* Ben Cotton:

> https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
>
> == Summary ==
> Remove support for SELinux runtime disable so that the LSM hooks can
> be hardened via read-only-after-initialization protections.
>
> Migrate users to using ''selinux=0'' if they want to disable SELinux.
>
> == Owner ==
> * Name: [[User:plautrba| Petr Lautrbach]]
> * Email: plautrba@xxxxxxxxxx
> * Name: [[User:omos| Ondrej Mosnacek]]
> * Email: omosnace@xxxxxxxxxx
>
>
> == Detailed Description ==
> Support for SELinux runtime disable via ''/etc/selinux/config'' was
> originally developed to make it easier for Linux distributions to
> support architectures where adding parameters to the kernel command
> line was difficult.
> Unfortunately, supporting runtime disable meant we had to make some
> security trade-offs when it comes to the kernel LSM hooks.
>
> Marking the kernel LSM hooks as read only provides some very nice
> security benefits, but it does mean that we can no longer disable
> SELinux at runtime.

Could the static_call framework be used instead for this?

<https://lore.kernel.org/lkml/cover.1547073843.git.jpoimboe@xxxxxxxxxx/>

Thanks,
Florian
-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
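The proposal quoted above replaces one disable mechanism (SELINUX=disabled in /etc/selinux/config, read at runtime) with another (selinux=0 on the kernel command line). The following audit script is an added example, not part of the Fedora change proposal, the kernel, or either poster's message: it classifies a host by which mechanism it relies on, so that machines still depending on the runtime path can be found before the config-file path stops working. It assumes the config file uses the SELINUX=enforcing|permissive|disabled syntax and that the command line is a single space-separated line as in /proc/cmdline; the rule that the last uncommented SELINUX= line wins is an assumption made here, not a statement about how libselinux parses the file.

```shell
#!/bin/sh
# Added example (not code from the Fedora proposal or the kernel):
# classify how SELinux is disabled on a host.
#
# selinux_disable_mode CONFIG_FILE CMDLINE_FILE prints one of:
#   kernel-cmdline  selinux=0 is present on the kernel command line
#                   (the path the proposal migrates users to)
#   runtime-config  SELinux is disabled only via SELINUX=disabled in the
#                   config file (the runtime-disable path being removed)
#   enabled         neither disable mechanism is in use

config_selinux_state() {
    # Extract the value of the SELINUX= key, skipping comments and the
    # unrelated SELINUXTYPE= key. Assumption: the last assignment wins.
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1
}

cmdline_has_param() {
    # Exact whole-token match, so selinux=0 matches but selinux=01 does not.
    tr ' ' '\n' < "$2" | grep -qx "$1"
}

selinux_disable_mode() {
    cfg=$1
    cmd=$2
    if cmdline_has_param 'selinux=0' "$cmd"; then
        echo kernel-cmdline
    elif [ "$(config_selinux_state "$cfg")" = disabled ]; then
        echo runtime-config
    else
        echo enabled
    fi
}

run_demo() {
    # Constructed sample inputs standing in for /etc/selinux/config and
    # /proc/cmdline; on a live host pass those two paths instead.
    d=$(mktemp -d)
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config.disabled"
    printf '# SELINUX=disabled\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/config.enforcing"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro selinux=0 quiet\n' > "$d/cmdline.off"
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro quiet\n' > "$d/cmdline.on"

    printf 'config disabled, no selinux=0 : %s\n' "$(selinux_disable_mode "$d/config.disabled" "$d/cmdline.on")"
    printf 'config disabled, selinux=0    : %s\n' "$(selinux_disable_mode "$d/config.disabled" "$d/cmdline.off")"
    printf 'config enforcing, no selinux=0: %s\n' "$(selinux_disable_mode "$d/config.enforcing" "$d/cmdline.on")"
    rm -rf "$d"
}

run_demo
```

A host reported as runtime-config is the one the proposal affects: it expects SELinux to be off but has nothing on the kernel command line to make that happen once the runtime path is gone. The config file alone does not tell you whether the boot loader already carries selinux=0, which is why the script reads the command line as well rather than trusting /etc/selinux/config.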