diff mbox series

[Notebook] SELINUX=disabled is being deprecated

Message ID 20220404092900.6400-1-richard_c_haines@btinternet.com (mailing list archive)
State Accepted
Delegated to: Paul Moore

Commit Message

Richard Haines April 4, 2022, 9:29 a.m. UTC
The existing kernel command line switch selinux=0, which allows users to
disable SELinux at system boot, should be used instead.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/core_components.md     | 6 +++++-
 src/embedded_systems.md    | 6 ++++++
 src/global_config_files.md | 5 +++++
 3 files changed, 16 insertions(+), 1 deletion(-)

Comments

Paul Moore April 4, 2022, 9:35 p.m. UTC | #1
On Mon, Apr 4, 2022 at 5:29 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> The existing kernel command line switch selinux=0, which allows users to
> disable SELinux at system boot, should be used instead.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  src/core_components.md     | 6 +++++-
>  src/embedded_systems.md    | 6 ++++++
>  src/global_config_files.md | 5 +++++
>  3 files changed, 16 insertions(+), 1 deletion(-)

Merged, thanks!

Patch

diff --git a/src/core_components.md b/src/core_components.md
index eeb1945..17c4d66 100644
--- a/src/core_components.md
+++ b/src/core_components.md
@@ -126,7 +126,11 @@  in the audit log. SELinux can also be disabled (at boot time only) by
 setting *SELINUX=disabled*. There is also support for the
 [***permissive***](type_statements.md#permissive) statement that allows a
 domain to run in permissive mode while the others are still confined
-(instead of all or nothing set by *SELINUX=*).
+(instead of all or nothing set by *SELINUX=*). Note setting *SELINUX=disabled*
+will be deprecated at some stage, in favor of the existing kernel command line
+switch *selinux=0*, which allows users to disable SELinux at system boot. See
+<https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+that explains how to achieve this on various Linux distributions.
 
 <!-- %CUTHERE% -->
 
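Review bot: The added text says *SELINUX=disabled* "will be deprecated at some stage", while the patch subject says it "is being deprecated"; pick one wording so readers can tell whether the deprecation has already started. The unchanged sentence at the top of this hunk still presents *SELINUX=disabled* as the way to disable SELinux "at boot time only", so the note would be easier to find directly after that sentence rather than after the text about the *permissive* statement. Wording nits: "Note that setting ..." and "See <url>, which explains ..." read better than "Note setting" and "See <url> that explains".
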
diff --git a/src/embedded_systems.md b/src/embedded_systems.md
index 75821fe..9661649 100644
--- a/src/embedded_systems.md
+++ b/src/embedded_systems.md
@@ -244,6 +244,12 @@  SELINUX=enforcing
 SELINUXTYPE=targeted
 ```
 
+Note setting *SELINUX=disabled* will be deprecated at some stage, in favor of
+the existing kernel command line switch *selinux=0*, which allows users to
+disable SELinux at system boot. See
+<https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+that explains how to achieve this on various Linux distributions.
+
 The standard Linux SELinux policy load sequence is as follows:
 
 - Obtain policy version supported by the kernel.
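Review bot: The pointer to a page covering "various Linux distributions" (last added line) is a weak fit for embedded_systems.md, where the reader may not be running a distribution at all; a sentence here saying that *selinux=0* has to be placed on the kernel command line used to boot the target would make the note usable on its own. The paragraph is also word for word the one added to core_components.md and global_config_files.md, so three copies will need editing when the deprecation status changes; consider keeping the full text in one file and cross-referencing it from the other two.
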
diff --git a/src/global_config_files.md b/src/global_config_files.md
index 7c8132d..1dcdfeb 100644
--- a/src/global_config_files.md
+++ b/src/global_config_files.md
@@ -46,6 +46,11 @@  This entry can contain one of three values:
   the global SELinux enforcement mode. It is still possible to have domains
   running in permissive mode and/or object managers running as disabled,
   permissive or enforcing, when the global mode is enforcing or permissive.
+  Note setting *SELINUX=disabled* will be deprecated at some stage, in favor of
+  the existing kernel command line switch *selinux=0*, which allows users to
+  disable SELinux at system boot. See
+  <https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable>
+  that explains how to achieve this on various Linux distributions.
 
 *SELINUXTYPE*
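
Review bot: The note is appended to the end of the list item whose last sentence is about the global mode being "enforcing or permissive", so the deprecation of *SELINUX=disabled* reads as a continuation of that thought; start it as its own indented paragraph (blank line before "Note setting ...") or move it next to the description of the *disabled* value. Since this is the file that documents the entry, it would also help to say explicitly that *selinux=0* is a kernel command line switch and not a value for this *SELINUX=* entry, because the two names differ only in case.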