On Thu, Jan 2, 2020 at 4:24 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > On Thu, Dec 19, 2019 at 8:22 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > > Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality. The > > code was originally developed to make it easier for Linux > > distributions to support architectures where adding parameters to the > > kernel command line was difficult. Unfortunately, supporting runtime > > disable meant we had to make some security trade-offs when it came to > > the LSM hooks, as documented in the Kconfig help text: > > > > NOTE: selecting this option will disable the '__ro_after_init' > > kernel hardening feature for security hooks. Please consider > > using the selinux=0 boot parameter instead of enabling this > > option. > > > > Fortunately it looks as if that the original motivation for the > > runtime disable functionality is gone, and Fedora/RHEL appears to be > > the only major distribution enabling this capability at build time > > so we are now taking steps to remove it entirely from the kernel. > > The first step is to mark the functionality as deprecated and print > > an error when it is used (what this patch is doing). As Fedora/RHEL > > makes progress in transitioning the distribution away from runtime > > disable, we will introduce follow-up patches over several kernel > > releases which will block for increasing periods of time when the > > runtime disable is used. Finally we will remove the option entirely > > once we believe all users have moved to the kernel cmdline approach. > > > > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx> > > Looks reasonable, informal ACK from me. Thanks. You want to make that a formal ACK? ;) -- paul moore www.paul-moore.com
