Message ID | 164617518151.117500.8843073220563946007.stgit@olly (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Paul Moore |
Series | [RFC] selinux: runtime disable is deprecated, add some ssleep() discomfort |
On Tue, Mar 1, 2022 at 5:53 PM Paul Moore <paul@paul-moore.com> wrote: > > We deprecated the SELinux runtime disable functionality in Linux > v5.6, and it is time to get a bit more serious about removing it. > Add a five second sleep to anyone using it to help draw their > attention to the deprecation and provide a URL which helps explain > things in more detail, including how to add kernel command line > parameters to some of the more popular Linux distributions. > > Signed-off-by: Paul Moore <paul@paul-moore.com> > --- > security/selinux/selinuxfs.c | 2 ++ > 1 file changed, 2 insertions(+) Comments are also welcome on the text in the URL shown as part of the error message below. > diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c > index f2f6203e0fff..3739155ee0db 100644 > --- a/security/selinux/selinuxfs.c > +++ b/security/selinux/selinuxfs.c > @@ -293,6 +293,8 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, > * kernel releases until eventually it is removed > */ > pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n"); > + pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); > + ssleep(5); > > if (count >= PAGE_SIZE) > return -ENOMEM; >
On 3/1/2022 2:53 PM, Paul Moore wrote: > We deprecated the SELinux runtime disable functionality in Linux > v5.6, and it is time to get a bit more serious about removing it. > Add a five second sleep to anyone using it to help draw their > attention to the deprecation and provide a URL which helps explain > things in more detail, including how to add kernel command line > parameters to some of the more popular Linux distributions. > > Signed-off-by: Paul Moore <paul@paul-moore.com> Thank you for pressing on this. FWIW - Acked-by: Casey Schaufler <casey@schaufler-ca.com> > --- > security/selinux/selinuxfs.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c > index f2f6203e0fff..3739155ee0db 100644 > --- a/security/selinux/selinuxfs.c > +++ b/security/selinux/selinuxfs.c > @@ -293,6 +293,8 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, > * kernel releases until eventually it is removed > */ > pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n"); > + pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); > + ssleep(5); > > if (count >= PAGE_SIZE) > return -ENOMEM; >
On Tue, Mar 1, 2022 at 5:53 PM Paul Moore <paul@paul-moore.com> wrote:
>
> We deprecated the SELinux runtime disable functionality in Linux
> v5.6, and it is time to get a bit more serious about removing it.
> Add a five second sleep to anyone using it to help draw their
> attention to the deprecation and provide a URL which helps explain
> things in more detail, including how to add kernel command line
> parameters to some of the more popular Linux distributions.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  security/selinux/selinuxfs.c | 2 ++
>  1 file changed, 2 insertions(+)

Merged into selinux/next.
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index f2f6203e0fff..3739155ee0db 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -293,6 +293,8 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, * kernel releases until eventually it is removed */ pr_err("SELinux: Runtime disable is deprecated, use selinux=0 on the kernel cmdline.\n"); + pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); + ssleep(5); if (count >= PAGE_SIZE) return -ENOMEM;
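Review bot: the ssleep(5) sits ahead of the `if (count >= PAGE_SIZE)` check, so a write that is then rejected with -ENOMEM still logs both pr_err lines and sleeps for five seconds, and ssleep() is an uninterruptible sleep. If the delay is meant only for callers that actually request a disable, move it and the URL message below the input validation; if it is meant for every write to this node, a one-line comment saying so would help. The diffstat shows only these two insertions, so it is also worth confirming that <linux/delay.h> is already included in selinuxfs.c rather than pulled in indirectly.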
We deprecated the SELinux runtime disable functionality in Linux
v5.6, and it is time to get a bit more serious about removing it.
Add a five second sleep to anyone using it to help draw their
attention to the deprecation and provide a URL which helps explain
things in more detail, including how to add kernel command line
parameters to some of the more popular Linux distributions.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 security/selinux/selinuxfs.c | 2 ++
 1 file changed, 2 insertions(+)