* [PATCH userspace v2 0/3] Update manpages to reflect that runtime SELinux disable is deprecated
From: Ondrej Mosnacek @ 2020-11-11 16:23 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
SSIA
Ondrej Mosnacek (3):
selinux(8): mark up SELINUX values
selinux(8): explain that runtime disable is deprecated
selinux_config(5): add a note that runtime disable is deprecated
libselinux/man/man8/selinux.8 | 42 ++++++++++++++++-------
policycoreutils/man/man5/selinux_config.5 | 2 +-
2 files changed, 31 insertions(+), 13 deletions(-)
--
2.26.2
* [PATCH userspace v2 1/3] selinux(8): mark up SELINUX values
From: Ondrej Mosnacek @ 2020-11-11 16:23 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
Mark up the possible values of SELINUX (disabled, permissive, enforcing)
for better readability.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/man/man8/selinux.8 | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 31364271..2afe6d3d 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in
permissive mode or enforcing mode. The
.B SELINUX
variable may be set to
-any one of disabled, permissive, or enforcing to select one of these
-options. The disabled option completely disables the SELinux kernel
-and application code, leaving the system running without any SELinux
-protection. The permissive option enables the SELinux code, but
-causes it to operate in a mode where accesses that would be denied by
-policy are permitted but audited. The enforcing option enables the
-SELinux code and causes it to enforce access denials as well as
-auditing them. Permissive mode may yield a different set of denials
-than enforcing mode, both because enforcing mode will prevent an
-operation from proceeding past the first denial and because some
-application code will fall back to a less privileged mode of operation
-if denied access.
+any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
+select one of these options. The \fIdisabled\fR option completely
+disables the SELinux kernel and application code, leaving the system
+running without any SELinux protection. The \fIpermissive\fR option
+enables the SELinux code, but causes it to operate in a mode where
+accesses that would be denied by policy are permitted but audited. The
+\fIenforcing\fR option enables the SELinux code and causes it to enforce
+access denials as well as auditing them. \fIpermissive\fR mode may
+yield a different set of denials than enforcing mode, both because
+enforcing mode will prevent an operation from proceeding past the first
+denial and because some application code will fall back to a less
+privileged mode of operation if denied access.
The
.I /etc/selinux/config
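Review bot: the sentence "\fIpermissive\fR mode may yield a different set of denials than enforcing mode" now begins in lowercase and marks up "permissive" but not "enforcing", although both words here refer to the operating mode rather than to the SELINUX config value; either keep the original plain "Permissive mode may yield ... than enforcing mode" for this sentence, or mark up both words consistently. The rest of the hunk (the three values in the list of options and their "The \fI...\fR option" references) is a straight markup change and looks fine.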
--
2.26.2
* [PATCH userspace v2 2/3] selinux(8): explain that runtime disable is deprecated
From: Ondrej Mosnacek @ 2020-11-11 16:23 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
Update the main SELinux manpage to explain that runtime disable (i.e.
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
disabling SELinux only via the kernel boot parameter.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 2afe6d3d..0ef01460 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -20,8 +20,8 @@ permissive mode or enforcing mode. The
.B SELINUX
variable may be set to
any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
-select one of these options. The \fIdisabled\fR option completely
-disables the SELinux kernel and application code, leaving the system
+select one of these options. The \fIdisabled\fR disables most of the
+SELinux kernel and application code, leaving the system
running without any SELinux protection. The \fIpermissive\fR option
enables the SELinux code, but causes it to operate in a mode where
accesses that would be denied by policy are permitted but audited. The
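Review bot: the rewritten line "The \fIdisabled\fR disables most of the SELinux kernel and application code" has lost the word "option" that the removed line carried; it should read "The \fIdisabled\fR option disables most of the SELinux kernel and application code". The substantive change from "completely disables" to "disables most of" is correct and matches the NOTE added in the following hunk, which explains that the hooks keep running.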
@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
denial and because some application code will fall back to a less
privileged mode of operation if denied access.
+.B NOTE:
+Disabling SELinux by setting
+.B SELINUX=disabled
+in
+.I /etc/selinux/config
+is deprecated and depending on kernel version and configuration it might
+not lead to SELinux being completely disabled. Specifically, the
+SELinux hooks will still be executed internally, but the SELinux policy
+will not be loaded and no operation will be denied. In such state, the
+system will act as if SELinux was disabled, although some operations
+might behave slightly differently. To properly disable SELinux, it is
+recommended to use the
+.B selinux=0
+kernel boot option instead. In that case SELinux will be disabled
+regardless of what is set in the
+.I /etc/selinux/config
+file.
+
The
.I /etc/selinux/config
configuration file also controls what policy
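Review bot: two grammar nits in the new NOTE paragraph: "In such state" should read "In such a state", and "as if SELinux was disabled" reads better as "as if SELinux were disabled". The phrase "no operation will be denied" would also be clearer as "no operation will be denied by SELinux", since other access controls still apply. The substance (hooks still executed, no policy loaded, prefer the \fBselinux=0\fR boot option, which overrides the config file) is accurate and is exactly what readers of this page need.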
--
2.26.2
* [PATCH userspace v2 3/3] selinux_config(5): add a note that runtime disable is deprecated
From: Ondrej Mosnacek @ 2020-11-11 16:23 UTC (permalink / raw)
To: selinux; +Cc: Petr Lautrbach
...and refer to selinux(8), which explains it further.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/man/man5/selinux_config.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
index 1ffade15..8d56a559 100644
--- a/policycoreutils/man/man5/selinux_config.5
+++ b/policycoreutils/man/man5/selinux_config.5
@@ -48,7 +48,7 @@ SELinux security policy is enforced.
.IP \fIpermissive\fR 4
SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
.IP \fIdisabled\fR
-SELinux is disabled and no policy is loaded.
+No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprected. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
.RE
.sp
The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
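Review bot: typo in the added line: "deprected" should be "deprecated". The clause "This option was used to disable SELinux completely, which is now deprected" also reads as though disabling SELinux itself were deprecated rather than this way of doing it; suggest "This option, formerly used to disable SELinux completely, is now deprecated." Unrelated to this change but visible in the context: the \fIdisabled\fR .IP entry lacks the indent argument "4" that the \fIpermissive\fR entry carries, so the two items may render with different indentation.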
--
2.26.2
* Re: [PATCH userspace v2 3/3] selinux_config(5): add a note that runtime disable is deprecated
From: Nicolas Iooss @ 2020-11-11 21:19 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: SElinux list, Petr Lautrbach
On Wed, Nov 11, 2020 at 5:23 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> ...and refer to selinux(8), which explains it further.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> policycoreutils/man/man5/selinux_config.5 | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
> index 1ffade15..8d56a559 100644
> --- a/policycoreutils/man/man5/selinux_config.5
> +++ b/policycoreutils/man/man5/selinux_config.5
> @@ -48,7 +48,7 @@ SELinux security policy is enforced.
> .IP \fIpermissive\fR 4
> SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
> .IP \fIdisabled\fR
> -SELinux is disabled and no policy is loaded.
> +No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprected. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
Hi, there is a misspelling here: deprected -> deprecated. Otherwise
the 3 patches look good to me, thanks!
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nicolas
* Re: [PATCH userspace v2 3/3] selinux_config(5): add a note that runtime disable is deprecated
From: Nicolas Iooss @ 2020-11-12 21:07 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: SElinux list, Petr Lautrbach
On Wed, Nov 11, 2020 at 10:19 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Wed, Nov 11, 2020 at 5:23 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > ...and refer to selinux(8), which explains it further.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> > policycoreutils/man/man5/selinux_config.5 | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
> > index 1ffade15..8d56a559 100644
> > --- a/policycoreutils/man/man5/selinux_config.5
> > +++ b/policycoreutils/man/man5/selinux_config.5
> > @@ -48,7 +48,7 @@ SELinux security policy is enforced.
> > .IP \fIpermissive\fR 4
> > SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
> > .IP \fIdisabled\fR
> > -SELinux is disabled and no policy is loaded.
> > +No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprected. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
>
> Hi, there is a misspelling here: deprected -> deprecated. Otherwise
> the 3 patches look good to me, thanks!
>
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Merged.
Thanks,
Nicolas