From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Wed, 11 Nov 2020 17:23:39 +0100 Subject: [PATCH] selinux(8): explain that runtime disable is deprecated Update the main SELinux manpage to explain that runtime disable (i.e. disabling SELinux using SELINUX=Disabled) is deprecated and recommend disabling SELinux only via the kernel boot parameter. Signed-off-by: Ondrej Mosnacek --- libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 index 522d45960bf3..a36e286b1409 100644 --- a/libselinux/man/man8/selinux.8 +++ b/libselinux/man/man8/selinux.8 @@ -20,8 +20,8 @@ permissive mode or enforcing mode. The .B SELINUX variable may be set to any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to -select one of these options. The \fIdisabled\fR option completely -disables the SELinux kernel and application code, leaving the system +select one of these options. The \fIdisabled\fR disables most of the +SELinux kernel and application code, leaving the system running without any SELinux protection. The \fIpermissive\fR option enables the SELinux code, but causes it to operate in a mode where accesses that would be denied by policy are permitted but audited. The 
@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first denial and because some application code will fall back to a less privileged mode of operation if denied access. +.B NOTE: +Disabling SELinux by setting +.B SELINUX=disabled +in +.I /etc/selinux/config +is deprecated and depending on kernel version and configuration it might +not lead to SELinux being completely disabled. Specifically, the +SELinux hooks will still be executed internally, but the SELinux policy +will not be loaded and no operation will be denied. In such state, the +system will act as if SELinux was disabled, although some operations +might behave slightly differently. To properly disable SELinux, it is +recommended to use the +.B selinux=0 +kernel boot option instead. In that case SELinux will be disabled +regardless of what is set in the +.I /etc/selinux/config +file. + The .I /etc/selinux/config configuration file also controls what policy -- 2.29.2
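Review bot: In the first hunk (selinux.8 line 23 of the new text) the rewritten sentence drops the word "option" and no longer parses: "The \fIdisabled\fR disables most of the SELinux kernel and application code". Suggest "The \fIdisabled\fR option disables most of the" so it matches the parallel "The \fIpermissive\fR option enables..." sentence that follows. The second added line is also now much shorter than its neighbours after the edit; refill the paragraph so the two changed lines wrap like the rest of the block.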
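Review bot: The NOTE in the second hunk tells the admin the behaviour varies "depending on kernel version and configuration" without saying which version or which configuration, which is exactly what they would need to decide whether their system is affected; suggest naming the kernel build option that gates runtime disable and the kernel release in which the behaviour changed, so the reader can check their own kernel config rather than guess. Two smaller points in the same paragraph: "might behave slightly differently" is too vague to act on, so either give one observable difference or drop the clause, and the grammar should be "In such a state, the system will act as if SELinux were disabled". Finally, the commit message writes the value as "SELINUX=Disabled" while the page text uses ".B SELINUX=disabled"; the man page form is the one that matches the config file, so align the commit message with it.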