Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes: > James Cassell wrote: >> Ben Cotton wrote: >> >>> https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable >>> >>> == Summary == >>> Remove support for SELinux runtime disable so that the LSM hooks can >>> be hardened via read-only-after-initialization protections. >>> >>> Migrate users to using ''selinux=0'' if they want to disable SELinux. >> >> I like the proposal. A few thoughts and questions, though: >> >> 1. I think systems with SELINUX=disabled without selinux=0 should >> hard fail very loudly. > > That's an interesting opinion... It would be easier and more direct to > do it that way, but we are worried that users would complain that > their SELINUX=disabled setup is suddenly broken and they need to mess > with the bootloader to get a working system again. (I don't know that > much about real-time systems, so feel free to correct/enlighten me > here.) That's why we try to make sure that things keep working > more-or-less the same as before. Please correct me if I'm wrong, but *aren't* those systems broken? That is, if an admin sets selinux=disabled on a system after this change has (hypothetically) gone through, won't they have a system in which selinux isn't disabled? Or is there going to be migration logic in perpetuity? Thanks, --Robbie
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
