From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 11 Nov 2020 17:23:39 +0100
Subject: [PATCH] selinux(8): explain that runtime disable is deprecated

Update the main SELinux manpage to explain that runtime disable (i.e.
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
disabling SELinux only via the kernel boot parameter.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 522d45960bf3..a36e286b1409 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -20,8 +20,8 @@ permissive mode or enforcing mode.  The
 .B SELINUX
 variable may be set to
 any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
-select one of these options.  The \fIdisabled\fR option completely
-disables the SELinux kernel and application code, leaving the system
+select one of these options.  The \fIdisabled\fR disables most of the
+SELinux kernel and application code, leaving the system
 running without any SELinux protection.  The \fIpermissive\fR option
 enables the SELinux code, but causes it to operate in a mode where
 accesses that would be denied by policy are permitted but audited.  The
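Review bot: the rewritten sentence on the `+select one of these options.` line drops the noun after `\fIdisabled\fR`, so `The \fIdisabled\fR disables most of the` no longer parallels `The \fIpermissive\fR option` in the unchanged context line that follows. Suggest `The \fIdisabled\fR option disables most of the` so the three option descriptions read the same way.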
@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
 denial and because some application code will fall back to a less
 privileged mode of operation if denied access.
 
+.B NOTE:
+Disabling SELinux by setting
+.B SELINUX=disabled
+in
+.I /etc/selinux/config
+is deprecated and depending on kernel version and configuration it might
+not lead to SELinux being completely disabled.  Specifically, the
+SELinux hooks will still be executed internally, but the SELinux policy
+will not be loaded and no operation will be denied.  In such state, the
+system will act as if SELinux was disabled, although some operations
+might behave slightly differently.  To properly disable SELinux, it is
+recommended to use the
+.B selinux=0
+kernel boot option instead.  In that case SELinux will be disabled
+regardless of what is set in the
+.I /etc/selinux/config
+file.
+
 The
 .I /etc/selinux/config
 configuration file also controls what policy
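Review bot: two grammar nits in the added NOTE paragraph: `In such state, the` should read `In such a state, the`, and `as if SELinux was disabled` should read `as if SELinux were disabled`. The substance is right to state as it does: with `SELINUX=disabled` the hooks still run but no policy is loaded and nothing is denied, and `selinux=0` on the kernel command line is the only setting that disables SELinux regardless of the config file, so it is worth keeping both halves of that contrast in the final wording.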
-- 
2.29.2