[RFC PATCH] selinux: deprecate disabling SELinux and runtime

[Paul Moore]

On Thu, Jan 2, 2020 at 4:24 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> On Thu, Dec 19, 2019 at 8:22 PM Paul Moore <paul at paul-moore.com> wrote:
> > Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality.  The
> > code was originally developed to make it easier for Linux
> > distributions to support architectures where adding parameters to the
> > kernel command line was difficult.  Unfortunately, supporting runtime
> > disable meant we had to make some security trade-offs when it came to
> > the LSM hooks, as documented in the Kconfig help text:
> >
> >   NOTE: selecting this option will disable the '__ro_after_init'
> >   kernel hardening feature for security hooks.   Please consider
> >   using the selinux=0 boot parameter instead of enabling this
> >   option.
> >
> > Fortunately it looks as if that the original motivation for the
> > runtime disable functionality is gone, and Fedora/RHEL appears to be
> > the only major distribution enabling this capability at build time
> > so we are now taking steps to remove it entirely from the kernel.
> > The first step is to mark the functionality as deprecated and print
> > an error when it is used (what this patch is doing).  As Fedora/RHEL
> > makes progress in transitioning the distribution away from runtime
> > disable, we will introduce follow-up patches over several kernel
> > releases which will block for increasing periods of time when the
> > runtime disable is used.  Finally we will remove the option entirely
> > once we believe all users have moved to the kernel cmdline approach.
> >
> > Signed-off-by: Paul Moore <paul at paul-moore.com>
>
> Looks reasonable, informal ACK from me.

Thanks.  You want to make that a formal ACK? ;)

-- 
paul moore
www.paul-moore.com