[RFC PATCH] selinux: deprecate disabling SELinux and runtime

Ondrej Mosnacek omosnace at redhat.com
Fri Jan 3 09:32:39 UTC 2020 

On Thu, Jan 2, 2020 at 10:38 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Thu, Jan 2, 2020 at 4:24 AM Ondrej Mosnacek <omosnace at redhat.com> wrote:
> > On Thu, Dec 19, 2019 at 8:22 PM Paul Moore <paul at paul-moore.com> wrote:
> > > Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality.  The
> > > code was originally developed to make it easier for Linux
> > > distributions to support architectures where adding parameters to the
> > > kernel command line was difficult.  Unfortunately, supporting runtime
> > > disable meant we had to make some security trade-offs when it came to
> > > the LSM hooks, as documented in the Kconfig help text:
> > >
> > >   NOTE: selecting this option will disable the '__ro_after_init'
> > >   kernel hardening feature for security hooks.   Please consider
> > >   using the selinux=0 boot parameter instead of enabling this
> > >   option.
> > >
> > > Fortunately it looks as if that the original motivation for the
> > > runtime disable functionality is gone, and Fedora/RHEL appears to be
> > > the only major distribution enabling this capability at build time
> > > so we are now taking steps to remove it entirely from the kernel.
> > > The first step is to mark the functionality as deprecated and print
> > > an error when it is used (what this patch is doing).  As Fedora/RHEL
> > > makes progress in transitioning the distribution away from runtime
> > > disable, we will introduce follow-up patches over several kernel
> > > releases which will block for increasing periods of time when the
> > > runtime disable is used.  Finally we will remove the option entirely
> > > once we believe all users have moved to the kernel cmdline approach.
> > >
> > > Signed-off-by: Paul Moore <paul at paul-moore.com>
> >
> > Looks reasonable, informal ACK from me.
>
> Thanks.  You want to make that a formal ACK? ;)

Sure, if you find it useful :)

Acked-by: Ondrej Mosnacek <omosnace at redhat.com>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.

More information about the Linux-security-module-archive mailing list