELINUX=Disabled) is deprecated and recommend
> disabling SELinux only via the kernel boot parameter.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++----
> 1 file changed, 22 insertions(+), 4 deletions(-)
>
> diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
> index 31364271..721a65f4 100644
> --- a/libselinux/man/man8/selinux.8
> +++ b/libselinux/man/man8/selinux.8
> @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in
> permissive mode or enforcing mode. The
> .B SELINUX
> variable may be set to
> -any one of disabled, permissive, or enforcing to select one of these
> -options. The disabled option completely disables the SELinux kernel
> +any one of Disabled, Permissive, or Enforcing to select one of these
Is there a reason for these changes?
policycoreutils/man/man5/selinux_config.5 aka selinux_config(5) doesn't use
capitals:
SELINUX = enforcing | permissive | disabled
> +options. The Disabled option completely disables the SELinux kernel
> and application code, leaving the system running without any SELinux
> -protection. The permissive option enables the SELinux code, but
> +protection. The Permissive option enables the SELinux code, but
> causes it to operate in a mode where accesses that would be denied by
> -policy are permitted but audited. The enforcing option enables the
> +policy are permitted but audited. The Enforcing option enables the
> SELinux code and causes it to enforce access denials as well as
> auditing them. Permissive mode may yield a different set of denials
> than enforcing mode, both because enforcing mode will prevent an
> @@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some
> application code will fall back to a less privileged mode of operation
> if denied access.
>
> +.B NOTE:
> +Disabling SELinux by setting
> +.B SELINUX=Disabled
> +in
> +.I /etc/selinux/config
> +is deprecated and depending on kernel version and configuration it might
> +not lead to SELinux being completely disabled. Specifically, the
> +SELinux hooks will still be executed internally, but the SELinux policy
> +will not be loaded and no operation will be denied. In such state, the
> +system will act as if SELinux was disabled, although some operations
> +might behave slightly differently. To properly disable SELinux, it is
> +recommended to use the
> +.B selinux=0
> +kernel boot option instead. In that case SELinux will be disabled
> +regardless of what is set in the
> +.I /etc/selinux/config
> +file.
> +
> The
> .I /etc/selinux/config
> configuration file also controls what policy
> --
> 2.26.2
>
* Re: [PATCH userspace] selinux(8): explain that runtime disable is deprecated
2020-11-11 10:07 ` Petr Lautrbach
@ 2020-11-11 10:19 ` Ondrej Mosnacek
2020-11-11 15:56 ` Paul Moore
From: Ondrej Mosnacek @ 2020-11-11 10:19 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: SElinux list
On Wed, Nov 11, 2020 at 11:07 AM Petr Lautrbach <plautrba@redhat.com> wrote:
> On Wed, Nov 11, 2020 at 10:51:34AM +0100, Ondrej Mosnacek wrote:
> > Update the main SELinux manpage to explain that runtime disable (i.e.
> > disabling SELinux using SELINUX=Disabled) is deprecated and recommend
> > disabling SELinux only via the kernel boot parameter.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> > libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++----
> > 1 file changed, 22 insertions(+), 4 deletions(-)
> >
> > diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
> > index 31364271..721a65f4 100644
> > --- a/libselinux/man/man8/selinux.8
> > +++ b/libselinux/man/man8/selinux.8
> > @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in
> > permissive mode or enforcing mode. The
> > .B SELINUX
> > variable may be set to
> > -any one of disabled, permissive, or enforcing to select one of these
> > -options. The disabled option completely disables the SELinux kernel
> > +any one of Disabled, Permissive, or Enforcing to select one of these
>
> Is there a reason for these changes?
Just for better readability. Although I should probably just mark them
up, as in selinux_config(5)...
> policycoreutils/man/man5/selinux_config.5 aka selinux_config(5) doesn't use
> capitals:
>
> SELINUX = enforcing | permissive | disabled
Good point, it should be consistent. And also that page will need a
similar update. v2 coming soon...
>
> > +options. The Disabled option completely disables the SELinux kernel
> > and application code, leaving the system running without any SELinux
> > -protection. The permissive option enables the SELinux code, but
> > +protection. The Permissive option enables the SELinux code, but
> > causes it to operate in a mode where accesses that would be denied by
> > -policy are permitted but audited. The enforcing option enables the
> > +policy are permitted but audited. The Enforcing option enables the
> > SELinux code and causes it to enforce access denials as well as
> > auditing them. Permissive mode may yield a different set of denials
> > than enforcing mode, both because enforcing mode will prevent an
> > @@ -32,6 +32,24 @@ operation from proceeding past the first denial and because some
> > application code will fall back to a less privileged mode of operation
> > if denied access.
> >
> > +.B NOTE:
> > +Disabling SELinux by setting
> > +.B SELINUX=Disabled
> > +in
> > +.I /etc/selinux/config
> > +is deprecated and depending on kernel version and configuration it might
> > +not lead to SELinux being completely disabled. Specifically, the
> > +SELinux hooks will still be executed internally, but the SELinux policy
> > +will not be loaded and no operation will be denied. In such state, the
> > +system will act as if SELinux was disabled, although some operations
> > +might behave slightly differently. To properly disable SELinux, it is
> > +recommended to use the
> > +.B selinux=0
> > +kernel boot option instead. In that case SELinux will be disabled
> > +regardless of what is set in the
> > +.I /etc/selinux/config
> > +file.
> > +
> > The
> > .I /etc/selinux/config
> > configuration file also controls what policy
> > --
> > 2.26.2
> >
--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
* Re: [PATCH userspace] selinux(8): explain that runtime disable is deprecated
2020-11-11 10:19 ` Ondrej Mosnacek
@ 2020-11-11 15:56 ` Paul Moore
From: Paul Moore @ 2020-11-11 15:56 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: Petr Lautrbach, SElinux list
On Wed, Nov 11, 2020 at 5:19 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Wed, Nov 11, 2020 at 11:07 AM Petr Lautrbach <plautrba@redhat.com> wrote:
> > On Wed, Nov 11, 2020 at 10:51:34AM +0100, Ondrej Mosnacek wrote:
> > > Update the main SELinux manpage to explain that runtime disable (i.e.
> > > disabling SELinux using SELINUX=Disabled) is deprecated and recommend
> > > disabling SELinux only via the kernel boot parameter.
> > >
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > > libselinux/man/man8/selinux.8 | 26 ++++++++++++++++++++++----
> > > 1 file changed, 22 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
> > > index 31364271..721a65f4 100644
> > > --- a/libselinux/man/man8/selinux.8
> > > +++ b/libselinux/man/man8/selinux.8
> > > @@ -19,12 +19,12 @@ enabled or disabled, and if enabled, whether SELinux operates in
> > > permissive mode or enforcing mode. The
> > > .B SELINUX
> > > variable may be set to
> > > -any one of disabled, permissive, or enforcing to select one of these
> > > -options. The disabled option completely disables the SELinux kernel
> > > +any one of Disabled, Permissive, or Enforcing to select one of these
> >
> > Is there a reason for these changes?
>
> Just for better readability. Although I should probably just mark them
> up, as in selinux_config(5)...
>
> > policycoreutils/man/man5/selinux_config.5 aka selinux_config(5) doesn't use
> > capitals:
> >
> > SELINUX = enforcing | permissive | disabled
>
> Good point, it should be consistent. And also that page will need a
> similar update. v2 coming soon...
Thanks!
--
paul moore
www.paul-moore.com