From: Richard Haines <richard_c_haines@btinternet.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, Richard Haines <richard_c_haines@btinternet.com>
Subject: [PATCH Notebook] SELINUX=disabled is being deprecated
Date: Mon,  4 Apr 2022 10:29:00 +0100
Message-ID: <20220404092900.6400-1-richard_c_haines@btinternet.com>

The existing kernel command line switch selinux=0, which allows users to
disable SELinux at system boot, should be used instead.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/core_components.md     | 6 +++++-
 src/embedded_systems.md    | 6 ++++++
 src/global_config_files.md | 5 +++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/core_components.md b/src/core_components.md
index eeb1945..17c4d66 100644
--- a/src/core_components.md
+++ b/src/core_components.md
@@ -126,7 +126,11 @@ in the audit log. SELinux can also be disabled (at boot time only) by
 setting *SELINUX=disabled*. There is also support for the
 [***permissive***](type_statements.md#permissive) statement that allows a
 domain to run in permissive mode while the others are still confined
-(instead of all or nothing set by *SELINUX=*).
+(instead of all or nothing set by *SELINUX=*). Note setting *SELINUX=disabled*
+will be deprecated at some stage, in favor of the existing kernel command line
+switch *selinux=0*, which allows users to disable SELinux at system boot. See
+<https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+that explains how to achieve this on various Linux distributions.
 
 <!-- %CUTHERE% -->
 
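Review bot: The added sentence in core_components.md says *SELINUX=disabled* "will be deprecated at some stage", while the subject line says it "is being deprecated"; pick one tense so readers know whether they should migrate now. The note is also separated from the sentence it qualifies: the context line "SELinux can also be disabled (at boot time only) by setting *SELINUX=disabled*" comes first, then the *permissive* statement, then the deprecation note, so the reader goes disable, permissive, disable. Moving the note directly after the "at boot time only" sentence would keep the two statements about disabling together. Minor wording: "Note that setting ..." and "See <URL>, which explains ...".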
diff --git a/src/embedded_systems.md b/src/embedded_systems.md
index 75821fe..9661649 100644
--- a/src/embedded_systems.md
+++ b/src/embedded_systems.md
@@ -244,6 +244,12 @@ SELINUX=enforcing
 SELINUXTYPE=targeted
 ```
 
+Note setting *SELINUX=disabled* will be deprecated at some stage, in favor of
+the existing kernel command line switch *selinux=0*, which allows users to
+disable SELinux at system boot. See
+<https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+that explains how to achieve this on various Linux distributions.
+
 The standard Linux SELinux policy load sequence is as follows:
 
 - Obtain policy version supported by the kernel.
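Review bot: The paragraph added to embedded_systems.md never says why the config option is going away. The linked wiki page is named DEPRECATE-runtime-disable, but the text itself does not mention runtime disable, so a reader cannot tell how *SELINUX=disabled* differs in effect from *selinux=0* without following the link. One sentence stating that difference would make the note self-contained. The paragraph is also a verbatim copy of the one added to core_components.md and sits between an example that sets SELINUX=enforcing and the policy load sequence, where it reads as disconnected; consider a short lead such as "If the config file is used to disable SELinux ..." or a cross-reference to a single canonical note instead of repeating the text.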
diff --git a/src/global_config_files.md b/src/global_config_files.md
index 7c8132d..1dcdfeb 100644
--- a/src/global_config_files.md
+++ b/src/global_config_files.md
@@ -46,6 +46,11 @@ This entry can contain one of three values:
   the global SELinux enforcement mode. It is still possible to have domains
   running in permissive mode and/or object managers running as disabled,
   permissive or enforcing, when the global mode is enforcing or permissive.
+  Note setting *SELINUX=disabled* will be deprecated at some stage, in favor of
+  the existing kernel command line switch *selinux=0*, which allows users to
+  disable SELinux at system boot. See
+  <https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+  that explains how to achieve this on various Linux distributions.
 
 *SELINUXTYPE*
 
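Review bot: In global_config_files.md the note is appended, with no paragraph break, to text about the global enforcement mode and about domains running permissive "when the global mode is enforcing or permissive", so the deprecation of *disabled* ends up in a passage about the other two values. It would be easier to find in the description of the *disabled* value among the "three values" this entry lists, or as its own paragraph. This is the third verbatim copy of the paragraph in the patch; keeping the full text here, in the file that documents *SELINUX=*, and linking to it from the other two files would avoid three places to update when the deprecation status changes.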
-- 
2.35.1

