58 lines
2.3 KiB
Diff
58 lines
2.3 KiB
Diff
|
From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001
|
||
|
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||
|
Date: Wed, 11 Nov 2020 17:23:39 +0100
|
||
|
Subject: [PATCH] selinux(8): explain that runtime disable is deprecated
|
||
|
|
||
|
Update the main SELinux manpage to explain that runtime disable (i.e.
|
||
|
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
|
||
|
disabling SELinux only via the kernel boot parameter.
|
||
|
|
||
|
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||
|
---
|
||
|
libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
|
||
|
1 file changed, 20 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
|
||
|
index 522d45960bf3..a36e286b1409 100644
|
||
|
--- a/libselinux/man/man8/selinux.8
|
||
|
+++ b/libselinux/man/man8/selinux.8
|
||
|
@@ -20,8 +20,8 @@ permissive mode or enforcing mode. The
|
||
|
.B SELINUX
|
||
|
variable may be set to
|
||
|
any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
|
||
|
-select one of these options. The \fIdisabled\fR option completely
|
||
|
-disables the SELinux kernel and application code, leaving the system
|
||
|
+select one of these options. The \fIdisabled\fR disables most of the
|
||
|
+SELinux kernel and application code, leaving the system
|
||
|
running without any SELinux protection. The \fIpermissive\fR option
|
||
|
enables the SELinux code, but causes it to operate in a mode where
|
||
|
accesses that would be denied by policy are permitted but audited. The
|
||
|
@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
|
||
|
denial and because some application code will fall back to a less
|
||
|
privileged mode of operation if denied access.
|
||
|
|
||
|
+.B NOTE:
|
||
|
+Disabling SELinux by setting
|
||
|
+.B SELINUX=disabled
|
||
|
+in
|
||
|
+.I /etc/selinux/config
|
||
|
+is deprecated and depending on kernel version and configuration it might
|
||
|
+not lead to SELinux being completely disabled. Specifically, the
|
||
|
+SELinux hooks will still be executed internally, but the SELinux policy
|
||
|
+will not be loaded and no operation will be denied. In such state, the
|
||
|
+system will act as if SELinux was disabled, although some operations
|
||
|
+might behave slightly differently. To properly disable SELinux, it is
|
||
|
+recommended to use the
|
||
|
+.B selinux=0
|
||
|
+kernel boot option instead. In that case SELinux will be disabled
|
||
|
+regardless of what is set in the
|
||
|
+.I /etc/selinux/config
|
||
|
+file.
|
||
|
+
|
||
|
The
|
||
|
.I /etc/selinux/config
|
||
|
configuration file also controls what policy
|
||
|
--
|
||
|
2.29.2
|
||
|
|