* [PATCH Notebook] SELINUX=disabled is being deprecated
@ 2022-04-04 9:29 Richard Haines
2022-04-04 21:35 ` Paul Moore
0 siblings, 1 reply; 2+ messages in thread
From: Richard Haines @ 2022-04-04 9:29 UTC
To: selinux; +Cc: paul, Richard Haines
The existing kernel command line switch selinux=0, which allows users to
disable SELinux at system boot, should be used instead.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/core_components.md | 6 +++++-
src/embedded_systems.md | 6 ++++++
src/global_config_files.md | 5 +++++
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/core_components.md b/src/core_components.md
index eeb1945..17c4d66 100644
--- a/src/core_components.md
+++ b/src/core_components.md
@@ -126,7 +126,11 @@ in the audit log. SELinux can also be disabled (at boot time only) by
setting *SELINUX=disabled*. There is also support for the
[***permissive***](type_statements.md#permissive) statement that allows a
domain to run in permissive mode while the others are still confined
-(instead of all or nothing set by *SELINUX=*).
+(instead of all or nothing set by *SELINUX=*). Note setting *SELINUX=disabled*
+will be deprecated at some stage, in favor of the existing kernel command line
+switch *selinux=0*, which allows users to disable SELinux at system boot. See
+<https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+that explains how to achieve this on various Linux distributions.
<!-- %CUTHERE% -->
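Review bot: The sentence added after "(instead of all or nothing set by *SELINUX=*)" says *SELINUX=disabled* "will be deprecated at some stage", while the patch subject says it "is being deprecated"; use one wording so readers can tell whether the deprecation has already started. The unchanged context line at the top of the hunk still reads "setting *SELINUX=disabled*" as the way to disable SELinux at boot, with no mention of *selinux=0*, so consider naming the kernel switch there too. "See <...> that explains" would also read better as "See <...>, which explains".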
diff --git a/src/embedded_systems.md b/src/embedded_systems.md
index 75821fe..9661649 100644
--- a/src/embedded_systems.md
+++ b/src/embedded_systems.md
@@ -244,6 +244,12 @@ SELINUX=enforcing
SELINUXTYPE=targeted
```
+Note setting *SELINUX=disabled* will be deprecated at some stage, in favor of
+the existing kernel command line switch *selinux=0*, which allows users to
+disable SELinux at system boot. See
+<https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+that explains how to achieve this on various Linux distributions.
+
The standard Linux SELinux policy load sequence is as follows:
- Obtain policy version supported by the kernel.
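Review bot: The note added after the `SELINUXTYPE=targeted` example is the same paragraph this patch adds to core_components.md and global_config_files.md; consider keeping the full text in one of them and cross-referencing it from the other two so the three copies cannot drift apart. In this embedded systems file, the pointer to instructions for "various Linux distributions" may not match the reader's target, so a short sentence on where the kernel command line is set for an embedded build would help.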
diff --git a/src/global_config_files.md b/src/global_config_files.md
index 7c8132d..1dcdfeb 100644
--- a/src/global_config_files.md
+++ b/src/global_config_files.md
@@ -46,6 +46,11 @@ This entry can contain one of three values:
the global SELinux enforcement mode. It is still possible to have domains
running in permissive mode and/or object managers running as disabled,
permissive or enforcing, when the global mode is enforcing or permissive.
+ Note setting *SELINUX=disabled* will be deprecated at some stage, in favor of
+ the existing kernel command line switch *selinux=0*, which allows users to
+ disable SELinux at system boot. See
+ <https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+ that explains how to achieve this on various Linux distributions.
*SELINUXTYPE*
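Review bot: The five added lines in the *SELINUX* entry follow "...when the global mode is enforcing or permissive." with no blank line in between, so in Markdown they become part of that paragraph and the deprecation note reads as a continuation of the remark about permissive domains and object managers. Add a paragraph break before "Note setting *SELINUX=disabled*" (keeping the indentation) so it renders as its own note.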
--
2.35.1
* Re: [PATCH Notebook] SELINUX=disabled is being deprecated
From: Paul Moore @ 2022-04-04 21:35 UTC
To: Richard Haines; +Cc: selinux
On Mon, Apr 4, 2022 at 5:29 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> The existing kernel command line switch selinux=0, which allows users to
> disable SELinux at system boot, should be used instead.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> src/core_components.md | 6 +++++-
> src/embedded_systems.md | 6 ++++++
> src/global_config_files.md | 5 +++++
> 3 files changed, 16 insertions(+), 1 deletion(-)
Merged, thanks!
--
paul-moore.com